- Certificate authority collapse: regulating systemic vulnerabilities in the HTTPS value chain
- Telecommunications Policy Research Conference 2012
- Book/source title
- TPRC: the research conference on communication, information and internet policy: 2012 program with paper links
- [Schertz, TX]: TPRC
- Document type
- Conference contribution
- Faculty of Law (FdR)
- Institute for Information Law (IViR)
Recent breaches and malpractices at several Certificate Authorities (CA’s) have led to a global collapse of trust in these central mediators of Hypertext Transfer Protocol Secure (HTTPS) communications. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem. To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis and the systemic vulnerabilities of the HTTPs ecosystem are described through the lens of several landmark breaches. The paper explores the rationales for regulatory intervention, discusses the proposed EU eSignatures Regulation and ultimately develops a conceptual framework for HTTPS governance. It apprises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of expression. On the short term, specific regulatory measures to be considered throughout the value chain includes proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions. The EU eSignatures proposal falls short on many of these aspects. In the long term, a robust technical and policy overhaul is needed to address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem.
If you believe that digital publication of certain material infringes any of your rights or (privacy) interests, please let the Library know, stating your reasons. In case of a legitimate complaint, the Library will make the material inaccessible and/or remove it from the website. Please Ask the Library, or send a letter to: Library of the University of Amsterdam, Secretariat, Singel 425, 1012 WP Amsterdam, The Netherlands. You will be contacted as soon as possible.