Hypertext Transfer Protocol Secure (HTTPS) has evolved into the de facto standard for secure Web browsing. Through the certificate-based authentication protocol, Web services and Internet users first authenticate one another ("shake hands") using a TLS/SSL certificate, encrypt Web communications end-to-end, and show a padlock in the browser to indicate a communication is secure. In recent years, HTTPS has become an essential technology to protect social, political, and economic activities online. At the same time, widely reported security incidents—such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed—have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations—notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale—have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology. While the Heartbleed incident illuminated severe flaws in a widely used crypto-library of HTTPS (OpenSSL), the focus here is on the systemic security vulnerabilities in the HTTPS authentication model that precedes end-to-end encryption. Although some of these vulnerabilities have been known for years, the 2011 security breach at the small Dutch certificate authority (CA) known as DigiNotar was a watershed moment, demonstrating these