TeamUSEC

Why eve and mallory (also) love webmasters: a study on the root causes of SSL misconfigurations

Sascha Fahl, Yasemin Acar, Henning Perl and Matthew Smith.
9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS '14, Kyoto, Japan - June 03 - 06, 2014

Abstract

Previous research showed that the SSL infrastructure is a fragile system: X.509 certificate validation fails for a nontrivial number of HTTPS-enabled websites, resulting in SSL warning messages presented to users. Studies revealed that warning messages do not provide easy-to-understand information or are ignored by web browser users. SSL warning messages are a critical component in the HTTPS infrastructure, and many attempts have been made to improve these warning messages. However, an important question has not received sufficient attention yet: Why do webmasters (deliberately) deploy non-validating, security-critical X.509 certificates on publicly available websites? In this paper, we conduct the first study with webmasters operating non-validating X.509 certificates to understand their motives behind deploying those certificates. We extracted the non-validating certificates from Google's web crawler body of X.509 certificates, informed webmasters about the problem with the X.509 certificate configuration on their website and invited a random sample of the respective webmasters to participate in our study. 755 webmasters participated, allowing us insight into their motives. While one third of them admitted to having misconfigured their webserver accidentally, two thirds of them gave reasons for deliberately using a non-validating X.509 certificate.

Reference

@inproceedings{DBLP:conf/ccs/FahlAPS14,
  author    = {Sascha Fahl and
               Yasemin Acar and
               Henning Perl and
               Matthew Smith},
  bibsource = {dblp computer science bibliography, https://dblp.org},
  biburl    = {https://dblp.org/rec/conf/ccs/FahlAPS14.bib},
  booktitle = {9th ACM Symposium on Information, Computer and Communications Security,
               ASIA CCS '14, Kyoto, Japan - June 03 - 06, 2014},
  doi       = {10.1145/2590296.2590341},
  editor    = {Shiho Moriai and
               Trent Jaeger and
               Kouichi Sakurai},
  pages     = {507--512},
  publisher = {ACM},
  title     = {Why eve and mallory (also) love webmasters: a study on the root causes
               of SSL misconfigurations},
  url       = {https://doi.org/10.1145/2590296.2590341},
  year      = {2014}
}