Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate Errors

M. Acer, Emily Stark, A. Felt, S. Fahl, R. Bhargava, Bhanu Dev, Matt Braithwaite, Ryan Sleevi, Parisa Tabriz
Published in: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017-10-30
DOI: 10.1145/3133956.3134007 (https://doi.org/10.1145/3133956.3134007)
Citations: 47

Abstract

HTTPS error warnings are supposed to alert browser users to network attacks. Unfortunately, a wide range of non-attack circumstances trigger hundreds of millions of spurious browser warnings per month. Spurious warnings frustrate users, hinder the widespread adoption of HTTPS, and undermine trust in browser warnings. We investigate the root causes of HTTPS error warnings in the field, with the goal of resolving benign errors. We study a sample of over 300 million errors that Google Chrome users encountered in the course of normal browsing. After manually reviewing more than 2,000 error reports, we developed automated rules to classify the top causes of HTTPS error warnings. We are able to automatically diagnose the root causes of two-thirds of error reports. To our surprise, we find that more than half of errors are caused by client-side or network issues instead of server misconfigurations. Based on these findings, we implemented more actionable warnings and other browser changes to address client-side error causes. We further propose solutions for other classes of root causes.