Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate Errors

Abstract

HTTPS error warnings are supposed to alert browser users to net work attacks. Unfortunately, a wide range of non-attack circum stances trigger hundreds of millions of spurious browser warnings per month. Spurious warnings frustrate users, hinder the wide-spread adoption of HTTPS, and undermine trust in browser warnings.

We investigate the root causes of HTTPS error warnings in the field, with the goal of resolving benign errors. We study a sample of over 300 million errors that Google Chrome users encountered in the course of normal browsing. After manually reviewing more than 2,000 error reports, we developed automated rules to classify the top causes of HTTPS error warnings. We are able to automatically diagnose the root causes of two-thirds of error reports. To our surprise, we find that more than half of er rors are caused by client-side or network issues instead of server misconfigurations.

Based on these findings, we implemented more actionable warnings and other browser changes to address client- side error causes. We further propose solutions for other classes of root causes.

Reference

@inproceedings{DBLP:conf/ccs/AcerSFFBDBST17,
 author = {Mustafa Emre Acer and
Emily Stark and
Adrienne Porter Felt and
Sascha Fahl and
Radhika Bhargava and
Bhanu Dev and
Matt Braithwaite and
Ryan Sleevi and
Parisa Tabriz},
 bibsource = {dblp computer science bibliography, https://dblp.org},
 biburl = {https://dblp.org/rec/conf/ccs/AcerSFFBDBST17.bib},
 booktitle = {Proceedings of the 2017 ACM SIGSAC Conference on Computer and
Communications Security, CCS 2017, Dallas, TX, USA, October 30 -
November 03, 2017},
 doi = {10.1145/3133956.3134007},
 editor = {Bhavani M. Thuraisingham and
David Evans and
Tal Malkin and
Dongyan Xu},
 pages = {1407--1420},
 publisher = {ACM},
 title = {Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate
Errors},
 url = {https://doi.org/10.1145/3133956.3134007},
 year = {2017}
}