Upload File

"i have no idea what i'm doing" - on the usability of deploying https

  • Home
  • Internet
  • "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS
35

Upload: sba-research

Post on 21-Jan-2018

337 views

Category:

Internet


1 download

Report

TRANSCRIPT

Page 1: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS
Page 2: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

“IHAVENOIDEAWHATI’MDOING”–ONTHEUSABILITYOFDEPLOYINGHTTPSKatharinaKrombholz, Wilfried Mayer,MartinSchmiedecker, EdgarWeippl

Page 3: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

“IHAVENOIDEAWHATI’MDOING”

Page 4: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

“IHAVENOIDEAWHATI’MDOING”

Page 5: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

“IHAVENOIDEAWHATI’MDOING”

Page 6: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

Motivationand Goals

• ExplorereasonsforTLSmisconfigurations– usabilityfromtheadministrator‘sperspective

• StudyTask:ConfigureHTTPSonApacheo HTTP->HTTPSo InteractionwithCAo Hardeningo Testingo Done!

Page 7: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

source: (mis)adventures in setting up HTTPS by Yan Su https://www.youtube.com/watch?v=Q0VdlLG7t1w

Page 8: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

UserStudy– TheExpert’sPerspective

• Labstudywith28knowledgeableparticipants• Expertinterviewswith7securityauditors

Page 9: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

Let’sEncrypt

• EasestheinteractionwiththeCA• Hardeningandintegrationstillneedstobedoneat

leastonce• Ourstudyfocusesonintegrationandhardening

Page 10: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

Methodology- DataCollection

1.Recruitment

Questionnaire

• N=117• Multiple choice• Top 30

candidates were invited to participate in the study

2.Lab

Study

• N=28• Think-aloud

protocol• Bash/browser

history• VM images

3.Post-Study

Questionnaire

• N=28• Open/closed-

ended questions

• Demographics, previous experience

4.Expert

Interviews

• N=7• Semi-

structured interviews

• Ecological validity

Page 11: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

LabStudy- Participants

• N=28• Gender:2female,26male• Experiencedadmins:17• configuredTLSbefore:17

Page 12: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

DataAnalysis

• Observationprotocols:Qualitativeanalysiswithopen/axial/selectivecoding

• Bash/browserhistory,Apachelogfiles:o Quantitativeanalysiso MetricsbasedonQualy’s SSLTest(gradesA-F)

• Statisticalsignificance

Page 13: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

SecurityEvaluation

Page 14: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

SecurityEvaluation

• Only4participantsdeployedanAgradeconfiguration(25%)

• 15deployedaBgradeconfiguration(67%)• 4participantsdidnotmanagetodeployanyvalid

configuration

Page 15: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

SecurityEvaluation

• Only4participantsdeployedanAgradeconfiguration(25%)

• 15deployedaBgradeconfiguration(67%)• 4participantsdidnotmanagetodeployanyvalid

configuration

(Source: SSLPulse)

Page 16: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

SecurityEvaluation

• 2participantsusedself-signedcertificates• Noparticipantschoseakeysizesmallerthan2048

fortheirRSAkey• forwardsecrecy:14• HSTSheaders:11• HPKP:2

Page 17: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

TLSDeploymentModel

Page 18: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

TLSDeploymentModelLet’s Encrypt

Page 19: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

Perceptions of Usability

• Findingthebest-practiceworkflowishard(19)• Misleadingterminology(15)• Weakdefaultconfig (12)

Page 20: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

OnlineSources

(P23)

Page 21: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

OnlineSources

„Theconfigurationprocess isfiddlyandonehastogoogletonsofpages togetitright.Eventhenone

cannotbesuretohaveagoodconfigurationbecausevulnerabilitiesarediscoveredalmostonaregular

basis.“(P9)

Page 22: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

OnlineSources

• Averagenumberofvisitedwebsites:60• Numberofvisitedwebsiteshadnoimpactonthe

quality oftheresultingconfiguration

Page 23: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

OnlineSources

• Decision-makingprocessismostlybasedononlinesources

• Noin-depthunderstandingofunderlyingfundamentalso e.g.choosingciphersuites

Page 24: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

Impactofpriorexperience

• Thereisanassociationbetweenpriorexperienceandqualityoftheresultingconfiguration

• Noevidencethatpreviousemploymentimpactsconfigurationquality

Page 25: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

ConfusingFileStructureandTerminology

• Configuringvirtualhostandportistimeconsuming• Apacheconfig filesareperceivedasconfusingand

asadistractionfromthemaintask• Multipleconfigurationfilesandoptions

Page 26: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

MoreUsabilityChallenges

• Higheffortforhardening• Confusion:IsthesitestillreachableviaHTTP?• Findingtherightbalancebetweensecurityand

compatibility

Page 27: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

InterviewswithSecurityAuditors

• Goal:confirmtheecologicalvalidity ofourresults• Participants:7securityauditorsfromwell-respected

securityconsultingfirms

Page 28: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

InterviewswithSecurityAuditors

• AuditingTLSconnectionso Activatedversions?o Activatedciphersuites?o Certrecognizedbywebbrowsers?o HSTS,keypinningetc.

