Paper accepted at USENIX Security 2017
Our paper ‘“I Have No Idea What I’m Doing” – On the Usability of Deploying HTTPS’ has been accepted for publication at the USENIX Security Symposium 2017, to take place in Vancouver this August. 85 out of 522 submissions (acceptance rate 16%) have been accepted. Kudos to Katharina and Willi!
Abstract: Protecting communication content at scale is a difficult task, and TLS is the protocol most commonly used to do so. However, it has been shown that deploying it in a truly secure fashion is challenging for a large fraction of online service operators. While Let’s Encrypt was specifically built and launched to ease the process of TLS deployments, this paper aims to understand the reasons why it has been so hard to deploy correctly and studies the usability of the TLS deployment process for HTTPS. We performed a series of experiments with 28 knowledgeable participants and revealed significant usability challenges that result in weak TLS configurations. Additionally, we conducted expert interviews with 7 experienced security auditors. Our results suggest that the deployment process is far too complex even for people with proficient knowledge in the field, and that server configurations should have stronger security by default. While the results from our expert interviews confirm the ecological validity of the lab study results, they additionally highlight that even educated users prefer solutions that are easy to use. An improved and less vulnerable workflow would be very beneficial to finding stronger configurations in the wild.