Making Chromium’s Certificate Transparency integration more accessible

Daniel Waxweiler

Jun 21, 2016, 3:34:16 AM
to certificate-...@googlegroups.com
Hello,

I wanted to share my Master thesis about Chromium's CT integration.

Abstract:
Nowadays, Transport Layer Security (TLS) is the most widely used security protocol, e.g. for accessing e-mails and doing online banking. TLS relies on certificates issued by trusted certificate authorities. However, a certificate authority can issue certificates to anybody for any domain name by mistake or when being compromised. Using these certificates, governments and others have been spying on Internet users by conducting man-in-the-middle attacks. With the goal of detecting these false certificates, the Certificate Transparency (CT) framework was introduced and partly integrated into the open-source browser Chromium, which the most popular browser, Google Chrome, is based on. In this thesis, a user-centred iterative design process was used to design and develop new CT features for Chromium. At first, features were defined by analysing existing security indicators and by exploring users' ideas within focus groups. After the implementation, these features were evaluated by a walk-through and an online survey. Apart from displaying the website, the browser was not expected to do anything else when all CT checks have succeeded. In contrast, when one of the CT checks has failed, an error page was expected to be shown instead. Moreover, only experts should be able to continue to the possibly false website. Such an error page was designed, implemented and positively received. As some users wanted to access CT details, the Security Panel of the DevTools was enhanced. This addition was particularly appreciated by expert users and will be included in the Chromium project in the near future. Another finding from the evaluation was that the pop-up that opens when you click on the lock icon in the location bar confused people. Overall, more simple explanations of technical terms and concepts were requested to be easily accessible from everywhere. In summary, this thesis has contributed to the adoption of CT by improving its integration in Chromium and Google Chrome.

You can download it from Google Drive: https://drive.google.com/open?id=0BzhBBSu2aOPmakVHQWdudnN5M2s

The enhancement of the DevTools is submitted as CL: https://codereview.chromium.org/1772603002/

Best greetings,
Daniel Waxweiler