Let's Read: Analysing S/MIME Certificate Vendors' Efficiency and Privacy

Tobias Mueller, Max Hartenstein
Published in: 2022 International Conference on Software, Telecommunications and Computer Networks (SoftCOM), 2022-09-22
DOI: 10.23919/softcom55329.2022.9911516 (https://doi.org/10.23919/softcom55329.2022.9911516)
Citations: 0

Abstract

Email is one of the oldest and most popular applications on today's Internet and is used for business and private communication. However, most emails are still susceptible to being intercepted or even manipulated by the servers transmitting the messages. Users with S/MIME certificates can protect their email messages. In this paper, we investigate the market for S/MIME certificates and analyse the impact of the ordering and revocation processes on the users' privacy. We complete those processes for each vendor and investigate the number of requests, the size of the data transfer, and the number of trackers on the vendor's Web site. We further collect all relevant documents, including privacy policies, and report on their number of words, readability, and quality. Our results show that users must make at least 86 HTTP requests and transfer at least 1.35 MB to obtain a certificate and 178 requests and 2.03 MB to revoke a certificate. All but one vendor employ third-party tracking during these processes, which causes between 43 and 354 third-party requests. Our results further show that the vendors' privacy policies are at least 1701 words long which requires a user approximately 7 minutes to read. The longest policy requires approximately half an hour to be read. Measurements of the readability of all vendors' privacy policies indicate that users need a level of education that is nearly equivalent to a bachelor's degree to comprehend the texts. We also report on the quality of the policies and find that the vendors achieve compliance scores between 45 % and 90 %. With our method, vendors can measure their impact on the users' privacy and create better products. On the other hand, users benefit from an analysis of all S/MIME certificate vendors in that they can make an informed choice of their vendor based on the objective metrics obtained by our study. Ultimately, the results help to increase the prevalence of encrypted emails and render society less susceptible to surveillance.