Differences
public:papers:acsac2019 [2019-12-13 00:49] – xukrop | public:papers:acsac2019 [2023-08-12 21:03] (current) – [Research artifacts (supplementary material)] xukrop | ||
---|---|---|---|
Line 6: | Line 6: | ||
<TEXT size=" | <TEXT size=" | ||
- | \_{{fa> | + | \_{{fa> |
{{fa> | {{fa> | ||
{{fa> | {{fa> | ||
+ | |||
+ | \_{{fa> | ||
</ | </ | ||
</ | </ | ||
Line 17: | Line 19: | ||
<TEXT align=" | <TEXT align=" | ||
- | <button type=" | + | <button type=" |
\_ | \_ | ||
- | <button type=" | + | <button type=" |
\_ | \_ | ||
- | <popover trigger=" | + | /*<popover trigger=" |
- | <button icon=" | + | <button icon=" |
- | </ | + | /*</ |
\_ | \_ | ||
- | <button collapse=" | + | <button collapse=" |
</ | </ | ||
</ | </ | ||
Line 50: | Line 52: | ||
===== Selected conclusions ===== | ===== Selected conclusions ===== | ||
- | * We investigated perceived trust in five certificate cases: hostname mismatch, self-signed, | + | |
- | * When validating certificates, | + | * When validating certificates, |
- | * In case of expired certificates, | + | * In case of expired certificates, |
- | * The certificate subject plays a role: Flaws were less likely to be tolerated for big, established companies (Microsoft was mentioned as an example). | + | * The certificate subject plays a role: Flaws were less likely to be tolerated for big, established companies (Microsoft was mentioned as an example). |
- | * We found some certificate cases as over-trusted. | + | * We found some certificate cases as over-trusted. |
- | * 21% of the participants considered the self-signed certificate as _" | + | * 21% of the participants considered the self-signed certificate as __" |
- | * Similarly, 20% of the participants considered the name constrained certificate as _" | + | * Similarly, 20% of the participants considered the name constrained certificate as __" |
- | * We had half of the participants interact with real OpenSSL error messages and the other half with our re-designed error messages and documentation. Here is the comparison: | + | * We had half of the participants interact with real OpenSSL error messages and the other half with our re-designed error messages and documentation. Here is the comparison: |
- | * The self-signed case was considered significantly less trustworthy with our error message (which we consider a success). | + | * The self-signed case was considered significantly less trustworthy with our error message (which we consider a success). |
- | * The name constrained case was also perceived as less trusted and required less time and less online browsing to undestand. | + | * The name constrained case was also perceived as less trusted and required less time and less online browsing to understand. |
- | * The other attributes were comparable – thus, we see our documentation in these cases as better than the existing one. | + | * The other attributes were comparable – thus, we see our documentation in these cases as better than the existing one. |
- | * In the redesigned error messages, we included a link to the documentation. To our surprise, 71% of the participants clicked this link. This suggests a nice opportunity of directing the developers to a usable place recommended by the library designers. | + | * In the redesigned error messages, we included a link to the documentation. To our surprise, 71% of the participants clicked this link. This suggests a nice opportunity of directing the developers to a usable place recommended by the library designers. |
- | * As a follow-up work, we started gathering X.509 certificate validation errors and documentation from multiple libraries to consolidate the documentation on a single place. | + | * As a follow-up work, we started gathering X.509 certificate validation errors and documentation from multiple libraries to consolidate the documentation on a single place. |
- | <button type=" | + | |
+ | <button type=" | ||
===== Talk at DevConf 2019 ===== | ===== Talk at DevConf 2019 ===== | ||
- | The content of this research was partially covered at the DevConf 2019 talk that can be seen below. | + | The content of this research was partially covered at the DevConf 2019 talk that can be seen below. |
{{ youtube> | {{ youtube> | ||
Line 79: | Line 82: | ||
The collected data is presented in a single dataset (SPSS format; you can use PSPP as a free alternative). It includes the analysis syntax files to obtain the numerical results presented in the paper. For each participant, | The collected data is presented in a single dataset (SPSS format; you can use PSPP as a free alternative). It includes the analysis syntax files to obtain the numerical results presented in the paper. For each participant, | ||
- | <button type=" | + | <button type=" |