(2017) "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS.
Full text: sec17-krombholz.pdf (PDF, 470kB)
Abstract
Protecting communication content at scale is a difficult task, and TLS is the protocol most commonly used to do so. However, it has been shown that deploying it in a truly secure fashion is challenging for a large fraction of online service operators. While Let's Encrypt was specifically built and launched to promote the adoption of HTTPS, this paper aims to understand the reasons why it has been so hard to deploy TLS correctly and studies the usability of the deployment process for HTTPS. We performed a series of experiments with 28 knowledgeable participants and revealed significant usability challenges that result in weak TLS configurations. Additionally, we conducted expert interviews with 7 experienced security auditors. Our results suggest that the deployment process is far too complex even for people with proficient knowledge in the field, and that server configurations should have stronger security by default. While the results from our expert interviews confirm the ecological validity of the lab study results, they additionally highlight that even educated users prefer solutions that are easy to use. An improved and less vulnerable workflow would be very beneficial to finding stronger configurations in the wild.
| Item Type: | Conference or Workshop Item (Paper) |
|---|---|
| Conference: | USENIX Security Symposium |
| Depositing User: | Katharina Krombholz |
| Date Deposited: | 09 Nov 2018 21:08 |
| Last Modified: | 18 Jul 2019 12:12 |
| Primary Research Area: | NRA5: Empirical & Behavioral Security |
| URI: | https://publications.cispa.saarland/id/eprint/2654 |