{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T12:22:27Z","timestamp":1769948547724,"version":"3.49.0"},"reference-count":52,"publisher":"SAGE Publications","issue":"1","license":[{"start":{"date-parts":[[2020,11,27]],"date-time":"2020-11-27T00:00:00Z","timestamp":1606435200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2021,2,3]]},"abstract":"<jats:p> HTTPS refers to an application-specific implementation that runs HyperText Transfer Protocol (HTTP) on top of Secure Socket Layer (SSL) or Transport Layer Security (TLS). HTTPS is used to provide encrypted communication and secure identification of web servers and clients, for different purposes such as online banking and e-commerce. However, many HTTPS vulnerabilities have been disclosed in recent years. Although many studies have pointed out that these vulnerabilities can lead to serious consequences, domain administrators seem to ignore them. In this study, we evaluate the HTTPS security level of Alexa\u2019s top 1 million domains from two perspectives. First, we explore which popular sites are still affected by those well-known security issues. Our results show that less than 0.1% of HTTPS-enabled servers in the measured domains are still vulnerable to known attacks including Rivest Cipher 4 (RC4), Compression Ratio Info-Leak Mass Exploitation (CRIME), Padding Oracle On Downgraded Legacy Encryption (POODLE), Factoring RSA Export Keys (FREAK), Logjam, and Decrypting Rivest\u2013Shamir\u2013Adleman (RSA) using Obsolete and Weakened eNcryption (DROWN). Second, we assess the security level of the digital certificates used by each measured HTTPS domain. 
Our results show that fewer than 0.52% of domains use an expired certificate, 0.42% of HTTPS certificates are issued for a hostname different from the one they are served for, and 2.59% of HTTPS domains use a self-signed certificate. The domains we investigate cover 5 regional Internet registries (ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC) and 61 categories such as online shopping, banking, educational, and government websites. Although our results show that the problems still exist, we find that deployments have changed as HTTPS vulnerabilities were discovered. Over this three-year study, we found that more attention has been paid to the use and configuration of HTTPS. For example, more and more domains enable HTTPS to secure the channel between users and websites. In the first measurement, we observed that many domains still supported TLS 1.0 and 1.1, SSL 2.0, and SSL 3.0 to accommodate clients running outdated systems. After previous studies revealed the security risks of these protocols, our subsequent measurements found that the majority of domains updated their TLS configuration promptly. Our 2020 results suggest that most HTTPS domains use TLS 1.2, while some HTTPS domains remain vulnerable to known attacks. As academics and industry professionals continue to disclose attacks against HTTPS and recommend secure configurations, we found that the number of vulnerable domains decreases every year. 
<\/jats:p>","DOI":"10.3233\/jcs-200070","type":"journal-article","created":{"date-parts":[[2020,11,27]],"date-time":"2020-11-27T16:15:24Z","timestamp":1606493724000},"page":"25-50","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":12,"title":["A large-scale analysis of HTTPS deployments: Challenges, solutions, and recommendations"],"prefix":"10.1177","volume":"29","author":[{"given":"Qinwen","family":"Hu","sequence":"first","affiliation":[{"name":"School of Computer Science, The University of Auckland, Auckland, New Zealand"}]},{"given":"Muhammad Rizwan","family":"Asghar","sequence":"additional","affiliation":[{"name":"School of Computer Science, The University of Auckland, Auckland, New Zealand"}]},{"given":"Nevil","family":"Brownlee","sequence":"additional","affiliation":[{"name":"School of Computer Science, The University of Auckland, Auckland, New Zealand"}]}],"member":"179","published-online":{"date-parts":[[2020,11,27]]},"reference":[{"key":"ref001","unstructured":"Acmetek, GoDaddy Let\u015b Encrypt Causes Security Concerns and Leaks, Acmetek, 2020. 
