When HTTPS Meets URL Redirection and Government Websites

Thu 01Mar2018

Hsu-Chun Hsiao, National Taiwan University

From 12.00 until 13.30

At CNB/F/110 (Lunch) + CNB/F/100.9 (Seminar), ETH Zurich

Universitätstrasse 6, 8092 Zurich


A well-known and recurring Internet security concern is supporting HTTPS for the privacy and integrity of data in end-to-end communications. However, many studies have shown that HTTPS adoption rate remains low nowadays and websites often fail to correctly configure HTTPS. In this talk, I will present two of our recent studies that investigate the less explored aspects of HTTPS adoption on the web. The first study investigates the impact of URL redirection on HTTPS. Particularly, we examined the integrity and consistency of URL redirections for the Alexa top one million (1M) websites, and further examined 10,000 (10K) websites with their login features. Our results suggest that 1) the majority of redirection trails among websites that support only HTTPS are vulnerable to attacks, and 2) current incoherent practices undermine the security guarantees provided by HTTPS and HSTS. The second study investigates the government's role in the HTTPS ecosystem. We examined HTTPS adoption on G7 and Taiwan government websites, and perform an in-depth case study that involves interviewing government officials and administrators of government websites. Our survey and interview results reveal the infrastructural and administrative challenges that government sites may encounter when using HTTPS, including the effectiveness of government mandates, discrepancies between the website owner and creating contractors, and certificate verification issues.

Download Event to Calendar