Invalid certificates in modern browsers: A socio-technical analysis

Rosario Giustolisi, Giampaolo Bella, Gabriele Lenzini

    Publication: Article in journal and conference article in journal / Journal article / Research / peer review

    Abstract

    The authentication of a web server is a crucial procedure in the security of web browsing. It relies on certificate validation, a process that may require the participation of the user. Thus, the security of certificate validation is socio-technical as it depends on traditional security technology as well as on social elements such as cultural values, trust and human-computer interaction.

    This manuscript analyzes extensively the socio-technical security of certificate validation as carried out through today’s most popular browsers. First, we model processes, protocols and ceremonies that browsers run with servers and users as UML activity diagrams. We consider both classic and private browsing modes and focus on the certificate validation. We then translate each UML activity diagram to a CSP# model. The model is expanded with the LTL formalization of five socio-technical properties pivoted on user involvement with certificate validation. We automatically check whether the CSP# models are socio-technically secure against Man-in-the-Middle attacks using the PAT model checker. The findings turn out to be far from straightforward. From them, we state best-practice recommendations to browser vendors.
    Original language: English
    Journal: Journal of Computer Security
    Volume: 26
    Issue number: 4
    Pages (from-to): 509-541
    ISSN: 0926-227X
    DOI
    Status: Published - 2018

    Keywords

    • model checking
    • sociological study
    • formal methods
    • ceremony
    • HCI
    • CHI
    • human-centred security
    • Socio-tech
