Understanding the Security of Free Content Websites by Analyzing their SSL Certificates: A Comparative Study
Abstract: Online services that provide books, music, movies, etc., for free have existed on the Internet for decades. While there are common beliefs and warnings that such online services may carry hidden security risks, many ordinary users still visit such websites, making them a convenient vehicle for subsequent exploitation. In this paper, we investigate and quantify, through measurements, the potential vulnerability of such free content websites (FCWs). For this purpose, we curated 834 FCWs offering books, games, movies, music, and software. For comparison, we also sampled a comparable number of premium content websites, where users must pay to use the service, covering the same types of content. Our modality of analysis is SSL certificates: we explore the structural and fundamental differences between the SSL certificates of free and premium content websites. Through our analysis, we unveil that 36% of the free websites' certificates have major issues, with 17% invalid certificates, 7% expired, and 12% with mismatched domain names. Moreover, and surprisingly, we uncover the predominant usage of ECDSA among the free websites. Among other observations, we notice that 38% of the FCWs use ECDSA-256, compared to only 20% of their premium counterparts; ECDSA-256 provides better security guarantees (and performance) than the common algorithm and key size (RSA-2048) in premium websites. Our observations raise concerns regarding the safety of using such free services from a transport standpoint and call for in-depth analysis of their risks.
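The certificate properties the abstract reports on (expiry, domain name mismatch, and the public-key algorithm and size) can be extracted from a leaf certificate with the Go standard library. The following is an added example, not code from the paper, and it does not reproduce the authors' measurement pipeline: the hostnames are constructed placeholders, the certificates are self-signed and generated in memory so the program runs offline, and the abstract's "invalid" category (chain validation against a trust store) is left to `x509.Certificate.Verify` and not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyAlgorithm labels a certificate's public key the way the abstract does,
// e.g. "ECDSA-256" or "RSA-2048".
func KeyAlgorithm(cert *x509.Certificate) string {
	switch pub := cert.PublicKey.(type) {
	case *ecdsa.PublicKey:
		return fmt.Sprintf("ECDSA-%d", pub.Curve.Params().BitSize)
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", pub.N.BitLen())
	default:
		return cert.PublicKeyAlgorithm.String()
	}
}

// ClassifyCert returns the issue labels that apply to a leaf certificate
// presented for host at time now: "expired", "not-yet-valid" and
// "mismatched-domain". Chain validity (the abstract's "invalid" category)
// is a separate check with cert.Verify and a root pool, not modelled here.
func ClassifyCert(cert *x509.Certificate, host string, now time.Time) []string {
	issues := []string{}
	if now.After(cert.NotAfter) {
		issues = append(issues, "expired")
	}
	if now.Before(cert.NotBefore) {
		issues = append(issues, "not-yet-valid")
	}
	// VerifyHostname matches host against the certificate's SAN dNSName entries.
	if err := cert.VerifyHostname(host); err != nil {
		issues = append(issues, "mismatched-domain")
	}
	return issues
}

// CountIssues aggregates per-site issue lists into a count per label, the
// shape of the percentages reported in the abstract.
func CountIssues(perSite [][]string) map[string]int {
	counts := map[string]int{}
	for _, issues := range perSite {
		for _, label := range issues {
			counts[label]++
		}
	}
	return counts
}

// NewSelfSignedCert builds a constructed, self-signed leaf certificate so the
// example runs offline; it stands in for a certificate fetched from a site.
func NewSelfSignedCert(useECDSA bool, dnsNames []string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	var pub, priv interface{}
	if useECDSA {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		pub, priv = &k.PublicKey, k
	} else {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		pub, priv = &k.PublicKey, k
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	// Hypothetical hostnames; neither is a site from the study.
	expired, _ := NewSelfSignedCert(true, []string{"free-example.test"}, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	valid, _ := NewSelfSignedCert(false, []string{"premium-example.test"}, now.Add(-time.Hour), now.Add(24*time.Hour))
	perSite := [][]string{
		ClassifyCert(expired, "other-host.test", now),
		ClassifyCert(valid, "premium-example.test", now),
	}
	fmt.Println(KeyAlgorithm(expired), perSite[0]) // ECDSA-256 [expired mismatched-domain]
	fmt.Println(KeyAlgorithm(valid), perSite[1])   // RSA-2048 []
	fmt.Println(CountIssues(perSite))
}
```

In a real survey the certificate would come from `tls.Dial` against each site and `host` would be the name the user typed, since a mismatch is only meaningful relative to the name the browser checks; the labels produced here map directly onto the expired and mismatched-domain categories the abstract counts.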