ijiss International Journal of Information Security Science 2147-0030 Şeref SAĞIROĞLU Customizing SSL Certificate Extensions to Reduce False-Positive Certificate Error/Warning Messages Tarazan Şafak Electric and Electronics Engineering Department, Faculty of Engineering, Atılım University, Kızılcaşar Mah. 06836, İncek-Gölbaşı/Ankara/Turkey Bostan Atila Computer Engineering Department, Faculty of Engineering, Atılım University, Kızılcaşar Mah. 06836, İncek-Gölbaşı/Ankara/Turkey 06 01 2016 5 2 21 28 Copyright © 2012, International Journal of Information Security Science 2012 International Journal of Information Security Science

In todays Internet world, X.509 certificates are commonly used in SSL protocol to provide security for web-based services by server/client authentication and secure communication. Although SSL protocol presents a technical basis, this web-security largely depends on user awareness of security measures as well. There are significant number of scientific studies in the literature reporting that the count of invalid or self-signed certificate usage in today’s Internet can not be overlooked. At the same time, quite a number of studies place emphasis on the acquired indifference towards certificate warning messages which are popped up by web browsers when visiting web pages with invalid or self-signed certificates. In this study, with the importance of user’s daily practices in developing habits in mind, we studied a modification of X.509 certificates in order to reduce the number of false-positive certificate-warning pop ups in order to reduce gaining faulty usage habit of invalid certificates.

 X509 certificates SSL protocol certificate extensions invalid certificates SSL certificates and users awareness T. Dierks, The transport layer security (TLS) protocol version 1.2, IETF RFC-5246, 2008, Available online at https://tools.ietf.org/html/rfc5246. K. Paterson and M. Albrecht, “Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS”, Real World Cryptography Conference 2016, 6-8 January 2016, Stanford, CA, USA. V. K. Keerthi, “Taxonomy of SSL/TLS Attacks.”, International Journal of Computer Network and Information Security, Vol.8 No 2, Feb. 2016 X. D. C. de Carnavalet and Mannan, M., “Killed by Proxy: Software.”, Cocordia university publications, 2016, http://users.encs.concordia.ca/~mmannan/publications/s sl-interception-ndss2016.pdf, Latest Access Time for the website is 23 April 2016. TLS Interception V. S Subrahmanian, M. Ovelgonne, T. Dumitras and A. Prakash, The Global Cyber-Vulnerability Report., ISBN: 978-3-319-25758-7, 2016. CSI 2010-2011, 15th Annual CSI Computer Crime & Security Survey, Computer Security Institute, 2011, http://reports.informationweek.com/cart/index/downloa dlink/id/7377, Latest Access Time for the website is 12 December 2013. CSI 2009, 14th Annual CSI Computer Crime & Security Survey, Comprehensive Addition, Computer Security http://gocsi.com/purchase_survey, Latest Access Time for the website is 11 June 2011. 2009, CSI 2008, CSI Computer Crime & Security Survey (2008), http://gocsi.com/sites/default/files/uploads/CSIsurvey20 08.pdf, Latest Access Time for the website is 12 December 2013. Security Institute, P. Kamal, “State of the Art Survey on Session Hijacking.”, Global Journal of Computer Science and Technology, Vol.15, No.1, 2016 [10] J. D’Arcy and A.Hovav, “Deterring Internal Information Misuse”, Communications of the ACM, Vol.50 No.10, pp 113-117, October 2007 Kevin Palfreyman and Tom Rodden, “A Protocol for User Awareness And World Wide Web”, Proceedings of Cambridge MA, USA,1996, ACM 0-89791-765- 0/96/11 Cooperative Work’96, B. Gross Joshua and B. Rosson Mary, “Looking for Trouble: Management”, Computer Human Interaction for Management of IT (CHIMIT’07), Cambridge MA. USA., 30-31 March 2007, ACM 1-59593-635- 6/97/0003 End-User Security M. Evans, L. A. Maglaras, Y. He and H. Janicke, “Human Behaviour as an aspect of Cyber Security Assurance.”, arXiv preprint arXiv:1601.03921, 2016 Hugo Krawczyk and Hoeteck Wee, “The OPTLS Protocol and TLS 1.3”, Real World Cryptography Conference 2016, 6-8 January 2016, Stanford, CA, USA. Adrienne Porter Felt, “Where the Wild Warnings Are: The TLS Story”, Real World Cryptography Conference 2016, 6-8 January 2016, Stanford, CA, USA. Shuhaili Talib, L. Clarke Nathan and M. Steven Furnell, "An analysis of information security awareness within home and work environments.", Availability, Reliability, and Security (ARES'10), International Conference on. IEEE, 2010. Henry Story,B. Harbulot, I. Jacobi and M. Jones, "Foaf+ ssl: Restful authentication for the social web.", Proceedings of the First Workshop on Trust and Privacy on the Social and Semantic Web (SPOT2009). June 2009. Jennifer Sobey, P. C. Van Oorschot, and Andrew S. Patrick, “Browser Interfaces and EV-SSL Certificates: Confusion, Inconsistencies and HCI Challenges.”, Carleton University School of Computer Science, Canada, Technical Report TR-09-02, 15 January 2009. Devdatta Akhawe and Porter Felt Adrienne, "Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness.", Usenix Security. 2013, Washington DC. USA, 14-16 Augustos 2013, pp 257-272 R. Dhamija, J. Tygar and M. Hearst, “Why Phishing Works”, Proceedings of the Conference on Human Factors in Computing Systems (CHI), New York, NY, USA, p. 581- 590, 2006. T. S. Amer and J. B. Maris, “Signal words and signal icons in application control and information technology exception messages – hazard matching and habituation effects.”, Tech. Rep. Working Paper Series–06-05, Northern Arizona University, Flagstaff AZ. USA, October 2006. Herley Cormac, "So long, and no thanks for the externalities: the rational rejection of security advice by users.", Proceedings of the Workshop on New Security Paradigms, ACM 2009, Queen's College, Oxford, UK. Serge Egelman, Trust me: Design patterns for constructing trustworthy trust indicators.”, ProQuest, 2009. J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri and L. F. Cranor, "Crying Wolf: An Empirical Study of SSL Warning Effectiveness.", 18th USENIX Security Symposium, San Jose CA. USA, pp 399-416, 10- 14 August 2009.