Security Collapse in the HTTPS Market

Axel Arnbak, his supervisor Nico van Eijk and co-authors Hadi Asghari and Michel van Eeten at Delft University of Technology have published a centerpiece of Axel's doctoral project in the Communications of the ACM. The article was downloaded over 25,000 times in the first two weeks after its publication. Visual artist Willow Brugh, Axel's colleague at the Berkman Center at Harvard University, has made a mesmerizing vizthink animation as a teaser to the article:

A.M. Arnbak, H. Asghari, M. van Eeten, N.A.N.M. van Eijk, Security Collapse in the HTTPS Market, Communications of the ACM, 2014-10, vol. 57, p. 47-55.
Also published in: ACM Queue – Security, 2014-8, vol. 12.

Abstract:
HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. However, widely reported security incidents—such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed—have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations—notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale—have driven the point home that HTTPS is both a major target of government hacking and eavesdropping and an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.

To evaluate both legal and technological solutions to augment the security of HTTPS, our article argues that an understanding of the economic incentives of the stakeholders in the HTTPS ecosystem, most notably the CAs, is essential. We outline the systemic vulnerabilities of HTTPS, map the thriving market for certificates, and analyze the suggested regulatory and technological solutions on both sides of the Atlantic. The findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become "too big to fail." Unfortunately, proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions that mostly originate in the U.S. are far from being adopted at scale. The systemic vulnerabilities in this crucial technology are likely to persist for years to come.

Inaugural lecture Natali Helberger

On Friday 19 September 2014 at 16.00, Natali Helberger, appointed Professor of Information Law, will deliver her inaugural lecture at the Aula der Universiteit, Singel 411 in Amsterdam.

Media and users: towards a new balance

In the digital media environment user attention is scarce and competition for ‘eyeballs’ is fierce. Profiling and targeting users with customized news and advertisements is widely seen as a solution, and part of a larger trend to invest in what the New York Times has called ‘smart new strategies for growing our audience’. The shift from public information intermediary to personal information service creates new dynamics but also new imbalances in the relationship between the media and their users. In my inaugural speech I will state that to restore the balance, the media and regulators in Brussels and The Hague need to develop a vision of how to deal with issues such as media user privacy, editorial integrity and more generally ‘fair algorithmic media practices’.

Stef van Gompel's VENI application awarded by NWO

The Institute for Information Law is delighted that the VENI grant application of our senior researcher Stef van Gompel has been awarded by NWO.

The challenge of evidence-based intellectual property law reform: Legal pragmatism meets doctrinal legal reasoning

Intellectual property (IP) is an important instrument of innovation, cultural and growth policies. A key trend in the quest for “better” IP lawmaking is to base policies and their elaboration into effective legal norms on empirical (economic) evidence. Today’s IP laws, however, are still the result of a more doctrinal approach, giving consideration primarily to coherence and formal consistency with legal-theoretical foundations. Arguably, an increased focus on evidence-based policy requires a more legal pragmatic approach to IP lawmaking. This research explores how a legal pragmatic approach can best be reconciled with the prevailing doctrinal approach to IP lawmaking in a way that combines the strengths of both approaches, and curtails their weaknesses. In so doing, the research aims to improve the quality of IP lawmaking and further the progress and development of IP law.

To identify and assess ways in which evidence-based lawmaking can be integrated in IP reform, this project will situate evidence-based policy in conflicting theories and practices of legal doctrinalism and pragmatism in IP law. This requires comparative legal research and a multidisciplinary literature review. Furthermore, two IP case studies shall be conducted to analyze doctrinal and pragmatic legal reasoning at work and qualitative interviews will be held with IP lawmakers to assess what challenges they encounter bringing evidence-based lawmaking in practice. The research will not only contribute to the theoretical foundations of evidence-based IP lawmaking, but also benefit IP lawmakers, creative industries and other actors involved in the IP lawmaking process through the development of guidelines and best practices for implementing evidence-based policy in IP lawmaking.

IViR staff commenting on Google Spain / AEPD, European Court of Justice, 13 May 2014

Google Spain / AEPD, European Court of Justice, 13 May 2014.


'Het word een drama, een eeuwigdurende hel', Foliaweb, 20 January 2015

Frederik Borgesius, Stefan Kulk

Nico van Eijk:

Egbert Dommering:

Ot van Daalen:

Axel Arnbak:

Joris van Hoboken: