Customizing SSL Certificate Extensions to Reduce False-Positive Certificate Error/Warning Messages

Year 2016, Volume: 5 Issue: 2, 21 - 28, 01.06.2016

Şafak Tarazan Atila Bostan

Abstract

In todays Internet world, X.509 certificates are commonly used in SSL protocol to provide security for web-based services by server/client authentication and secure communication. Although SSL protocol presents a technical basis, this web-security largely depends on user awareness of security measures as well. There are significant number of scientific studies in the literature reporting that the count of invalid or self-signed certificate usage in today’s Internet can not be overlooked. At the same time, quite a number of studies place emphasis on the acquired indifference towards certificate warning messages which are popped up by web browsers when visiting web pages with invalid or self-signed certificates. In this study, with the importance of user’s daily practices in developing habits in mind, we studied a modification of X.509 certificates in order to reduce the number of false-positive certificate-warning pop ups in order to reduce gaining faulty usage habit of invalid certificates.

Keywords

X509 certificates, SSL protocol, certificate extensions, invalid certificates, SSL certificates and users awareness

References

• T. Dierks, The transport layer security (TLS) protocol
• version 1.2, IETF RFC-5246, 2008, Available online at
• https://tools.ietf.org/html/rfc5246.
• K. Paterson and M. Albrecht, “Lucky Microseconds: A
• Timing Attack on Amazon's s2n Implementation of
• TLS”, Real World Cryptography Conference 2016, 6-8
• January 2016, Stanford, CA, USA.
• V. K. Keerthi, “Taxonomy of SSL/TLS Attacks.”,
• International Journal of Computer Network and
• Information Security, Vol.8 No 2, Feb. 2016
• X. D. C. de Carnavalet and Mannan, M., “Killed by Proxy: Software.”, Cocordia university publications, 2016, http://users.encs.concordia.ca/~mmannan/publications/s sl-interception-ndss2016.pdf, Latest Access Time for the website is 23 April 2016. TLS Interception
• V. S Subrahmanian, M. Ovelgonne, T. Dumitras and A. Prakash, The Global Cyber-Vulnerability Report., ISBN: 978-3-319-25758-7, 2016.
• CSI 2010-2011, 15th Annual CSI Computer Crime & Security Survey, Computer Security Institute, 2011, http://reports.informationweek.com/cart/index/downloa dlink/id/7377, Latest Access Time for the website is 12 December 2013.
• CSI 2009, 14th Annual CSI Computer Crime & Security Survey, Comprehensive Addition, Computer Security http://gocsi.com/purchase_survey, Latest Access Time for the website is 11 June 2011. 2009,
• CSI 2008, CSI Computer Crime & Security Survey (2008), http://gocsi.com/sites/default/files/uploads/CSIsurvey20 08.pdf, Latest Access Time for the website is 12 December 2013. Security Institute,
• P. Kamal, “State of the Art Survey on Session Hijacking.”, Global Journal of Computer Science and Technology, Vol.15, No.1, 2016 [10] J. D’Arcy
• and A.Hovav, “Deterring Internal
• Information Misuse”, Communications of the ACM,
• Vol.50 No.10, pp 113-117, October 2007
• Kevin Palfreyman and Tom Rodden, “A Protocol for User Awareness And World Wide Web”, Proceedings of Cambridge MA, USA,1996, ACM 0-89791-765- 0/96/11
• Cooperative Work’96,
• B. Gross Joshua and B. Rosson Mary, “Looking for Trouble: Management”, Computer Human Interaction for Management of IT (CHIMIT’07), Cambridge MA. USA., 30-31 March 2007, ACM 1-59593-635- 6/97/0003 End-User Security
• M. Evans, L. A. Maglaras, Y. He and H. Janicke, “Human Behaviour as an aspect of Cyber Security Assurance.”, arXiv preprint arXiv:1601.03921, 2016
• Hugo Krawczyk and Hoeteck Wee, “The OPTLS Protocol and TLS 1.3”, Real World Cryptography Conference 2016, 6-8 January 2016, Stanford, CA, USA.
• Adrienne Porter Felt, “Where the Wild Warnings Are: The TLS Story”, Real World Cryptography Conference 2016, 6-8 January 2016, Stanford, CA, USA.
• Shuhaili Talib, L. Clarke Nathan and M. Steven Furnell, "An analysis of information security awareness within home and work environments.", Availability, Reliability, and Security (ARES'10), International Conference on. IEEE, 2010.
• Henry Story,B. Harbulot, I. Jacobi and M. Jones, "Foaf+ ssl: Restful authentication for the social web.", Proceedings of the First Workshop on Trust and Privacy on the Social and Semantic Web (SPOT2009). June 2009.
• Jennifer Sobey, P. C. Van Oorschot, and Andrew S. Patrick, “Browser Interfaces and EV-SSL Certificates: Confusion, Inconsistencies and HCI Challenges.”, Carleton University School of Computer Science, Canada, Technical Report TR-09-02, 15 January 2009.
• Devdatta Akhawe and Porter Felt Adrienne, "Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness.", Usenix Security. 2013, Washington DC. USA, 14-16 Augustos 2013, pp 257-272
• R. Dhamija, J. Tygar and M. Hearst, “Why Phishing Works”, Proceedings of the Conference on Human Factors in Computing Systems (CHI), New York, NY, USA, p. 581- 590, 2006.
• T. S. Amer and J. B. Maris, “Signal words and signal icons in application control and information technology exception messages – hazard matching and habituation effects.”, Tech. Rep. Working Paper Series–06-05, Northern Arizona University, Flagstaff AZ. USA, October 2006.
• Herley Cormac, "So long, and no thanks for the externalities: the rational rejection of security advice by users.", Proceedings of the Workshop on New Security Paradigms, ACM 2009, Queen's College, Oxford, UK.
• Serge Egelman, Trust me: Design patterns for constructing trustworthy trust indicators.”, ProQuest, 2009.
• J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri and L. F. Cranor, "Crying Wolf: An Empirical Study of SSL Warning Effectiveness.", 18th USENIX Security Symposium, San Jose CA. USA, pp 399-416, 10- 14 August 2009.