https:\/\/www.zdnet.com\/article\/lets-encrypt-to-revoke-3-million-certificates-on-march-4-due-to-bug."},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"D.\u00a0Adrian, K.\u00a0Bhargavan, Z.\u00a0Durumeric, P.\u00a0Gaudry, M.\u00a0Green, J.A.\u00a0Halderman, N.\u00a0Heninger, D.\u00a0Springall, E.\u00a0Thom\u00e9, L.\u00a0Valenta et al., Imperfect forward secrecy: How Diffie\u2013Hellman fails in practice, in: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, ACM, Denver Colorado, USA, 2015, pp.\u00a05\u201317.","DOI":"10.1145\/2810103.2813707"},{"key":"ref003","unstructured":"N.\u00a0Aviram, S.\u00a0Schinzel, J.\u00a0Somorovsky, N.\u00a0Heninger, M.\u00a0Dankel, J.\u00a0Steube, L.\u00a0Valenta, D.\u00a0Adrian, J.A.\u00a0Halderman, V.\u00a0Dukhovni et al., DROWN: Breaking TLS using SSLv2, in: USENIX Security Symposium, USENIX, Austin, USA, 2016, pp.\u00a0689\u2013706."},{"key":"ref004","doi-asserted-by":"crossref","unstructured":"R.\u00a0Barnes, M.\u00a0Thomson, A.\u00a0Pironti and A.\u00a0Langley, Deprecating secure sockets layer version 3.0, RFC7568 RFC(7568) (2015), 1\u20137.","DOI":"10.17487\/RFC7568"},{"key":"ref005","doi-asserted-by":"crossref","unstructured":"M.\u00a0Bernhard, J.\u00a0Sharman, C.Z.\u00a0Acemyan, P.\u00a0Kortum, D.S.\u00a0Wallach and J.A.\u00a0Halderman, On the usability of HTTPS deployment, in: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, 2019, pp.\u00a01\u201310.","DOI":"10.1145\/3290605.3300540"},{"key":"ref006","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.39"},{"key":"ref007","doi-asserted-by":"publisher","DOI":"10.1016\/S1361-3723(12)70103-3"},{"issue":"2","key":"ref008","first-page":"1","volume":"12","author":"Buchanan W.J.","year":"2017","journal-title":"IET Information Security"},{"key":"ref009","unstructured":"S.\u00a0Calzavara, R.\u00a0Focardi, A.\u00a0Rabitti and L.\u00a0Soligo, A hard lesson: Assessing the HTTPS deployment of Italian 
university websites, in: ITASEC, 2020, pp.\u00a093\u2013104."},{"key":"ref010","doi-asserted-by":"crossref","unstructured":"B.\u00a0Canvel, A.\u00a0Hiltgen, S.\u00a0Vaudenay and M.\u00a0Vuagnoux, Password interception in a SSL\/TLS channel, in: Annual International Cryptology Conference, Springer, Santa Barbara, CA, USA, 2003, pp.\u00a0583\u2013599.","DOI":"10.1007\/978-3-540-45146-4_34"},{"key":"ref011","unstructured":"Censys, The POODLE Attack and Tracking SSLv3 Deployment, Censys, 2018. https:\/\/censys.io\/blog\/poodle."},{"key":"ref012","unstructured":"Censys, The FREAK Attack, Censys, 2018. https:\/\/censys.io\/blog\/freak."},{"key":"ref013","doi-asserted-by":"publisher","DOI":"10.1109\/INFCOMW.2018.8406957"},{"key":"ref014","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2018.8486344"},{"key":"ref015","unstructured":"C.\u00a0Cimpanu, Let\u2019s Encrypt to revoke 3 million certificates on March 4 due to software bug, ZDNet, 2020. https:\/\/www.zdnet.com\/article\/lets-encrypt-to-revoke-3-million-certificates-on-march-4-due-to-bug\/."},{"key":"ref016","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.41"},{"key":"ref017","doi-asserted-by":"crossref","unstructured":"T.\u00a0Dierks and C.\u00a0Allen, The TLS protocol version 1.0, RFC2246 RFC(2246) (1999), 1\u201314.","DOI":"10.17487\/rfc2246"},{"key":"ref018","doi-asserted-by":"crossref","unstructured":"T.\u00a0Dierks and E.\u00a0Rescorla, The Transport Layer Security (TLS) protocol, RFC5246 RFC(5246) (2008), 1\u201319.","DOI":"10.17487\/rfc5246"},{"key":"ref019","unstructured":"T.\u00a0Duong and J.\u00a0Rizzo, Here come the ninjas, 2011."},{"key":"ref020","doi-asserted-by":"crossref","unstructured":"Z.\u00a0Durumeric, J.\u00a0Kasten, D.\u00a0Adrian, J.A.\u00a0Halderman, M.\u00a0Bailey, F.\u00a0Li, N.\u00a0Weaver, J.\u00a0Amann, J.\u00a0Beekman, M.\u00a0Payer et al., The matter of Heartbleed, in: Proceedings of the 2014 Conference on Internet Measurement Conference, ACM, San Jose, CA, 2014, 
