Economic Failures of HTTPS Encryption
Interesting paper: “Security Collapse of the HTTPS Market.” From the conclusion:
Recent breaches at CAs have exposed several systemic vulnerabilities and market failures inherent in the current HTTPS authentication model: the security of the entire ecosystem suffers if any of the hundreds of CAs is compromised (weakest link); browsers are unable to revoke trust in major CAs (“too big to fail”); CAs manage to conceal security incidents (information asymmetry); and ultimately customers and end users bear the liability and damages of security incidents (negative externalities).
Understanding the market and value chain for HTTPS is essential to address these systemic vulnerabilities. The market is highly concentrated, with very large price differences among suppliers and limited price competition. Paradoxically, the current vulnerabilities benefit rather than hurt the dominant CAs, because among others, they are too big to fail.
Hanno • November 28, 2014 6:54 AM
I feel the discussion, like the one in this paper, is often somewhat outdated.
We actually have a pretty nice solution for many (but not all) of the problems: HTTP Public Key Pinning (pretty soon to be RFCed).
They mention this, but then the authors write:
“All proposals attempt to solve the weakest-link problem by introducing another authority to check whether the certificate that is validated through the normal HTTPS process is indeed the correct one”
I feel this is simply wrong. Key Pinning does not introduce another authority. It introduces a “trust on first use” concept as an additional protection. And the nice thing is: You can start using it today and it requires no software changes on the server side. Chrome already supports it, Firefox will pretty soon and even IE announced that they are working on it.
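To make the "trust on first use" mechanism in the comment above concrete, here is an added example (not code from the paper, from the commenter, or from any browser) of the client-side logic HTTP Public Key Pinning relies on. The header was later standardised as RFC 7469 and browsers have since removed support for it, but the model is still instructive: a pin is base64(SHA-256(DER SubjectPublicKeyInfo)); a browser that sees a valid Public-Key-Pins header over an already-validated TLS connection notes the pins for the host, and on later visits rejects any chain that contains none of them. The SPKI byte strings below are constructed placeholders, not real keys; the pin arithmetic is the same for real DER. The example also shows the TOFU trade-off the comment does not spell out: on the very first visit nothing is pinned yet, so a mis-issued certificate from any CA still passes, and the header is ignored unless it also carries a backup pin not present in the chain, as RFC 7469 requires.

```python
import base64
import hashlib
import re
import time

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-backup-key-spki"
ROGUE_SPKI = b"constructed-mis-issued-spki"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of the SHA-256 digest of the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
MAX_AGE_RE = re.compile(r"max-age=(\d+)")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into its directives."""
    max_age = MAX_AGE_RE.search(value)
    return {
        "pins": PIN_RE.findall(value),
        "max_age": int(max_age.group(1)) if max_age else None,
        "include_subdomains": "includesubdomains" in value.lower(),
    }


class PinStore:
    """Trust-on-first-use pin store, modelled on what a browser keeps per host."""

    def __init__(self, now=time.time):
        self.now = now    # injectable clock so expiry can be exercised
        self.hosts = {}   # host -> {"pins", "expires", "include_subdomains"}

    def note_header(self, host: str, header_value: str, chain_spkis) -> bool:
        """Record pins seen on a connection whose chain already validated.

        Returns False when the header must be ignored: no max-age, no pin
        matching the validated chain, or no backup pin outside the chain.
        """
        info = parse_pkp_header(header_value)
        if info["max_age"] is None or not info["pins"]:
            return False
        chain_pins = {spki_pin(s) for s in chain_spkis}
        pins = set(info["pins"])
        if not (pins & chain_pins) or not (pins - chain_pins):
            return False
        if info["max_age"] == 0:
            self.hosts.pop(host, None)   # max-age=0 clears the pin
            return True
        self.hosts[host] = {
            "pins": pins,
            "expires": self.now() + info["max_age"],
            "include_subdomains": info["include_subdomains"],
        }
        return True

    def _lookup(self, host: str):
        """Find the unexpired entry covering host, honouring includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            if entry["expires"] <= self.now():
                del self.hosts[candidate]
                continue
            if i == 0 or entry["include_subdomains"]:
                return entry
        return None

    def check(self, host: str, chain_spkis) -> str:
        """Evaluate a later connection: 'no-pins', 'ok' or 'pin-failure'."""
        entry = self._lookup(host)
        if entry is None:
            return "no-pins"
        chain_pins = {spki_pin(s) for s in chain_spkis}
        return "ok" if entry["pins"] & chain_pins else "pin-failure"


def demo() -> dict:
    """First use, a legitimate revisit, a mis-issued cert, and a bad header."""
    store = PinStore(now=lambda: 1000.0)
    header = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
              f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age=5184000; includeSubDomains')
    results = {}
    # First visit: nothing is pinned yet, so a mis-issued chain is not caught here.
    results["first_visit"] = store.check("example.com", [ROGUE_SPKI, INTERMEDIATE_SPKI])
    results["noted"] = store.note_header("example.com", header, [LEAF_SPKI, INTERMEDIATE_SPKI])
    results["revisit"] = store.check("example.com", [LEAF_SPKI, INTERMEDIATE_SPKI])
    results["rogue_subdomain"] = store.check("www.example.com", [ROGUE_SPKI, INTERMEDIATE_SPKI])
    # A header with no backup pin is ignored rather than noted.
    results["no_backup"] = store.note_header(
        "example.com", f'pin-sha256="{spki_pin(LEAF_SPKI)}"; max-age=10', [LEAF_SPKI])
    return results
```

Running `demo()` shows the whole life cycle: the first check returns "no-pins", the revisit with the pinned leaf returns "ok", the mis-issued chain on a subdomain returns "pin-failure", and the header lacking a backup pin is rejected. The backup-pin rule matters operationally: without it, a site that loses its key would lock every returning visitor out for the remainder of max-age.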