Axel Arnbak and Nico van Ejik have a thought provoking paper about regulating systematic vulnerabilities in the HTTPS value chain. They focus on constitutional values to establish a baseline to measure regulation against; it’s a clever move that offers a good lens to critique legislative efforts mean to regulate SSL. The paper is here, and the full abstract is below:
Hypertext Transfer Protocol Secure (‘HTTPS’) has evolved into the de facto standard for secure web browsing. Through the certificate-based authentication protocol, web services and internet users protect valuable communications and transactions against interception and alteration by cybercriminals, governments and business. In only one decade, it has facilitated trust in a thriving global E-Commerce economy, while every internet user has come to depend on HTTPS for social, political and economic activities on the internet.
Recent breaches and malpractices at several Certificate Authorities (CA’s) have led to a collapse of trust in these central mediators of HTTPS communications as they revealed ‘fundamental weaknesses in the design of HTTPS’ (ENISA 2011). In particular, the breach at Dutch CA Diginotar shows how a successful attack on one of the 650 Certificate Authorities across 54 jurisdictions enables attackers to create false SSL-certificates for any given website or service. Moreover, Diginotar kept the breach silent. So for 90 days, web browsers continued to trust Diginotar certificates, enabling attackers to intercept the communications of 300.000 Iranians. In its aftermath, Dutch public authorities overtook operations at Diginotar and convinced Microsoft to delay updates to its market-leading web browser to ensure ‘the continuity of the internet’. These bold interventions lacked a legitimate basis.
While serving as the de facto standard for secure web browsing, in many ways the security of HTTPS is broken. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem.
To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis and the systemic vulnerabilities of the HTTPS ecosystem are described through the lens of several landmark breaches. The paper then explores the rationales for regulatory intervention, discusses the EU eSignatures Regulation and abstracts from the EU proposal to develop general insights for HTTPS governance. Our findings should thus be relevant for anyone interested in HTTPS, cybersecurity and internet governance – both in Europe and abroad.
HTTPS governance apprises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of communication.
In the long term, a robust technical and policy overhaul must address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem. On the short term, specific regulatory measures to be considered throughout the value chain may include proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions.
The research finds that the EU eSignatures proposal lacks an integral vision on the HTTPS value chain and a coherent normative assessment of the underlying values of HTTPS governance. These omissions lead to sub-optimal provisions on liability, security requirements, security breach notifications and supervision in terms of legitimacy and addressing the systemic security vulnerabilities of the HTTPS ecosystem.