Measurements, analysis, and system designs to reveal how the Internet's most commonly used trust systems operate (and malfunction) in practice, and how we can make them more secure.
Research on the SSL/TLS Ecosystem
Every day, we use Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to secure our Internet transactions such as banking, e-mail and e-commerce. Along with a public key infrastructure (PKI), they allow our computers to automatically verify that our sensitive information (e.g., credit card numbers and passwords) is hidden from eavesdroppers and sent to trustworthy servers.
In mid-April 2014, a software vulnerability called Heartbleed was announced. It allows malicious users to capture information that would allow them to masquerade as trusted servers and potentially steal sensitive information from unsuspecting users. The PKI provides multiple ways to prevent such an attack from occurring, and we should expect Web site operators to use these countermeasures.
In this study, we found that the overwhelming majority of sites (more than 73%) did not do so, meaning visitors to their sites are vulnerable to attacks such as identity theft. Further, the majority of sites that attempted to address the problem (60%) did so in a way that leaves customers vulnerable.
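As an added example (not code from the study or this page), the check below is one an operator or auditor could run over a site's certificate captured before and after the disclosure. It assumes the countermeasure in question is reissuing the certificate under a fresh key and revoking the old one, and it flags the case where a reissue kept the exposed key; the host name example.test and the self-signed certificates are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Classify compares the certificate a site served before the Heartbleed disclosure
// with the one served afterwards. The bug could leak the private key, so a reissue
// only helps when the SubjectPublicKeyInfo changes; revocation must be checked separately.
func Classify(before, after *x509.Certificate) string {
	switch {
	case bytes.Equal(before.Raw, after.Raw):
		return "not reissued"
	case bytes.Equal(before.RawSubjectPublicKeyInfo, after.RawSubjectPublicKeyInfo):
		return "reissued, key unchanged"
	default:
		return "reissued with new key"
	}
}

// selfSigned builds a constructed certificate for the hypothetical host example.test.
func selfSigned(pub ed25519.PublicKey, priv ed25519.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		Subject:   pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err) // constructed input; a real audit would report the error
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced above, always parses
	return cert
}

// RunScenarios classifies three constructed outcomes: same cert, same key, new key.
func RunScenarios() map[string]string {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	old := selfSigned(oldPub, oldPriv, 1)
	return map[string]string{
		"unchanged": Classify(old, old),
		"same key":  Classify(old, selfSigned(oldPub, oldPriv, 2)),
		"new key":   Classify(old, selfSigned(newPub, newPriv, 3)),
	}
}
```

Only the "new key" outcome closes the exposure, and even then the old certificate remains usable by anyone holding the leaked key until it is revoked and clients actually check revocation.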