Here's My Cert, So Trust Me, Maybe? Understanding TLS Errors on the Web
Title | Here's My Cert, So Trust Me, Maybe? Understanding TLS Errors on the Web |
Publication Type | Conference Paper |
Year of Publication | 2013 |
Authors | Akhawe, D., Amann J., Vallentin M., & Sommer R. |
Other Numbers | 3412 |
Abstract | When browsers report TLS errors, they cannot distinguish between attacks and harmless server misconfigurations; hence they leave it to the user to decide whether continuing is safe. However, actual attacks remain rare. As a result, users quickly become used to false positives that deplete their attention span, making it unlikely that they will pay sufficient scrutiny when a real attack comes along. Consequently, browser vendors should aim to minimize the number of low-risk warnings they report. To guide that process, we perform a large-scale measurement study of common TLS warnings. Using a set of passive network monitors located at different sites, we identify the prevalence of warnings for a total population of about 300,000 users over a nine-month period. We identify low-risk scenarios that consume a large chunk of the user attention budget and make concrete recommendations to browser vendors that will help maintain user attention in high-risk situations. We study the impact on end users with a data set much larger in scale than the data sets used in previous TLS measurement studies. A key novelty of our approach involves the use of internal browser code instead of generic TLS libraries for analysis, providing more accurate and representative results. |
Acknowledgment | This research was supported by Intel through the ISTC for Secure Computing; by the Air Force Office of Scientific Research under MURI grant numbers 22178970-4170 and FA9550-08-1-0352; by the National Science Foundation under grant numbers OCI-1032889, 0831501-CT-L, CCF-0424422, and 0842695; by a fellowship within the Postdoc-Programme of the German Academic Exchange Service (DAAD); and by the Office of Naval Research under MURI Grant Number N000140911081. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF, the AFOSR, the ONR, the DAAD, or Intel. |
URL | https://www.icsi.berkeley.edu/pubs/networking/ICSI_heresmycert13.pdf |
Bibliographic Notes | Proceedings of the World Wide Web Conference (WWW), Rio de Janeiro, Brazil |
Abbreviated Authors | D. Akhawe, J. Amann, M. Vallentin, and R. Sommer |
ICSI Research Group | Networking and Security |
ICSI Publication Type | Article in conference proceedings |