Security Economics in the HTTPS Value Chain

Twelfth Workshop on the Economics of Information Security (WEIS 2013), Washington, D.C.

GigaNet: Global Internet Governance Academic Network, Annual Symposium 2013

36 pages. Posted: 17 Jul 2016. Last revised: 27 Jul 2016.


Hadi Asghari

Alexander von Humboldt Institute for Internet and Society

Michel van Eeten

Delft University of Technology

Axel Arnbak

University of Amsterdam - Institute for Information Law (IViR); Harvard University - Berkman Klein Center for Internet & Society

N.A.N.M. van Eijk

affiliation not provided to SSRN

Date Written: March 2013

Abstract

Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications.

(Note: this version of the paper contains minor revisions in Section 3.1, made on Nov 23, 2013 and Sep 30, 2015, based on clarifications by Trustwave and Comodo)

Keywords: HTTPS, Cybersecurity, Internet Governance, Constitutional Values, E-Commerce, Value Chain Analysis, Security Economics, eSignatures Regulation, SSL, TLS, Digital Certificates, Certificate Authorities, GigaNet

Suggested Citation

Asghari, Hadi and van Eeten, Michel and Arnbak, Axel and van Eijk, N.A.N.M., Security Economics in the HTTPS Value Chain (March 2013). Twelfth Workshop on the Economics of Information Security (WEIS 2013), Washington, D.C., GigaNet: Global Internet Governance Academic Network, Annual Symposium 2013, Available at SSRN: https://ssrn.com/abstract=2277806 or http://dx.doi.org/10.2139/ssrn.2277806

Hadi Asghari (Contact Author)

Alexander von Humboldt Institute for Internet and Society

Bebelplatz 1 | 10099
Berlin
Germany

Michel Van Eeten

Delft University of Technology

PO Box 5015
Delft, 2600GA
Netherlands

Axel Arnbak

University of Amsterdam - Institute for Information Law (IViR)

Kloveniersburgwal 48
Amsterdam, 1012 CX
Netherlands

HOME PAGE: http://www.ivir.nl/staff/arnbak.html

Harvard University - Berkman Klein Center for Internet & Society

23 Everett Street
Cambridge, MA 012138
United States

N.A.N.M. Van Eijk

affiliation not provided to SSRN


Paper statistics: Downloads 401; Abstract views 3,629; Rank 143,323