“I Have No Idea What I’m Doing” – On the Usability of Deploying HTTPS
Katharina Krombholz, Wilfried Mayer, Martin Schmiedecker, Edgar Weippl
Motivation and Goals
• Explore reasons for TLS misconfigurations – usability from the administrator‘s perspective
• Study task: configure HTTPS on Apache
  o HTTP -> HTTPS
  o Interaction with CA
  o Hardening
  o Testing
  o Done!
User Study – The Expert’s Perspective
• Lab study with 28 knowledgeable participants
• Expert interviews with 7 security auditors
Let’s Encrypt
• Eases the interaction with the CA
• Hardening and integration still need to be done at least once
• Our study focuses on integration and hardening
Methodology - Data Collection
1. Recruitment questionnaire
  • N = 117
  • Multiple choice
  • Top 30 candidates were invited to participate in the study
2. Lab study
  • N = 28
  • Think-aloud protocol
  • Bash/browser history
  • VM images
3. Post-study questionnaire
  • N = 28
  • Open/closed-ended questions
  • Demographics, previous experience
4. Expert interviews
  • N = 7
  • Semi-structured interviews
  • Ecological validity
Data Analysis
• Observation protocols: qualitative analysis with open/axial/selective coding
• Bash/browser history, Apache log files:
  o Quantitative analysis
  o Metrics based on the Qualys SSL Test (grades A-F)
• Statistical significance
Security Evaluation
• Only 4 participants deployed an A grade configuration (25%)
• 15 deployed a B grade configuration (67%)
• 4 participants did not manage to deploy any valid configuration
(Chart, source: SSL Pulse)
Security Evaluation
• 2 participants used self-signed certificates
• No participant chose a key size smaller than 2048 for their RSA key
• Forward secrecy: 14
• HSTS headers: 11
• HPKP: 2
Perceptions of Usability
• Finding the best-practice workflow is hard (19)
• Misleading terminology (15)
• Weak default config (12)
Online Sources
“The configuration process is fiddly and one has to google tons of pages to get it right. Even then one cannot be sure to have a good configuration because vulnerabilities are discovered almost on a regular basis.” (P9)
Online Sources
• Average number of visited websites: 60
• Number of visited websites had no impact on the quality of the resulting configuration
Online Sources
• Decision-making process is mostly based on online sources
• No in-depth understanding of underlying fundamentals
  o e.g. choosing cipher suites
Impact of Prior Experience
• There is an association between prior experience and quality of the resulting configuration
• No evidence that previous employment impacts configuration quality
Confusing File Structure and Terminology
• Configuring virtual host and port is time consuming
• Apache config files are perceived as confusing and as a distraction from the main task
• Multiple configuration files and options
More Usability Challenges
• High effort for hardening
• Confusion: is the site still reachable via HTTP?
• Finding the right balance between security and compatibility
Interviews with Security Auditors
• Goal: confirm the ecological validity of our results
• Participants: 7 security auditors from well-respected security consulting firms
Interviews with Security Auditors
• Auditing TLS connections
  o Activated versions?
  o Activated cipher suites?
  o Cert recognized by web browsers?
  o HSTS, key pinning etc.
• Tools:
  o Qualys SSL Test
  o Nmap
  o Nessus modules
  o OpenVAS
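The study task from the Motivation slide (HTTP -> HTTPS, hardening) and the auditors’ checklist above boil down to a few checks on the Apache vhost configuration. As an added example that is not part of the slides or the study’s tooling, this hypothetical Python lint runs those checks over two constructed vhost snippets, a weak-default one and a hardened one; the hostname example.test and the finding names are assumptions.

```python
import re
# Constructed "weak default" vhost pair (HTTP left open, all protocols, default ciphers, no HSTS).
WEAK_CONF = """
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite DEFAULT
</VirtualHost>
"""

# Constructed hardened version of the same site.
HARDENED_CONF = """
<VirtualHost *:80>
    Redirect permanent / https://example.test/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
"""

def vhosts(conf):
    """Map listening port -> body text of each <VirtualHost> block."""
    blocks = re.findall(r"<VirtualHost\s+\S*?:(\d+)>(.*?)</VirtualHost>", conf, re.S)
    return {int(port): body for port, body in blocks}

def lint(conf):
    """Return the set of hardening findings for an Apache vhost snippet."""
    hosts, findings = vhosts(conf), set()
    http, https = hosts.get(80, ""), hosts.get(443, "")
    if "SSLEngine on" not in https:
        return {"no-https-vhost"}  # nothing else is meaningful without an HTTPS vhost
    if http and not re.search(r"^\s*(Redirect|RewriteRule)\b.*https://", http, re.M):
        findings.add("http-not-redirected")  # site stays reachable in clear over port 80
    # Activated versions: accept only an explicit "-all +TLSv1.2 [+TLSv1.3]" list
    proto = re.search(r"^\s*SSLProtocol\s+(.+)$", https, re.M)
    if not re.fullmatch(r"-all(\s+\+TLSv1\.[23])+", proto.group(1).strip() if proto else ""):
        findings.add("legacy-protocols-enabled")
    # Forward secrecy: every offered suite must use ephemeral (EC)DHE key exchange
    suites = re.search(r"^\s*SSLCipherSuite\s+(.+)$", https, re.M)
    if not suites or not all(s.startswith(("ECDHE-", "DHE-")) for s in suites.group(1).strip().split(":")):
        findings.add("no-forward-secrecy")
    if "Strict-Transport-Security" not in https:  # HSTS header is a hardening item, not a default
        findings.add("no-hsts")
    return findings
```

The lint only inspects the vhost text; certificate validity and the effective cipher list still need a live check with a tool such as the ones the auditors name.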
Configurations in the Wild
• Configurations with poor ciphers, no hardening, self-signed certificates
• Two auditors had never seen HTTPS public key pinning during an audit
Configurations in the Wild
• Administrators who are “afraid of using crypto”
• TLS deployment was not sufficiently streamlined in companies
  o Multiple servers – updated separately
  o Varying configurations
Compatibility
“In most cases backward compatibility is the show-stopper regarding proper TLS configurations” (E3)
• ... Sometimes just a mock argument
• But finding the best fit is hard, even for experts
Suggested Improvements
• Let’s Encrypt
• Security by default (Caddy web server)
• Compatibility flags
• Guidelines: deploy everything that doesn’t impact compatibility, e.g. HSTS
• HTTPS should fully replace HTTP
• Concept of having CAs is flawed
Conclusions
• Configuring TLS on Apache is a challenging task, even for experienced users, and we should take this seriously!
• Administrators struggle with important security decisions
• Concerns are mainly driven by compatibility
• Hard to find reliable information sources