• Tools:o Qualy’s SSLTesto NMapo Nessusmoduleso OpenVAS

Page 29: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

ConfigurationsintheWild

• Configurationswithpoorciphers,nohardening,self-signedcertificates

• TwoauditorshadneverseenHTTPSpublickeypinningduringanaudit

Page 30: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

Configurations intheWild

• Administratorswhoare“afraidofusingcrypto”• TLSdeploymentwasnotsufficientlystreamlinedin

companieso Multipleservers– updatedseparatelyo Varyingconfigurations

Page 31: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

Compatibility

”Inmostcasesbackwardcompatibilityistheshow-stopperregardingproperTLSconfigurations” (E3)

• ..Sometimesjustamockargument• Butfindingthebestfitishard,evenforexperts

Page 32: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

Compatibility

”Inmostcasesbackwardcompatibilityistheshow-stopperregardingproperTLSconfigurations” (E3)

• ..Sometimesjustamockargument• Butfindingthebestfitishard,evenforexperts

Page 33: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

Suggestedimprovements

• Let’sEncrypt• Securitybydefault(Caddywebserver)• Compatibilityflags• Guidelines:deployeverythingthatdoesn’timpact

compatibility:e.g.HSTS• HTTPSshouldfullyreplaceHTTP• ConceptofhavingCAsisflawed

Page 34: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

Conclusions

• ConfiguringTLSonApacheisachallengingtask,evenforexperiencedusersandweshouldtakethisserious!

• Administratorsstrugglewithimportantsecuritydecisions

• Concernsaremainlydrivenbycompatibility• Hardtofindreliableinformationsources

Page 35: "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS

Questions?

Thankyou!


Https _qp.digialm.com_online_touchstone_cbse1414_cbse1414_d1363_74201822_cbse1414d1363e1

“I HAVE NO IDEA WHAT I’M DOING” – ON THE USABILITY OF ... · ON THE USABILITY OF DEPLOYING HTTPS ... o testing o done! source: (mis)adventures in setting up HTTPS by Yan Zhu

I'm the same I'm an other

Https Www.jstage.jst.Go

Https Www.emedical.immi.Gov

Experiential Learning Workshop on Web Security Basics · • SSL certificate management • HTTPS deployment challenges • HO1: Deploying SSL, click thru browser warnings • HTTP

cdn.preterhuman.netcdn.preterhuman.net/texts/lyrics_and_music_related...I'm Alive Neil Diamond I'm Alive Gamma I'm Alive (medley) Blue Swede I'm Almost Ready Pure Prairie League I'm

Https Store.finewoodworking2

I'm local I'm global

https:// in.driftwatch

I'm not american, i'm canadian!

Websense Content Gateway HTTPS ConfigurationGoals and Objectives 3 SSL Overview –General SSL information HTTPS Module Overview –WCG‟s HTTPS HTTPS Configuration –Configuration

Https Www.emthemes

jquerySF: https:

HTTPS @Scale

HQSMS https

Https Www.eagle

I'm sorry I'm late, but

HTTPS:// DQYS6PE

“I Have No Idea What I’m Doing” - On the Usability of ... · On the Usability of Deploying HTTPS ... configurations in the wild. 1 Introduction Transport Layer Security (TLS)

Contribution Forms Gone Wild! · 2015. 8. 25. · Make It Look Awesome. URL Aliases Why have URLs that look like this: https: ... “Why I'm Contributing” Tweet “Why I'm Contributing”

I'm glad i'm a girl

https:// oboe.oerc.ox.ac.uk

PRINCIPLES OF GOVERNMENT. WHY STUDY GOVERNMENT? HTTPS:// XTOFSE2NCVFFEELTRQVHRZ8H HTTPS://

Https dWww.onepetro

Https://

Https Myaccountportal.sprint

Https Www.unicauca

Https:// 6_thermal.cfm

 · ACTIVITY WORKBOOK Steven J. Molinsky Bill Bliss with ... Paula D. Williams ... I'm not I'm not I'm not I'm not

portada BW4€¦ · Lesson 1 1 Read and write the letter. I'm watching TV. I'm listening to music. I'm washing up. I'm tidying up. I'm cooking dinner. I'm playing on the computer

HTTP & HTTPS

Https://

WILLIE VELASQUEZ DAY HTTPS:// HTTPS://

HTTP vs HTTPS, Do You Really Need HTTPS?