Talks and Poster Presentations (with Proceedings-Entry):
K. Krombholz, W. Mayer, M. Mulazzani, E. Weippl:
"I Have No Idea What I'm Doing - On the Usability of Deploying HTTPS";
Talk: 26th USENIX Security Symposium (USENIX Security 2017),
- 2017-08-18; in: "Proceedings of the 26th USENIX Security Symposium",
Protecting communication content at scale is a difficult
task, and TLS is the protocol most commonly used to
do so. However, it has been shown that deploying it
in a truly secure fashion is challenging for a large fraction
of online service operators. While Let's Encrypt
was specifically built and launched to promote the adoption
of HTTPS, this paper aims to understand the reasons
why it has been so hard to deploy TLS correctly
and studies the usability of the deployment process for
HTTPS. We performed a series of experiments with 28
knowledgeable participants and revealed significant usability
challenges that result in weak TLS configurations.
Additionally, we conducted expert interviews with 7 experienced
security auditors. Our results suggest that the
deployment process is far too complex even for people
with proficient knowledge in the field, and that server
configurations should have stronger security by default.
While the results from our expert interviews confirm the
ecological validity of the lab study results, they additionally
highlight that even educated users prefer solutions
that are easy to use. An improved and less vulnerable
workflow would be very beneficial to finding stronger
configurations in the wild.
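The abstract reports that usability problems end in weak TLS configurations and argues for stronger defaults, but does not spell out what a weak configuration looks like. The following is an added example, written by the editor and not code from the paper or its authors: a small linter for nginx-style `ssl_protocols` / `ssl_ciphers` directives that flags protocol versions below TLS 1.2 and cipher-string tokens admitting broken or legacy primitives. The rule set (WEAK_PROTOCOLS, WEAK_CIPHER_TOKENS) is the editor's own assumption based on common hardening guidance, not the study's checklist, and both configuration snippets are constructed for illustration.

```python
"""Lint an nginx-style TLS configuration for widely recognised weak settings.

Added example, not code from the paper. The rule sets below are the editor's
assumptions about what counts as weak, not findings from the study.
"""
import re

# Assumption: protocol versions below TLS 1.2 are treated as weak.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumption: OpenSSL cipher-string components that admit broken or
# legacy primitives (RC4, single/triple DES, MD5, anonymous/null suites,
# export-grade and LOW-strength groups).
WEAK_CIPHER_TOKENS = {"RC4", "DES", "MD5", "NULL", "aNULL", "eNULL",
                      "EXPORT", "EXP", "LOW"}


def parse_directives(config: str) -> dict:
    """Return {directive: value} for every ssl_* directive in the config text."""
    directives = {}
    for m in re.finditer(r"^\s*(ssl_\w+)\s+([^;]+);", config, re.M):
        directives[m.group(1)] = m.group(2).strip()
    return directives


def audit(config: str) -> list:
    """Return a list of human-readable findings; an empty list means no weak setting found."""
    findings = []
    d = parse_directives(config)

    protocols = d.get("ssl_protocols", "").split()
    if not protocols:
        findings.append("ssl_protocols not set: relying on the server default")
    for proto in protocols:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {proto}")

    # An OpenSSL cipher string is ':'-separated; a leading '!' permanently
    # removes a group, so excluded tokens are not weak settings.
    for token in re.split(r"[:,\s]+", d.get("ssl_ciphers", "")):
        if not token or token.startswith("!"):
            continue
        # Suite names are '-'-joined components, e.g. DES-CBC3-SHA, RC4-SHA.
        if any(part in WEAK_CIPHER_TOKENS for part in re.split(r"[-+]", token)):
            findings.append(f"cipher string admits weak primitive: {token}")

    return findings


# Constructed sample input: a configuration with legacy protocols and ciphers.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:RC4-SHA:DES-CBC3-SHA;
}
"""

# Constructed sample input: TLS 1.2+ with AEAD suites only.
STRONG_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5;
}
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no weak settings found']}")
```

The linter only inspects the two directives it knows about; certificate chain problems, missing HSTS and key sizes are outside its scope, and a clean result is a necessary rather than sufficient condition for a sound deployment.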
Created from the Publication Database of the Vienna University of Technology.