HTTPS has been the standard for securing online communications for over 20 years. Despite the availability of tools to make the configuration process easier (e.g., Let’s Encrypt, Certbot), SSL Pulse scans show that more than 50% of the most popular websites are still poorly configured, which emphasizes room for improvement. Although a few recent studies looked at the remaining challenges for administrators in configuring HTTPS from a qualitative perspective, there is little work that produced quantitative results. Therefore, we conducted a survey with 96 experienced administrators (as opposed to a student sample) to investigate to what extent configuration problems revealed in prior studies actually exist in the wild. Our results confirm that Let’s Encrypt and ACME clients, such as Certbot, simplify configuration and maintenance for administrators, thus increasing the security of HTTPS configurations. Moreover, we extend the current body of work by examining the trust administrators put into Let’s Encrypt and Certbot. We found that trust and usability issues are currently barriers to the widespread adoption of Certbot.
Preferred Citation
Alexandra Mai, Oliver Schedler, Edgar Weippl and Katharina Krombholz. Are HTTPS Configurations Still a Challenge?: Validating Theories of Administrators' Difficulties with TLS Configurations. In: International Conference on HCI for Cybersecurity, Privacy, and Trust (HCI-CPT). 2022.
Primary Research Area
Empirical and Behavioral Security
Name of Conference
International Conference on HCI for Cybersecurity, Privacy, and Trust (HCI-CPT)
Legacy Posted Date
2022-05-25
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3702,
  title = "Are HTTPS Configurations Still a Challenge?: Validating Theories of Administrators' Difficulties with TLS Configurations",
  author = "Mai, Alexandra and Schedler, Oliver and Weippl, Edgar and Krombholz, Katharina",
  booktitle = "{International Conference on HCI for Cybersecurity, Privacy, and Trust (HCI-CPT)}",
  year = "2022",
}