Computing Reviews
Security collapse in the HTTPS market
Arnbak A., Asghari H., Van Eeten M., Van Eijk N. Communications of the ACM 57(10): 47-55, 2014. Type: Article
Date Reviewed: Nov 12 2014

Hypertext transfer protocol secure (HTTPS) uses the transport layer security/secure sockets layer (TLS/SSL) protocol to authenticate the client and server through digital certificates issued by trusted certificate authorities (CAs) and to sign and encrypt the messages for integrity and confidentiality. Although HTTPS is the de facto standard for securing web-based communications, there have been large-scale attacks on it.

The authors point out three systematic vulnerabilities of HTTPS authentication. First, since the root CAs can delegate their certificate signatures to many intermediate CAs, HTTPS suffers from the so-called weakest link problem. When one of the intermediate CAs is compromised, the entire trust ecosystem can be vulnerable. Hence, the CAs do not have incentives to invest in stronger security. Second, the information asymmetry and ineffective auditing schemes of the CAs make it difficult to know the exact security of the CAs, and the current auditing regulations often give the erroneous perception of security. The CAs provide perceived security with bundled security services, certificate management, a liability shield, and more features; however, these services are not correlated with the actual security of the certificates. Third, liability dumping is common in the case of failures of HTTPS. The security providers push damages caused by invalid certificates down to end users.

The regulations adopted in the EU seem to perpetuate the vulnerabilities rather than address them. The technological solutions show promise for solving the weakest link problem and reducing the information asymmetry issues, but they are not yet mature enough for deployment. The authors warn that our future critical technology may depend on the fundamentally flawed HTTPS authentication model.

Reviewer:  Soon Ae Chun Review #: CR142929 (1504-0322)
Security and Protection (K.6.5)
Design Tools and Techniques (D.2.2)
Electronic Commerce (K.4.4)