a user-centric approach to securing the https ecosystem · • phishing sites have https - false...
TRANSCRIPT
1
A User-Centric Approach to Securing the HTTPS Ecosystem
Who should we blame for security misconfigurations and vulnerable code?
Katharina Krombholz 3
Usability of Configuring HTTPS “I have no idea what I’m doing“ - On the Usability of Deploying HTTPS, Krombholz et al., Usenix Security’17
Mental Models of HTTPS“If HTTPS were secure, I wouldn’t need 2FA“ - End User and Administrator Mental Models of HTTPS, Krombholz et al., IEEE S&P’19
Security Misconfigurations in Companies Operators’ Perspective on Security Misconfigurations, Dietrich et al., CCS‘19
Katharina Krombholz
HTTPS
4
• Encrypted version of HTTP using Transport Layer Security (TLS)• Protocol to secure information in transit• Ensures privacy and data integrity between communication parties• Certificates/Extended Validation (EV) certificates
Katharina Krombholz
The Internet ecosystem 2014
5
source: Qualy’s SSL Labs ssllabs.com
Katharina Krombholz
The Internet ecosystem 2014
6
Katharina Krombholz
The Internet ecosystem 2019
7
source: Qualy’s SSL Labs ssllabs.com
What happened since 2014?
Katharina Krombholz
The Google Chrome Team worked on Improving Security Indicators
9
Porter Felt et al. (2016): Rethinking Connection Security Indicators
Katharina Krombholz
Usable security should consider all users
10
Theory PracticeSoft
ware
Develo
per
System
Integ
rator
Admini
strato
r
End U
ser
Decisio
n-
maker
Protoc
ol
Design
er
API
Design
er
Cryptog
raphe
r
Katharina Krombholz 11
Usability of Configuring HTTPS “I have no idea what I’m doing“ - On the Usability of Deploying HTTPS, Krombholz et al., Usenix Security’17
Mental Models of HTTPS“If HTTPS were secure, I wouldn’t need 2FA“ - End User and Administrator Mental Models of HTTPS, Krombholz et al., IEEE S&P’19
Security Misconfigurations in Companies Operators’ Perspective on Security Misconfigurations, Dietrich et al., CCS‘19
Katharina Krombholz
Usability from the Administrators’ Perspective
12
Katharina Krombholz
Measuring HTTPS usability from the administrators’ perspective
13
1.
Recruitment
Questionnaire
• N=117
• Multiple choice
• Top 30
candidates
were invited to
participate in
the study
2.
Lab
Study
• N=28
• Think-aloud
protocol
• Bash/browser
history
• VM images
3.
Post-Study
Questionnaire
• N=28
• Open/closed-
ended
questions
• Demographics,
previous
experience
4.
Expert
Interviews
• N=7
• Semi-
structured
interviews
• Ecological
validity
Katharina Krombholz
User Research - Qualitative vs. Quantitative Data
14
• Qualitative research• answer questions like “why?“, “how?“• smaller sample size• go deep• exploratory
• Quantitative research• answer questions like “how many?“• larger sample size (depending on statistical assumptions and models)• go broad• quantify phenomena
Katharina Krombholz
The standard deployment process is complicated
15
Katharina Krombholz
The standard deployment process vs. let’s encrypt
16
Katharina Krombholz
Usability Was Considered From The Administrators’ Perspective
17
Katharina Krombholz
Summary of findings
18
• ssllabs score does not reflect administrators’ mental models• high effort for hardening• misconceptions of cipher suites• compatibility vs. security• administrators heavily rely on online sources• misconceptions of terminology and file structures
• consultants report that administrators are “afraid of using crypto“
Katharina Krombholz 19
Usability of Configuring HTTPS “I have no idea what I’m doing“ - On the Usability of Deploying HTTPS, Krombholz et al., Usenix Security’17
Mental Models of HTTPS“If HTTPS were secure, I wouldn’t need 2FA“ - End User and Administrator Mental Models of HTTPS, Krombholz et al., IEEE S&P’19
Security Misconfigurations in Companies Operators’ Perspective on Security Misconfigurations, Dietrich et al., CCS‘19
Katharina Krombholz
Mental Models of HTTPS
20
