DSHR's Blog: Economic Failures of HTTPS DSHR's Blog I'm David Rosenthal, and this is a place to discuss the work I'm doing in Digital Preservation. Thursday, December 18, 2014 Economic Failures of HTTPS Bruce Schneier points me to Assessing legal and technical solutions to secure HTTPS, a fascinating, must-read analysis of the (lack of) security on the Web from an economic rather than a technical perspective by Axel Arnbak and co-authors from Amsterdam and Delft universities. Do read the whole paper, but below the fold I provide some choice snippets. Arnbak et al point out that users are forced to trust all Certificate Authorities (CAs): A crucial technical property of the HTTPS authentication model is that any CA can sign certificates for any domain name. In other words, literally anyone can request a certificate for a Google domain at any CA anywhere in the world, even when Google itself has contracted one particular CA to sign its certificate. Many CAs are untrustworthy on their face: What’s particularly troubling is that a number of the trusted CAs are run by authoritarian governments, among other less trustworthy institutions. Their CAs can issue a certificate for any Web site in the world, which will be accepted as trustworthy by browsers of all Internet users. The security practices of even leading CAs have proven to be inadequate: three of the four market leaders got hacked in recent years and that some of the “security” features of these services do not really provide actual security. Customers can't actually buy security, only the appearance of security: Information asymmetry prevents buyers from knowing what CAs are really doing. Buyers are paying for the perception of security, a liability shield, and trust signals to third parties. None of these correlates verifiably with actual security. Given that CA security is largely unobservable, buyers’ demands for security do not necessarily translate into strong security incentives for CAs. There's little incentive for CAs to invest in better security: Negative externalities of the weakest-link security of the system exacerbate these incentive problems. The failure of a single CA impacts the whole ecosystem, not just that CA’s customers. All other things being equal, these interdependencies undermine the incentives of CAs to invest, as the security of their customers depends on the efforts of all other CAs. They conclude: Regardless of major cybersecurity incidents such as CA breaches, and even the Snowden revelations, a sense of urgency to secure HTTPS seems nonexistent. As it stands, major CAs continue business as usual. For the foreseeable future, a fundamentally flawed authentication model underlies an absolutely critical technology used every second of every day by every Internet user. On both sides of the Atlantic, one wonders what cybersecurity governance really is about. Posted by David. at 8:00 AM Labels: security 5 comments: David. said... Ars Technica has two stories showing how Microsoft's failure to take even minimal precautions allowed outsiders to obtain HTTPS certificates for Microsoft Live domains. In one documented case it took Microsoft 4 years to respond. Security, its just not a priority. March 18, 2015 at 10:20 AM David. said... Here we go again. The China Internet Network Information Center (CNNIC), a certificate authority trusted by essentially all browsers, delegated authority to MCS, an intermediate authority based in Egypt, who went ahead and issued certificates for, among other domains, Google properties. Browser vendors are rushing to revoke the certificates, except that so far there appears to be no comment to this effect from Microsoft. This completely broken system is aptly described by Bruce Schneier's term "security theater". March 23, 2015 at 7:44 PM David. said... Google has decided to remove CNNIC as a root CA pending improvements to their process. April 2, 2015 at 6:44 AM David. said... Over this weekend, the certificate chain for Google's Gmail service broke because Google forgot to renew one of the intermediate certificates. The system is too complex and fragile for even the experts to maintain properly. April 6, 2015 at 9:31 AM David. said... I should have remembered and linked to this relevant post from 2013 discussing the possible application of LOCKSS-style sampled voting to certificate verification. April 7, 2015 at 9:17 PM Post a Comment Newer Post Older Post Home Subscribe to: Post Comments (Atom) Blog Rules Posts and comments are copyright of their respective authors who, by posting or commenting, license their work under a Creative Commons Attribution-Share Alike 3.0 United States License. Off-topic or unsuitable comments will be deleted. DSHR DSHR in ANWR Recent Comments Full comments Blog Archive ►  2021 (7) ►  February (2) ►  January (5) ►  2020 (55) ►  December (4) ►  November (4) ►  October (3) ►  September (6) ►  August (5) ►  July (3) ►  June (6) ►  May (3) ►  April (5) ►  March (6) ►  February (5) ►  January (5) ►  2019 (66) ►  December (2) ►  November (4) ►  October (8) ►  September (5) ►  August (5) ►  July (7) ►  June (6) ►  May (7) ►  April (6) ►  March (7) ►  February (4) ►  January (5) ►  2018 (96) ►  December (7) ►  November (8) ►  October (10) ►  September (5) ►  August (8) ►  July (5) ►  June (7) ►  May (10) ►  April (8) ►  March (9) ►  February (9) ►  January (10) ►  2017 (82) ►  December (6) ►  November (6) ►  October (8) ►  September (6) ►  August (7) ►  July (5) ►  June (7) ►  May (6) ►  April (7) ►  March (11) ►  February (5) ►  January (8) ►  2016 (89) ►  December (4) ►  November (8) ►  October (10) ►  September (8) ►  August (8) ►  July (7) ►  June (8) ►  May (7) ►  April (5) ►  March (10) ►  February (7) ►  January (7) ►  2015 (75) ►  December (7) ►  November (5) ►  October (11) ►  September (5) ►  August (3) ►  July (3) ►  June (8) ►  May (10) ►  April (6) ►  March (6) ►  February (7) ►  January (4) ▼  2014 (68) ▼  December (7) Crypto-currency as a basis for preservation Economic Failures of HTTPS Hardware I/O Virtualization "Official" Senate CIA Torture Report Talk at Fall CNI A Note of Thanks Henry Newman's Farewell Column ►  November (8) ►  October (6) ►  September (8) ►  August (7) ►  July (3) ►  June (5) ►  May (6) ►  April (5) ►  March (6) ►  February (2) ►  January (5) ►  2013 (67) ►  December (3) ►  November (6) ►  October (7) ►  September (6) ►  August (3) ►  July (5) ►  June (6) ►  May (5) ►  April (9) ►  March (5) ►  February (5) ►  January (7) ►  2012 (43) ►  December (4) ►  November (4) ►  October (6) ►  September (6) ►  August (2) ►  July (5) ►  June (2) ►  May (5) ►  March (1) ►  February (5) ►  January (3) ►  2011 (40) ►  December (2) ►  November (1) ►  October (7) ►  September (3) ►  August (5) ►  July (2) ►  June (2) ►  May (2) ►  April (4) ►  March (4) ►  February (4) ►  January (4) ►  2010 (17) ►  December (5) ►  November (3) ►  October (4) ►  September (2) ►  July (1) ►  June (1) ►  February (1) ►  2009 (8) ►  July (1) ►  June (1) ►  May (1) ►  April (1) ►  March (2) ►  January (2) ►  2008 (8) ►  December (2) ►  March (1) ►  January (5) ►  2007 (14) ►  December (1) ►  October (3) ►  September (1) ►  August (1) ►  July (2) ►  June (3) ►  May (1) ►  April (2) LOCKSS system has permission to collect, preserve, and serve this Archival Unit. Simple theme. Powered by Blogger.