Customizing SSL Certificate Extensions to Reduce False-Positive Certificate Error/Warning Messages

Year 2016, Volume: 5 Issue: 2, 21 - 28, 01.06.2016

Abstract

In today's Internet, X.509 certificates are commonly used in the SSL protocol to provide security for web-based services through server/client authentication and secure communication. Although the SSL protocol provides the technical basis, this web security also depends largely on users' awareness of security measures. A significant number of scientific studies in the literature report that the prevalence of invalid or self-signed certificates on today's Internet cannot be overlooked. At the same time, quite a number of studies emphasize the acquired indifference towards the certificate warning messages that web browsers pop up when a user visits web pages with invalid or self-signed certificates. In this study, bearing in mind the importance of users' daily practices in forming habits, we studied a modification of X.509 certificates intended to reduce the number of false-positive certificate-warning pop-ups and thereby to reduce the acquisition of a faulty habit of accepting invalid certificates.

Details

Primary Language English
Journal Section Research Article
Authors Şafak Tarazan, Atila Bostan
Publication Date June 1, 2016
Published in Issue Year 2016 Volume: 5 Issue: 2

Cite

IEEE Ş. Tarazan and A. Bostan, “Customizing SSL Certificate Extensions to Reduce False-Positive Certificate Error/Warning Messages”, IJISS, vol. 5, no. 2, pp. 21–28, 2016.