With my supervisor Nico van Eijk and co-authors Hadi Asghari and Michel van Eeten at Delft University of Technology, I’ve published a centerpiece of my doctoral project in the Communications of the ACM: ‘Security Collapse in the HTTPS Market’ [link to pdf].
In three weeks, the new article has been downloaded over 30.000 times. I didn’t quite believe that number, but the folks at the ACM have actually confirmed it. Blows my mind, really. Has been covered in the media and on Reddit and Slashdot, wich probably explains the download count. Visual artist Willow Brugh made a mesmerizing vizthink animation as a teaser to the article:
A.M. Arnbak, H. Asghari, M. van Eeten, N.A.N.M. van Eijk, Security Collapse in the HTTPS Market, Communications of the ACM, 2014-10, vol. 57, p. 47-55. Also published in: ACM Queue – Security, 2014-8, vol. 12.
From the abstract:
HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. However, widely reported security incidents-such as DigiNotar’s breach, Apple’s #gotofail, and OpenSSL’s Heartbleed-have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations-notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale-have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.
To evaluate both legal and technological solutions to augment the security of HTTPS, our article argues that an understanding of the economic incentives of the stakeholders in the HTTPS ecosystem, most notably the CAs, is essential. We outline the systemic vulnerabilities of HTTPS, map the thriving market for certificates, and analyze the suggested regulatory and technological solutions on both sides of the Atlantic. Our findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become “too big to fail.” Unfortunately, proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions that mostly originate in the U.S. are far from being adopted at scale. The systemic vulnerabilities in this crucial technology are likely to persist for years to come.