• mental representation of the surrounding world or technology, the relationships between its various parts and a person's intuitive perception
Katharina Krombholz
Study methodology
21
semi-structured interviews(incl. 3 drawing tasks) coding
post-hocvalidity study
pre-study
questionnaire
Katharina Krombholz
Study methodology - interview guideline
22
• Interviews• general questions about security expectation, behavior• drawing tasks
1. encryption in general2. online shopping with HTTPS3. online banking with HTTPS
• attacker models
Katharina Krombholz
Study methodology - data analysis
23
• dataset• 30 participants (18 end users,12 administrators)• quantitative and qualitative data
• questionnaire• drawings• hand-written notes• audio transcripts
• coding• two rounds of open coding (3 independent coders)• descriptive axial coding (Strauss & Corbin)• selective coding
Katharina Krombholz 24
Katharina Krombholz 25
Katharina Krombholz 26
Katharina Krombholz 27
The Worst-Case Model
28
OnlineShopping
Site
Bank
plaintext message
HTTPSProxy
(Blackbox)
codeX1%
X1% ZYX
2nd factor
intelligence agencies, ad trackers, hackers
(end user-specific)
The Best-Case Model
29
cert check, TLS handshake, HTTP GET, ...
Server
CA
or
(admin-specific)
Katharina Krombholz
Summary of findings
30
• our findings reveal misconceptions about security benefits and threat models from both groups.
• we identify protocol components that interfere with secure configurations and usage behavior.
• our results suggest that end user mental models are more conceptual while administrator mental models are more protocol-based.
• end users often confuse encryption with authentication • users distrust security indicators. • administrators often do not understand the interplay of protocol
components.
Katharina Krombholz 31
Usability of Configuring HTTPS “I have no idea what I’m doing“ - On the Usability of Deploying HTTPS, Krombholz et al., Usenix Security’17
Mental Models of HTTPS“If HTTPS were secure, I wouldn’t need 2FA“ - End User and Administrator Mental Models of HTTPS, Krombholz et al., IEEE S&P’19
Security Misconfigurations in Companies Operators’ Perspective on Security Misconfigurations, Dietrich et al., CCS‘19
Katharina Krombholz 32
What are organizations doing to prevent security misconfigurations?
Katharina Krombholz
Organizations struggle with post-mortems and configuration errors
33
Katharina Krombholz
Would you log into this site?
34
Katharina Krombholz
Remaining challenges - what now?
35
• we need to again re-think connection security indicators• phishing sites have HTTPS - false sense of security• organizations need blameless post-mortems, more automation, shared
responsibilities• still ~35% of sites are vulnerable (especially the long tail)• user-centric design approaches!
Katharina Krombholz
Remaining challenges - designing security tools
36
Katharina Krombholz
Designing security tools
37
• design of security APIs, protocols, tools has an impact on user mental models• how can technology design help to construct meaningful mental models?
Metaphors
Who should we blame for security misconfigurations and vulnerable code?
Katharina Krombholz 39
Katharina Krombholz 40
Katharina Krombholz
“Umbrella conservation“
41
Theory PracticeSoft
ware
Develo
per
System
Integ
rator
Admini
strato
r
End U
ser
Decisio
n-
maker
Protoc
ol
Design
er
API
Design
er
Cryptog
raphe
r
42
• we have shown that configuring HTTPS is hard even for experts, admins heavily rely on online resources
• end user mental models are more conceptual while administrator mental models are more protocol-based.
• users often confuse encryption with authentication
• users distrust security indicators. • administrators often do not understand the
interplay of protocol components.
OnlineShopping
Site
Bank
plaintext message
HTTPSProxy
(Blackbox)
codeX1%
X1% ZYX
2nd factor
intelligence agencies, ad trackers, hackers
(end user-specific)
cert check, TLS handshake, HTTP GET, ...
Server
CA
or
(admin-specific)
Summary and Questions