Evolution of SSL/TLS Indicators and Warnings in Web Browsers

  • Conference paper
Security Protocols XXVII (Security Protocols 2019)

Abstract

The creation of the World Wide Web (WWW) in the early 1990s finally made the Internet accessible to a wider part of the population. With this increase in users, security became more important. To address confidentiality and integrity requirements on the web, Netscape—by then a major web browser vendor—presented the Secure Sockets Layer (SSL), later versions of which were renamed to Transport Layer Security (TLS). In turn, this necessitated the introduction of both security indicators in browsers, to inform users about the TLS connection state, and warnings, to inform users about potential errors in the TLS connection to a website. Looking at the evolution of indicators and warnings, we find that the qualitative data on security indicators and warnings, i.e., screen shots of different browsers over time, is inconsistent. Hence, in this paper we outline our methodology for collecting a comprehensive data set of web browser security indicators and warnings, which will enable researchers to better understand how security indicators and TLS warnings in web browsers evolved over time.

Notes

  1. For example, early versions of Internet Explorer displayed a warning when a non plain-text website was visited.

Acknowledgements

We would like to thank Petr Švenda, Matúš Nemec, Marek Sýs and Adam Janovský for their comments during the paper writing and the participants of the 2019 Security Protocols Workshop for the lively discussion and the useful hints for our research and the paper. Furthermore, we would like to acknowledge the help of Richard Pánek and Filip Gontko with the collection of TLS warning screen shots.

This work has been partly funded by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 830929 (CyberSec4Europe), and No. 825225 (Safe-DEED). The content herein reflects only the authors’ view, and not that of the involved funding bodies.

Corresponding author

Correspondence to Lydia Kraus.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Kraus, L., Ukrop, M., Matyas, V., Fiebig, T. (2020). Evolution of SSL/TLS Indicators and Warnings in Web Browsers. In: Anderson, J., Stajano, F., Christianson, B., Matyáš, V. (eds) Security Protocols XXVII. Security Protocols 2019. Lecture Notes in Computer Science, vol 12287. Springer, Cham. https://doi.org/10.1007/978-3-030-57043-9_25

  • DOI: https://doi.org/10.1007/978-3-030-57043-9_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-57042-2

  • Online ISBN: 978-3-030-57043-9

  • eBook Packages: Computer Science (R0)
