Security economics in the HTTPS value chain

Asghari, H.; Van Eeten, M.J.G.; Arnbak, A.M.; Van Eijk, N.A.N.M.

doi:doi:10.2139/ssrn.2277806

Security economics in the HTTPS value chain

Title

Security economics in the HTTPS value chain

Author

Asghari, H.
Van Eeten, M.J.G.
Arnbak, A.M.
Van Eijk, N.A.N.M.

Faculty

Technology, Policy and Management

Department

Multi Actor Systems

Date

2013-06-12

Abstract

Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications.

Subject

HTTPS
cybersecurity
internet governance
constitutional values
E-Commerce
value chain analysis
security economics
eSignatures Regulation
SSL
TLS
digital certificates
certificate authorities