Security Collapse in the HTTPS Market

Communications of the ACM, Vol. 57(10), Oct. 2014, pp. 47-55

9 Pages Posted: 14 Dec 2014


Axel Arnbak

University of Amsterdam - Institute for Information Law (IViR); Harvard University - Berkman Klein Center for Internet & Society

Hadi Asghari

Delft University of Technology

Michel van Eeten

Delft University of Technology

N.A.N.M. van Eijk

Institute for Information Law (IViR)

Date Written: October 5, 2014

Abstract

Hypertext Transfer Protocol Secure (HTTPS) has evolved into the de facto standard for secure web browsing. Through the certificate-based authentication protocol, web services and browsers first authenticate one another (“shake hands”) using a TLS/SSL certificate, then encrypt web communications end-to-end, and show a padlock in the browser to users to indicate a communication is secure. In recent years, HTTPS has become an essential technology to protect social, political, and economic activities online.

Recent breaches at Certificate Authorities (CAs) have exposed several systemic vulnerabilities and market failures inherent in the current HTTPS authentication model. This article outlines the systemic vulnerabilities of HTTPS, maps the thriving market for certificates, and analyzes the suggested regulatory and technological solutions on both sides of the Atlantic.

Our findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become “too big to fail.” Unfortunately, the proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions are far from being adopted at scale.

Regardless of major cybersecurity incidents and even the Snowden revelations that showed the systemic vulnerabilities in CAs are exploited by Western intelligence agencies, a sense of urgency to secure HTTPS seems nonexistent. As it stands, major CAs continue business as usual. For the foreseeable future, a fundamentally flawed authentication model underlies an absolutely critical technology used every second of every day by every Internet user, corporation and government. On both sides of the Atlantic, one wonders what cybersecurity governance really is about.

Keywords: HTTPS, Privacy, Cybersecurity, Security Economics

Suggested Citation

Arnbak, Axel and Asghari, Hadi and van Eeten, Michel and van Eijk, N.A.N.M., Security Collapse in the HTTPS Market (October 5, 2014). Communications of the ACM, Vol. 57(10), Oct. 2014, pp. 47-55. Available at SSRN: https://ssrn.com/abstract=2537568

Axel Arnbak (Contact Author)

University of Amsterdam - Institute for Information Law (IViR)

Kloveniersburgwal 48
Amsterdam, 1012 CX
Netherlands

HOME PAGE: http://www.ivir.nl/staff/arnbak.html

Harvard University - Berkman Klein Center for Internet & Society

23 Everett Street
Cambridge, MA 02138
United States

Hadi Asghari

Delft University of Technology

P.O. Box 5015
2600 GB Delft
Netherlands

Michel Van Eeten

Delft University of Technology

PO Box 5015
Delft, 2600GA
Netherlands

N.A.N.M. Van Eijk

Institute for Information Law (IViR)

Postbus 1030
Amsterdam, 1000 BA
Netherlands

HOME PAGE: http://www.ivir.nl/medewerkerpagina/eijk
