DOI: 10.1145/3133956.3134007
Research article, open access
Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate Errors

Published: 30 October 2017

Abstract

HTTPS error warnings are supposed to alert browser users to network attacks. Unfortunately, a wide range of non-attack circumstances trigger hundreds of millions of spurious browser warnings per month. Spurious warnings frustrate users, hinder the widespread adoption of HTTPS, and undermine trust in browser warnings. We investigate the root causes of HTTPS error warnings in the field, with the goal of resolving benign errors.
We study a sample of over 300 million errors that Google Chrome users encountered in the course of normal browsing. After manually reviewing more than 2,000 error reports, we developed automated rules to classify the top causes of HTTPS error warnings. We are able to automatically diagnose the root causes of two-thirds of error reports. To our surprise, we find that more than half of errors are caused by client-side or network issues instead of server misconfigurations. Based on these findings, we implemented more actionable warnings and other browser changes to address client-side error causes. We further propose solutions for other classes of root causes.
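The abstract describes turning a manual review of error reports into automated rules that attribute each certificate error to the client, the network, or the server. The block below is an added example of what such rule-based triage looks like; it is not the paper's rules and not Chromium code. The report fields, the error-code labels (Chrome's net error names used as tags), the issuer-name hints for local interception products, the one-entry trusted-root set, the 24-hour clock-skew tolerance and the sample reports are all assumptions constructed for illustration.

```python
"""Rule-based triage of HTTPS certificate error reports. Added example: not the
paper's rules and not Chromium code. The report fields, error-code labels (Chrome
net error names used as tags), issuer hints, trusted roots and skew threshold are
all assumptions made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

INTERCEPTION_ISSUER_HINTS = ("avast", "kaspersky")  # assumed: local TLS-intercepting products
TRUSTED_ROOTS = {"Example Root CA"}                  # assumed: the client's root store
MAX_CLOCK_SKEW = timedelta(hours=24)                 # assumed: tolerance before blaming the clock

@dataclass(frozen=True)
class ErrorReport:
    requested_host: str
    error_code: str                   # e.g. "ERR_CERT_DATE_INVALID"
    client_time: datetime             # what the client clock said
    trusted_time: Optional[datetime]  # assumed network-derived time, None if unavailable
    chain_subjects: List[str]         # leaf first, subject names as served
    chain_issuers: List[str]          # parallel to chain_subjects
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Diagnosis:
    side: str   # "client", "network", "server" or "unknown"
    cause: str

def _hostname_matches(cert_name: str, host: str) -> bool:
    """Exact match or single-label wildcard; SANs are not modelled (assumption)."""
    if cert_name.startswith("*."):
        return host.split(".", 1)[1:] == [cert_name[2:]]
    return cert_name == host

def diagnose(r: ErrorReport) -> Diagnosis:
    leaf, root_issuer = r.chain_subjects[0], r.chain_issuers[-1].lower()
    if r.error_code == "ERR_CERT_DATE_INVALID":
        # Client-side: a wrong clock makes every certificate look out of its validity window.
        if r.trusted_time is not None and abs(r.client_time - r.trusted_time) > MAX_CLOCK_SKEW:
            return Diagnosis("client", "clock skew")
        if r.client_time > r.not_after:
            return Diagnosis("server", "expired certificate")
        if r.client_time < r.not_before:
            return Diagnosis("server", "certificate not yet valid")
        return Diagnosis("unknown", "date error with no detectable cause")
    if r.error_code == "ERR_CERT_AUTHORITY_INVALID":
        # Client-side: a local interception product re-signed the chain under its own root.
        if any(hint in root_issuer for hint in INTERCEPTION_ISSUER_HINTS):
            return Diagnosis("client", "local TLS interception")
        # Server-side: only the leaf was served and its issuer is not a trusted root.
        if len(r.chain_subjects) == 1 and r.chain_issuers[0] not in TRUSTED_ROOTS:
            return Diagnosis("server", "missing intermediate certificate")
        return Diagnosis("unknown", "untrusted chain with no benign explanation")
    if r.error_code == "ERR_CERT_COMMON_NAME_INVALID":
        if not _hostname_matches(leaf, r.requested_host):
            # A captive portal answers every host with its own certificate; so does an active
            # attacker. This rule names the symptom, it cannot prove the cause is benign.
            if leaf.split(".")[-2:] != r.requested_host.split(".")[-2:]:
                return Diagnosis("network", "interposed host (captive portal or attacker)")
            return Diagnosis("server", "name mismatch within the site's own domain")
        return Diagnosis("unknown", "name error although the leaf name matches")
    return Diagnosis("unknown", "no rule for " + r.error_code)

def summarize(reports: List[ErrorReport]) -> Dict[str, int]:
    """Count reports per responsible side, the split the abstract reports on."""
    counts = {"client": 0, "network": 0, "server": 0, "unknown": 0}
    for r in reports:
        counts[diagnose(r).side] += 1
    return counts

# Constructed sample reports, not real telemetry.
UTC = timezone.utc
NOW = datetime(2017, 6, 1, tzinfo=UTC)
VALID = (datetime(2017, 1, 1, tzinfo=UTC), datetime(2018, 1, 1, tzinfo=UTC))
CHAIN = (["www.example.com", "Example Intermediate CA", "Example Root CA"],
         ["Example Intermediate CA", "Example Root CA", "Example Root CA"])
SAMPLE_REPORTS = [
    # client clock five years behind the trusted time
    ErrorReport("www.example.com", "ERR_CERT_DATE_INVALID", datetime(2012, 1, 1, tzinfo=UTC), NOW, *CHAIN, *VALID),
    # genuinely expired certificate, clock correct
    ErrorReport("www.example.com", "ERR_CERT_DATE_INVALID", datetime(2018, 3, 1, tzinfo=UTC),
                datetime(2018, 3, 1, tzinfo=UTC), *CHAIN, *VALID),
    # antivirus root on the chain
    ErrorReport("www.example.com", "ERR_CERT_AUTHORITY_INVALID", NOW, NOW,
                ["www.example.com", "Avast Web/Mail Shield Root"],
                ["Avast Web/Mail Shield Root", "Avast Web/Mail Shield Root"], *VALID),
    # server sent only the leaf
    ErrorReport("www.example.com", "ERR_CERT_AUTHORITY_INVALID", NOW, NOW,
                ["www.example.com"], ["Example Intermediate CA"], *VALID),
    # captive portal answering for every host
    ErrorReport("www.example.com", "ERR_CERT_COMMON_NAME_INVALID", NOW, NOW,
                ["portal.hotel-wifi.net", "Hotel WiFi CA"], ["Hotel WiFi CA", "Hotel WiFi CA"], *VALID),
]
```

Running `summarize(SAMPLE_REPORTS)` on the constructed set attributes two reports to the client, one to the network and two to the server. The caveat that matters in practice is in the name-mismatch branch: a captive portal and an on-path attacker produce the same symptom, so a rule like this can route a report to a more actionable warning but cannot by itself decide that the connection was safe.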


Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017, 2682 pages
ISBN: 9781450349468
DOI: 10.1145/3133956
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

• browser security
• https
• tls
• warnings

Qualifiers

• Research article

Conference

CCS '17

Acceptance Rates

CCS '17 paper acceptance rate: 151 of 836 submissions, 18%
Overall acceptance rate: 1,261 of 6,999 submissions, 18%


Cited By

• (2023) On the Complexity of the Web’s PKI: Evaluating Certificate Validation of Mobile Browsers. IEEE Transactions on Dependable and Secure Computing 21(1), 419-433. https://doi.org/10.1109/TDSC.2023.3255869 (published 13 March 2023)
• (2023) The Potential Harm of Email Delivery: Investigating the HTTPS Configurations of Webmail Services. IEEE Transactions on Dependable and Secure Computing 21(1), 125-138. https://doi.org/10.1109/TDSC.2023.3246600 (published 20 February 2023)
• (2022) Users' perceptions of chrome's compromised credential notification. Proceedings of the Eighteenth USENIX Conference on Usable Privacy and Security, 155-174. https://doi.org/10.5555/3563609.3563618 (published 8 August 2022)
• (2022) Assessing Real-World Applicability of Redesigned Developer Documentation for Certificate Validation Errors. Proceedings of the 2022 European Symposium on Usable Security, 131-144. https://doi.org/10.1145/3549015.3554296 (published 29 September 2022)
• (2022) Changing of the Guards: Certificate and Public Key Management on the Internet. Passive and Active Measurement, 50-80. https://doi.org/10.1007/978-3-030-98785-5_3 (published 28 March 2022)
• (2021) Rusted Anchors: A National Client-Side View of Hidden Root CAs in the Web PKI Ecosystem. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 1373-1387. https://doi.org/10.1145/3460120.3484768 (published 12 November 2021)
• (2021) The Invisible Side of Certificate Transparency: Exploring the Reliability of Monitors in the Wild. IEEE/ACM Transactions on Networking 30(2), 749-765. https://doi.org/10.1109/TNET.2021.3123507 (published 10 November 2021)
• (2021) Warning users about cyber threats through sounds. SN Applied Sciences 3(7). https://doi.org/10.1007/s42452-021-04703-4 (published 29 June 2021)
• (2021) Facilitating Cryptojacking Through Internet Middle Boxes. Advances in Electrical and Computer Technologies, 41-52. https://doi.org/10.1007/978-981-15-9019-1_4 (published 27 February 2021)
• (2021) Augmenting MetaMask to Support TLS-endorsed Smart Contracts. Data Privacy Management, Cryptocurrencies and Blockchain Technology, 227-244. https://doi.org/10.1007/978-3-030-93944-1_15 (published 8 October 2021)
