Secure deployment of HTTPS: Analysis and open challenges

Abstract

Users on the Internet unknowingly rely on HTTPS, a protocol whose goal is to cryptographically secure the communication between users and websites by providing confidentiality and integrity. HTTPS relies on the SSL/TLS protocols, but many versions and implementations of these protocols exist and some of them have been proven to be vulnerable to malign attackers. Furthermore, the communication's security depends on other key factors related to a wider application of security best-practices on the web pages: restrictions on the entities that can run code or access cookies, enforcement of the usage of HTTPS, and many more.

In this thesis we analyze the state and security of the HTTPS deployment of the most visited websites for different categories, considering the overall quality of the deployment by evaluating many key aspects.

We carry out an analysis that takes into account the usage of HTTPS itself, the quality of HTTPS certificates, the security of the SSL/TLS implementation used, the presence of server-side cryptographic vulnerabilities, and the adoption of other modern techniques to enforce security.

Finally, we analyze the obtained results and draw some conclusions on the overall state of the HTTPS deployments analyzed. One of the main goals of this work is to raise awareness on the importance of a careful deployment of HTTPS, thus encouraging site operators to keep cryptographic stacks updated and enforce strict security guidelines.