Conference Paper: Are HTTPS Configurations Still a Challenge?: Validating Theories of Administrators’ Difficulties with TLS Configurations
The paper “Are HTTPS Configurations Still a Challenge?: Validating Theories of Administrators’ Difficulties with TLS Configurations” has been accepted for the International Conference on Human-Computer Interaction 2022. The conference will take place June 26th to July 1st, 2022.
Title
Are HTTPS Configurations Still a Challenge?: Validating Theories of Administrators’ Difficulties with TLS Configurations
Authors
Alexandra Mai (SBA Research), Oliver Schedler (CISPA Helmholtz Center), Edgar Weippl (SBA Research, University of Vienna), Katharina Krombholz (CISPA Helmholtz Center)
Abstract
HTTPS has been the standard for securing online communications for over 20 years. Despite the availability of tools to make the configuration process easier (e.g., Let’s Encrypt, Certbot), SSL Pulse scans show that still more than 50% of the most popular websites are poorly configured, which emphasizes room for improvement. Although a few recent studies looked at the remaining challenges for administrators in configuring HTTPS from a qualitative perspective, there is little work that produced quantitative results. Therefore, we conducted a survey with 96 experienced administrators (as opposed to a student sample) to investigate to what extent configuration problems revealed in prior studies actually exist in the wild. Our results confirm that Let’s Encrypt and ACME clients, such as Certbot, simplify configuration and maintenance for administrators, thus increasing the security of HTTPS configurations. Moreover, we extend the current body of work by examining the trust administrators put into Let’s Encrypt and Certbot. We found that trust and usability issues are currently barriers to the widespread adoption of Certbot.