WEIS 2011 :: Session 2 :: Identity :: The Inconvenient Truth About Web Certificates

Nevena Vratonjic
Julien Freudiger
Vincent Bindschaedler
Jean-Pierre Hubaux

Presentation [PDF]

Twitter transcript

#weis2011 Overview of basic ssl/tls/https concepts. Asking: how prevalent is https, what are problems with https?

#weis2011 Out of their large sample, only 1/3 (34.7%) have support for https, login is worse! only 22.6% < #data!

#weis2011 (me) just like Microsoft for patches/vulns, everyone uses Bank of America for https & identity examples. #sigh

#weis2011 More Certificates 101, but a good venn diagram explaining what authentication success looks like w/%ages. rly good visualization.

#weis2011 domain mismatch accounts for over 80% of certificate authentication failures. why? improper reuse. it has a simple solution (SNI)

#weis2011 the team did a very thorough analysis that puts data behind what most folks have probably assumed. #dataisspiffy

#weis2011 We've created a real mess for users with certs. EV certs help, but are expensive and not pervasive (***6%***!)

#weis2011 economics don't back good cert issuance practices; 0 liability on issuers; too many subcontractors; we trained users to click "OK"

#weis2011 great slide on CA success rates (hint: godaddy is #1) #sadtrombone

#weis2011 sample: 1 million web sites; less than 6% do SSL/TLS right. cheap certs == cheap "security"; policies need to change incentives

#weis2011 URL for the data is in the last slide. first question is challenging the approach for the analysis and went on for a while
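The "domain mismatch" point above (one certificate reused across several virtual hosts on a shared IP, fixable by SNI) is easy to see in a small model. The following is an added example and is not code from the paper, the talk, or this blog: it implements RFC 6125-style hostname matching (SANs take precedence over the subject CN, a wildcard covers exactly one leftmost label) and a simulated TLS server that either honours the client's SNI name or, as a legacy server would, always sends its default certificate. The certificates, hostnames and vhost table are constructed for the demo.

```python
# Added example (not from the WEIS 2011 paper or the talk): a minimal model of
# RFC 6125-style hostname verification plus a simulated TLS server with and
# without SNI, to show how certificate reuse across virtual hosts on one IP
# produces the "domain mismatch" failure and how SNI resolves it.
# Certificates, hostnames and the vhost table below are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """The two identity fields a browser looks at: subject CN and dNSName SANs."""
    subject_cn: str
    dns_sans: Tuple[str, ...] = ()


def _name_matches(presented: str, host: str) -> bool:
    """Match one presented name against a hostname.

    A wildcard is honoured only as the entire leftmost label ("*.example.com"),
    matches exactly one label, and never matches the bare parent domain.
    """
    if not presented.startswith("*."):
        return presented == host
    suffix = presented[1:]          # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def hostname_matches(cert: Cert, hostname: str) -> bool:
    """RFC 6125 rule of thumb: if any dNSName SAN is present, use SANs only;
    fall back to the subject CN only when the certificate has no dNSName SAN."""
    host = hostname.lower().rstrip(".")
    candidates = cert.dns_sans if cert.dns_sans else (cert.subject_cn,)
    return any(_name_matches(name.lower(), host) for name in candidates)


class TlsServer:
    """One IP address hosting several names. Without SNI the server cannot know
    which name the client wants and must send its default certificate."""

    def __init__(self, default_cert: Cert, vhosts: Dict[str, Cert], supports_sni: bool):
        self.default_cert = default_cert
        self.vhosts = vhosts
        self.supports_sni = supports_sni

    def select_cert(self, sni_name: Optional[str]) -> Cert:
        if self.supports_sni and sni_name is not None:
            return self.vhosts.get(sni_name.lower(), self.default_cert)
        return self.default_cert


def connect(server: TlsServer, hostname: str, client_sends_sni: bool = True) -> str:
    """Return 'ok' or 'domain mismatch' for the certificate the server would
    present to a client requesting `hostname`."""
    cert = server.select_cert(hostname if client_sends_sni else None)
    return "ok" if hostname_matches(cert, hostname) else "domain mismatch"


# Constructed vhost table: two unrelated sites sharing one IP address.
SHOP_CERT = Cert("shop.example.com", ("shop.example.com", "www.shop.example.com"))
BLOG_CERT = Cert("blog.example.org", ("blog.example.org",))
VHOSTS = {"shop.example.com": SHOP_CERT, "blog.example.org": BLOG_CERT}

LEGACY_SERVER = TlsServer(SHOP_CERT, VHOSTS, supports_sni=False)
SNI_SERVER = TlsServer(SHOP_CERT, VHOSTS, supports_sni=True)


def demo() -> Dict[str, str]:
    """Outcome for each (server, hostname) pair, keyed for easy inspection."""
    return {
        "legacy/shop": connect(LEGACY_SERVER, "shop.example.com"),
        "legacy/blog": connect(LEGACY_SERVER, "blog.example.org"),   # reuse -> mismatch
        "sni/shop": connect(SNI_SERVER, "shop.example.com"),
        "sni/blog": connect(SNI_SERVER, "blog.example.org"),
        "sni/blog-old-client": connect(SNI_SERVER, "blog.example.org", client_sends_sni=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} {result}")
```

The last case is the caveat a practitioner should keep in mind: SNI fixes the problem only when both ends speak it, so a client that omits the extension still receives the default certificate and still sees a mismatch for every name but the default one. The SAN-precedence rule is the other common surprise: a certificate whose CN names a host that does not also appear in its dNSName SANs does not match that host.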
