Certificate Authority Collapse
Nico A.N.M. van Eijk & Axel Arnbak, Institute for Information Law
Thursday, September 20, 12:30 pm
Wasserstein Hall, Room 3018
RSVP required for those attending in person via the form below
This event will be archived on our site shortly after.
Hypertext Transfer Protocol Secure (‘HTTPS’) has evolved into the de facto standard for secure web browsing. Through the certificate-based authentication protocol, web services and internet users protect valuable communications and transactions against interception and alteration by cybercriminals, governments and business. In only one decade, it has facilitated trust in a thriving global E-Commerce economy, while every internet user has come to depend on HTTPS for social, political and economic activities on the internet.
Recent breaches and malpractices at several Certificate Authorities (CAs) have led to a collapse of trust in these central mediators of HTTPS communications, as they revealed 'fundamental weaknesses in the design of HTTPS' (ENISA 2011). In particular, the breach at Dutch CA DigiNotar shows how a successful attack on any one of the 650 Certificate Authorities across 54 jurisdictions enables attackers to create false SSL certificates for any given website or service. Moreover, DigiNotar kept the breach silent, so for 90 days web browsers continued to trust DigiNotar certificates, enabling attackers to intercept the communications of 300,000 Iranians. In its aftermath, Dutch public authorities took over operations at DigiNotar and convinced Microsoft to delay updates to its market-leading web browser to ensure 'the continuity of the internet'. These bold interventions lacked a legitimate basis.
While serving as the de facto standard for secure web browsing, in many ways the security of HTTPS is broken. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem.
To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis, and the systemic vulnerabilities of the HTTPS ecosystem are described through the lens of several landmark breaches. The paper then explores the rationales for regulatory intervention, discusses the EU eSignatures Regulation and abstracts from the EU proposal to develop general insights for HTTPS governance. Our findings should thus be relevant for anyone interested in HTTPS, cybersecurity and internet governance, both in Europe and abroad.
HTTPS governance appraises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of communication.
In the long term, a robust technical and policy overhaul must address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem. In the short term, specific regulatory measures to be considered throughout the value chain may include proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions.
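The DigiNotar passage above and the "single point of failure" sentence describe the same structural property: a browser's trust store treats every root equally, so a certificate for a given hostname chained to any trusted root is accepted, whichever CA the site actually uses. The script below is an added illustration, not code from the paper or its authors. It uses the `cryptography` library to build two constructed root CAs (a "Legitimate Root CA" and a stand-in "Breached Root CA"), has each issue a certificate for the same hostname, and shows that a store-wide check accepts both, while a check that pins the expected issuer's public key (the SPKI SHA-256 fingerprint, the approach used by key pinning) rejects the chain from the other root. All names, keys and the hostname `www.example.com` are constructed for the example.

```python
import datetime
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_root(common_name):
    """Create a self-signed root CA (constructed for the example)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now())
        .not_valid_after(_now() + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(issuer_key, issuer_cert, hostname):
    """Issue an end-entity certificate for `hostname`, signed by the given root."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(issuer_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now())
        .not_valid_after(_now() + datetime.timedelta(days=90))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(issuer_key, hashes.SHA256())
    )


def signed_by(cert, root):
    """True if `cert` names `root` as issuer and its signature verifies under root's key."""
    if cert.issuer != root.subject:
        return False
    try:
        root.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def names_host(cert, hostname):
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return hostname in san.get_values_for_type(x509.DNSName)


def vouching_root(leaf, hostname, trust_store):
    """Browser-style decision: any trusted root may vouch for any hostname.
    Returns the common name of the root that accepted the leaf, or None."""
    if not names_host(leaf, hostname):
        return None
    for root in trust_store:
        if signed_by(leaf, root):
            return root.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return None


def spki_sha256(cert):
    """Hex SHA-256 of the certificate's SubjectPublicKeyInfo (the value a pin holds)."""
    der = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return hashlib.sha256(der).hexdigest()


def pinned_check(leaf, hostname, trust_store, pinned_spki):
    """Accept only if a trusted root vouches AND that root's key matches the pin."""
    if not names_host(leaf, hostname):
        return False
    return any(signed_by(leaf, r) and spki_sha256(r) == pinned_spki for r in trust_store)


def demo(hostname="www.example.com"):
    good_key, good_root = make_root("Legitimate Root CA")
    rogue_key, rogue_root = make_root("Breached Root CA")  # constructed stand-in for a compromised CA
    store = [good_root, rogue_root]           # both are in the trust store, as in a real browser
    genuine = issue_leaf(good_key, good_root, hostname)
    forged = issue_leaf(rogue_key, rogue_root, hostname)  # same hostname, other issuer
    pin = spki_sha256(good_root)              # the operator pins the CA they actually use
    return {
        "genuine_vouched_by": vouching_root(genuine, hostname, store),
        "forged_vouched_by": vouching_root(forged, hostname, store),
        "genuine_passes_pin": pinned_check(genuine, hostname, store, pin),
        "forged_passes_pin": pinned_check(forged, hostname, store, pin),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The store-wide check reports that the forged certificate is vouched for by the "Breached Root CA" just as readily as the genuine one is by the "Legitimate Root CA", which is why the paper treats every CA as a single point of failure for the whole ecosystem; the pinned check narrows trust to the one issuer the operator expects, so the forged chain fails even though its root is trusted.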
The research finds that the EU eSignatures proposal lacks an integrated vision of the HTTPS value chain and a coherent normative assessment of the underlying values of HTTPS governance. These omissions lead to sub-optimal provisions on liability, security requirements, security breach notifications and supervision, both in terms of legitimacy and in addressing the systemic security vulnerabilities of the HTTPS ecosystem.
Nico van Eijk is Professor of Media and Telecommunications Law and Director of the Institute for Information Law (IViR, Faculty of Law, University of Amsterdam). He studied Law at the University of Tilburg and received his doctorate on government interference with broadcasting in 1992 from the University of Amsterdam. He also works as an independent legal adviser. Among other things, he is the Chairman of the Dutch Federation for Media and Communications Law (Vereniging voor Media- en Communicatierecht, VMC), a member of the supervisory board of the Dutch public broadcasting organisation (NPO) and chairman of two committees of The Social and Economic Council of the Netherlands (SER).
Axel Arnbak is a Ph.D. candidate at the Institute for Information Law. His research will focus on the regulatory aspects of cybersecurity.
Obtaining his LL.M. degree from IViR in 2009, he was awarded the internet law oriented Internet Thesis Award 2009 and general University of Amsterdam Thesis Award 2010 for his Master's thesis on the fundamental rights aspects of the EU Data Retention Directive and its Dutch implementation.
Upon graduation, Axel joined Bits of Freedom, the Dutch digital rights organization that had resumed its activities just before. Until mid-August 2011, Axel was responsible for privacy advocacy and worked at both the national and European level.
Axel received his LL.B. degree from Leiden University (2007), interned at law firm Brinkhof (2008), studied Competitive Strategy and Game Theory at the London School of Economics (2009) and chaired the VeerStichting foundation (2005-2006). Along with his full-time affiliation at IViR, he is a member of the supervisory board at the Stichting Admiraal van Kinsbergenfonds (not compensated).