New Paper ‘Security Collapse in the HTTPS Market’ Downloaded 30.000 Times in 3 Weeks

With my supervisor Nico van Eijk and co-authors Hadi Asghari and Michel van Eeten at Delft University of Technology, I’ve published a centerpiece of my doctoral project in the Communications of the ACM: ‘Security Collapse in the HTTPS Market’ [link to pdf].

In three weeks, the new article has been downloaded over 30.000 times. I didn’t quite believe that number, but the folks at the ACM have actually confirmed it. Blows my mind, really. Has been covered in the media and on Reddit and Slashdot, wich probably explains the download count. Visual artist Willow Brugh made a mesmerizing vizthink animation as a teaser to the article:

A.M. Arnbak, H. Asghari, M. van Eeten, N.A.N.M. van EijkSecurity Collapse in the HTTPS Market, Communications of the ACM, 2014-10, vol. 57, p. 47-55. Also published in: ACM Queue – Security, 2014-8, vol. 12.

From the abstract:

HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. However, widely reported security incidents-such as DigiNotar’s breach, Apple’s #gotofail, and OpenSSL’s Heartbleed-have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations-notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale-have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.

To evaluate both legal and technological solutions to augment the security of HTTPS, our article argues that an understanding of the economic incentives of the stakeholders in the HTTPS ecosystem, most notably the CAs, is essential. We outline the systemic vulnerabilities of HTTPS, map the thriving market for certificates, and analyze the suggested regulatory and technological solutions on both sides of the Atlantic. Our findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become “too big to fail.” Unfortunately, proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions that mostly originate in the U.S. are far from being adopted at scale. The systemic vulnerabilities in this crucial technology are likely to persist for years to come.

5 thoughts on “New Paper ‘Security Collapse in the HTTPS Market’ Downloaded 30.000 Times in 3 Weeks”

  1. My husband and i felt thankful Chris could round up his researching via the precious recommendations he grabbed using your weblog. It is now and again perplexing to just possibly be offering instructions which often the rest may have been trying to sell. Therefore we understand we now have you to thank because of that. The most important illustrations you made, the simple site menu, the relationships you will help promote – it is all superb, and it’s really leading our son and the family know that the article is pleasurable, which is certainly truly serious. Thanks for all the pieces!

  2. I’m on work experience levitra reviews At The Oval four years ago, England only took the upper hand in the series on the penultimate day of the series. Eight years ago, that most glorious of summers was only sealed in the final session of the final day.

Leave a Reply

Your email address will not be published.