Security Collapse in the HTTPS Market
Com. of the ACM, Vol. 57(10), Oct. 2014, p. 47-55
9 Pages Posted: 14 Dec 2014
Date Written: October 5, 2014
Hypertext Transfer Protocol Secure (HTTPS) has evolved into the de facto standard for secure web browsing. Through the certificate-based authentication protocol, web services and browsers first authenticate one another (“shake hands”) using a TLS/SSL certificate, then encrypt web communications end-to-end, and show a padlock in the browser to indicate to users that the communication is secure. In recent years, HTTPS has become an essential technology for protecting social, political, and economic activities online.
Recent breaches at Certificate Authorities (CAs) have exposed several systemic vulnerabilities and market failures inherent in the current HTTPS authentication model. This article outlines the systemic vulnerabilities of HTTPS, maps the thriving market for certificates, and analyzes the suggested regulatory and technological solutions on both sides of the Atlantic.
Our findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become “too big to fail.” Unfortunately, the proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions are far from being adopted at scale.
Despite major cybersecurity incidents, and even the Snowden revelations showing that the systemic vulnerabilities in CAs are exploited by Western intelligence agencies, a sense of urgency to secure HTTPS seems nonexistent. As it stands, major CAs continue business as usual. For the foreseeable future, a fundamentally flawed authentication model underlies an absolutely critical technology used every second of every day by every Internet user, corporation, and government. On both sides of the Atlantic, one wonders what cybersecurity governance is really about.
Keywords: HTTPS, Privacy, Cybersecurity, Security Economics