Security Economics in the HTTPS Value Chain

Twelfth Workshop on the Economics of Information Security (WEIS 2013), Washington, D.C.

GigaNet: Global Internet Governance Academic Network, Annual Symposium 2013

36 Pages. Posted: 17 Jul 2016. Last revised: 27 Jul 2016

Hadi Asghari

Delft University of Technology

Michel van Eeten

Delft University of Technology

Axel Arnbak

University of Amsterdam - Institute for Information Law (IViR); Harvard University - Berkman Klein Center for Internet & Society

N.A.N.M. van Eijk

Institute for Information Law (IViR)

Date Written: March 2013

Abstract

Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications.

(Note: this version of the paper contains minor revisions in Section 3.1, made on Nov 23, 2013 and Sep 30, 2015, based on clarifications by Trustwave and Comodo)

Keywords: HTTPS, Cybersecurity, Internet Governance, Constitutional Values, E-Commerce, Value Chain Analysis, Security Economics, eSignatures Regulation, SSL, TLS, Digital Certificates, Certificate Authorities, GigaNet

Suggested Citation

Asghari, Hadi and van Eeten, Michel and Arnbak, Axel and van Eijk, N.A.N.M., Security Economics in the HTTPS Value Chain (March 2013). Twelfth Workshop on the Economics of Information Security (WEIS 2013), Washington, D.C.; GigaNet: Global Internet Governance Academic Network, Annual Symposium 2013. Available at SSRN: https://ssrn.com/abstract=2277806 or http://dx.doi.org/10.2139/ssrn.2277806

Hadi Asghari (Contact Author)

Delft University of Technology

P.O. Box 5015
2600 GB Delft
Netherlands

Michel van Eeten

Delft University of Technology

P.O. Box 5015
2600 GA Delft
Netherlands

Axel Arnbak

University of Amsterdam - Institute for Information Law (IViR)

Kloveniersburgwal 48
1012 CX Amsterdam
Netherlands

HOME PAGE: http://www.ivir.nl/staff/arnbak.html

Harvard University - Berkman Klein Center for Internet & Society

23 Everett Street
Cambridge, MA 02138
United States

N.A.N.M. van Eijk

Institute for Information Law (IViR)

Postbus 1030
1000 BA Amsterdam
Netherlands

HOME PAGE: http://www.ivir.nl/medewerkerpagina/eijk