pp.\u00a01\u201314.","DOI":"10.1145\/2663716.2663755"},{"key":"ref021","doi-asserted-by":"crossref","unstructured":"Z.\u00a0Durumeric, Z.\u00a0Ma, D.\u00a0Springall, R.\u00a0Barnes, N.\u00a0Sullivan, E.\u00a0Bursztein, M.\u00a0Bailey, J.A.\u00a0Halderman and V.\u00a0Paxson, The security impact of HTTPS interception, in: NDSS, San Diego, USA, 2017, pp.\u00a01\u201314.","DOI":"10.14722\/ndss.2017.23456"},{"key":"ref022","doi-asserted-by":"crossref","unstructured":"S.\u00a0Fahl, M.\u00a0Harbach, H.\u00a0Perl, M.\u00a0Koetter and M.\u00a0Smith, Rethinking SSL development in an appified world, in: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, ACM, NY, USA, 2013, pp.\u00a049\u201360.","DOI":"10.1145\/2508859.2516655"},{"key":"ref023","unstructured":"A.P.\u00a0Felt, R.\u00a0Barnes, A.\u00a0King, C.\u00a0Palmer, C.\u00a0Bentzel and P.\u00a0Tabriz, Measuring HTTPS adoption on the web, in: 26th USENIX Security Symposium (USENIX Security 17), 2017, pp.\u00a01323\u20131338."},{"key":"ref024","doi-asserted-by":"crossref","unstructured":"M.\u00a0Georgiev, S.\u00a0Iyengar, S.\u00a0Jana, R.\u00a0Anubhai, D.\u00a0Boneh and V.\u00a0Shmatikov, The most dangerous code in the world: Validating SSL certificates in non-browser software, in: Proceedings of the 2012 ACM Conference on Computer and Communications Security, ACM, NY, USA, 2012, pp.\u00a038\u201349.","DOI":"10.1145\/2382196.2382204"},{"key":"ref025","unstructured":"S.\u00a0Gooding, More Than 50% of Web Traffic is Now Encrypted, WP Tavern, 2017. 
https:\/\/wptavern.com\/more-than-50-of-web-traffic-is-now-encrypted."},{"key":"ref026","doi-asserted-by":"crossref","unstructured":"J.\u00a0Hodges, C.\u00a0Jackson and A.\u00a0Barth, HTTP Strict Transport Security (HSTS), RFC6797 RFC(6797) (2012), 1\u201316.","DOI":"10.17487\/rfc6797"},{"key":"ref027","doi-asserted-by":"publisher","DOI":"10.1145\/2068816.2068856"},{"key":"ref028","doi-asserted-by":"publisher","DOI":"10.5296\/npa.v10i1.12478"},{"key":"ref029","unstructured":"M.\u00a0Kikuchi, How I discovered CCS Injection Vulnerability, Lepidum, 2014. http:\/\/ccsinjection.lepidum.co.jp\/blog\/2014-06-05\/CCS-Injection-en\/index.html."},{"key":"ref030","doi-asserted-by":"publisher","DOI":"10.1145\/3291533.3291556"},{"key":"ref031","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.05.013"},{"key":"ref032","doi-asserted-by":"publisher","DOI":"10.1145\/2659897"},{"key":"ref033","unstructured":"Let\u2019s Encrypt, A phishing website has a valid Let\u2019s Encrypt certificate, Let\u2019s Encrypt, 2019. https:\/\/community.letsencrypt.org\/t\/a-phishing-website-has-a-valid-lets-encrypt-certificate\/108527."},{"key":"ref034","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.12"},{"key":"ref035","doi-asserted-by":"publisher","DOI":"10.1145\/2815675.2815685"},{"key":"ref036","unstructured":"B.\u00a0Lokhande, Assessment Tools, 2017, https:\/\/github.com\/ssllabs\/research\/wiki\/Assessment-Tools."},{"key":"ref037","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-69710-1_16"},{"key":"ref038","doi-asserted-by":"crossref","unstructured":"M.\u00a0Matsui, Linear cryptanalysis method for DES cipher, in: Workshop on the Theory and Application of Cryptographic Techniques, Springer, Norway, 1993, pp.\u00a0386\u2013397.","DOI":"10.1007\/3-540-48285-7_33"},{"key":"ref039","unstructured":"E.\u00a0Mill, Fraudulent Google certificate points to Internet attack, CNET, 2011. 
