“I HAVE NO IDEA WHAT I’M DOING” – ON THE USABILITY OF DEPLOYING HTTPS
Katharina Krombholz, Wilfried Mayer, Martin Schmiedecker, Edgar Weippl


Motivation and Goals

• Explore reasons for TLS misconfigurations – usability from the administrator’s perspective

• Study task: configure HTTPS on Apache
  o HTTP -> HTTPS
  o get a certificate
  o integration, hardening
  o testing
  o done!

source: (mis)adventures in setting up HTTPS by Yan Zhu https://www.youtube.com/watch?v=Q0VdlLG7t1w

User Study – The Expert’s Perspective

• Lab study with 28 knowledgeable participants
• Expert interviews with 7 security auditors

Let’s Encrypt

• Eases the interaction with the CA
• Hardening and integration still need to be done at least once
• Our study focuses on integration and hardening

Methodology – Data Collection

1. Recruitment Questionnaire
  • N=117
  • Multiple choice
  • Top 30 candidates were invited to participate in the study

2. Lab Study
  • N=28
  • Think-aloud protocol
  • Bash/browser history
  • VM images

3. Post-Study Questionnaire
  • N=28
  • Open/closed-ended questions
  • Demographics, previous experience

4. Expert Interviews
  • N=7
  • Semi-structured interviews
  • Ecological validity

Lab Study – Participants

• N=28
• Gender: 2 female, 26 male
• Experienced admins: 17
• Configured TLS before: 17

Data Analysis

• Observation protocols: qualitative analysis with open/axial/selective coding

• Bash/browser history, Apache log files:
  o Quantitative analysis
  o Metrics based on the Qualys SSL Test (grades A–F)

• Statistical significance


Security Evaluation

• Only 4 participants deployed an A grade configuration (25%)

• 15 deployed a B grade configuration (67%)
• 4 participants did not manage to deploy any valid configuration


(Source: SSL Pulse)

Security Evaluation

• 2 participants used self-signed certificates
• No participant chose a key size smaller than 2048 for their RSA key
• Forward secrecy: 14
• HSTS headers: 11
• HPKP: 2

TLS Deployment Model

TLS Deployment Model – Let’s Encrypt

Perceptions of Usability

• Finding the best-practice workflow is hard (19)
• Misleading terminology (15)
• Weak default configuration (12)

Online Sources

(P23)

Online Sources

“The configuration process is fiddly and one has to google tons of pages to get it right. Even then one cannot be sure to have a good configuration because vulnerabilities are discovered almost on a regular basis.” (P9)

Online Sources

• Average number of visited websites: 60
• Number of visited websites had no impact on the quality of the resulting configuration

Online Sources

• Decision-making process is mostly based on online sources

• No in-depth understanding of underlying fundamentals
  o e.g. choosing cipher suites

Impact of Prior Experience

• There is an association between prior experience and quality of the resulting configuration

• No evidence that previous employment impacts configuration quality

Confusing File Structure and Terminology

• Configuring virtual host and port is time consuming
• Apache configuration files are perceived as confusing and as a distraction from the main task
• Multiple configuration files and options

More Usability Challenges

• High effort for hardening
• Confusion: is the site still reachable via HTTP?
• Finding the right balance between security and compatibility

Interviews with Security Auditors

• Goal: confirm the ecological validity of our results
• Participants: 7 security auditors
  o from well-respected security consulting firms
  o with experience as security auditor > 2 years

Interviews with Security Auditors

• Auditing TLS connections
  o Activated versions?
  o Activated cipher suites?
  o Cert recognized by web browsers?
  o HSTS, key pinning etc.

• Tools:
  o Qualys SSL Test
  o Nmap
  o Nessus modules
  o OpenVAS

Configurations in the Wild

• Poor ciphers
• No hardening
• Self-signed certificates
• Two auditors had never seen HTTPS public key pinning during an audit

Configurations in the Wild

• Administrators who are “afraid of using crypto”
• TLS deployment was not sufficiently streamlined in companies
  o Multiple servers – updated separately
  o Varying configurations

Compatibility

“In most cases backward compatibility is the show-stopper regarding proper TLS configurations” (E3)

• … sometimes just a mock argument
• But finding the best fit is hard, even for experts

Suggested Improvements

• Let’s Encrypt
• Security by default (Caddy web server)
• Compatibility flags
• Guidelines: deploy everything that doesn’t impact compatibility, e.g. HSTS
• HTTPS should fully replace HTTP
• Concept of having CAs is flawed
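As an added example (not from the slides or the study), an Apache vhost of the weak kind the auditors report seeing beside a hardened one that covers the study task (HTTP -> HTTPS, get a certificate, hardening) and the metrics the study graded (CA-issued certificate, forward secrecy, HSTS), following the “deploy everything that doesn’t impact compatibility” guideline; the hostname and file paths are assumed placeholders.

```apache
# Weak configuration, as observed in the wild: self-signed (Debian
# "snakeoil") certificate, plain HTTP still served, legacy protocol
# versions, non-forward-secret ciphers, no HSTS.
<VirtualHost *:80>
    ServerName example.com
    # Still serves the site over plain HTTP; no redirect to HTTPS.
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    # Still allows TLS 1.0 and 1.1.
    SSLProtocol all -SSLv3
    # Includes plain RSA key exchange, so no forward secrecy.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>

# Hardened configuration covering the study's metrics.
<VirtualHost *:80>
    ServerName example.com
    # HTTPS fully replaces HTTP: every plain request is redirected.
    Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # CA-issued certificate; the Let's Encrypt/certbot file layout is an
    # assumption. Key size of 2048-bit RSA or larger.
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    # Only TLS 1.2 and newer, and only ECDHE suites, so every handshake
    # has forward secrecy.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    # HSTS costs nothing for clients that ignore it, so it is the kind of
    # hardening the guideline says to always deploy. Requires mod_headers.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # HPKP (counted in the study) is deliberately omitted: browsers have
    # since dropped support, and a wrong pin locks users out of the site.
</VirtualHost>
```

The redirect plus HSTS answers the “is the site still reachable via HTTP?” confusion the study reports: after the first HTTPS visit the browser will not send plain HTTP requests to the host at all.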

Conclusions

• Configuring TLS on Apache is a challenging task, even for experienced users, and we should take this seriously!

• Administrators struggle with important security decisions

• Concerns are mainly driven by compatibility
• Hard to find reliable information sources

Questions?

Thank you!