https:\/\/www.cnet.com\/news\/fraudulent-google-certificate-points-to-internet-attack."},{"key":"ref040","unstructured":"A.\u00a0Mirian, C.\u00a0Thompson, S.\u00a0Savage, G.M.\u00a0Voelker and A.P.\u00a0Felt, 2018, HTTPS Adoption in the Longtail."},{"key":"ref041","unstructured":"B.\u00a0M\u00f6ller, T.\u00a0Duong and K.\u00a0Kotowicz, This POODLE Bites: Exploiting The SSL 3.0 Fallback, Google, 2014. https:\/\/www.openssl.org\/~bodo\/ssl-poodle.pdf."},{"key":"ref042","unstructured":"MozillaWiki, Networking\/HTTP2, Networking\/http2, 2014. https:\/\/wiki.mozilla.org\/Networking\/http2."},{"key":"ref043","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-49100-4_7"},{"key":"ref044","unstructured":"J.\u00a0Rizzo and T.\u00a0Duong, The CRIME attack, Ekoparty, 2012. https:\/\/www.ekoparty.org\/archive\/2012\/CRIME_ekoparty2012.pdf."},{"key":"ref045","doi-asserted-by":"publisher","DOI":"10.1016\/j.csi.2016.09.011"},{"key":"ref046","doi-asserted-by":"crossref","unstructured":"R.\u00a0Seggelmann, M.\u00a0Tuexen and M.\u00a0Williams, Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension, RFC6520 RFC(6520) (2012), 1\u20137.","DOI":"10.17487\/rfc6520"},{"key":"ref047","unstructured":"Synopsys, The Heartbleed Bug, Synopsys, 2014. http:\/\/heartbleed.com."},{"key":"ref048","unstructured":"L.\u00a0Tung, Google Chrome gets ready to mark all HTTP sites as \u2018bad\u2019, ZDNet, 2016. 
http:\/\/www.zdnet.com\/article\/google-chrome-gets-ready-to-mark-all-http-sites-as-bad."},{"key":"ref049","doi-asserted-by":"crossref","unstructured":"S.\u00a0Turner and T.\u00a0Polk, Prohibiting Secure Sockets Layer (SSL) version 2.0, RFC6176 RFC(6176) (2011), 1\u20134.","DOI":"10.17487\/rfc6176"},{"key":"ref050","unstructured":"M.\u00a0Vanhoef and F.\u00a0Piessens, All your biases belong to us: Breaking RC4 in WPA-TKIP and TLS, in: USENIX Security Symposium, USENIX, Austin, TX, 2015, pp.\u00a097\u2013112."},{"key":"ref051","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4614-1981-5_5"},{"key":"ref052","unstructured":"D.\u00a0Wagner, B.\u00a0Schneier et al., Analysis of the SSL 3.0 protocol, in: The Second USENIX Workshop on Electronic Commerce Proceedings, USENIX, Oakland, California, NY, USA, 1996, pp.\u00a029\u201340."}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-200070","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-200070","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-200070","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,11]],"date-time":"2025-03-11T07:11:34Z","timestamp":1741677094000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-200070"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,11,27]]},"references-count":52,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,2,3]]}},"alternative-id":["10.3233\/JCS-200070"],"URL":"https:\/\/doi.org\/10.3233\/jcs-200070","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"
},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,11,27]]}}}