ABSTRACT: HTTPS is one of the most important protocols used to secure communication and is, fortunately, becoming more pervasive. However, the long tail of websites in particular is still not sufficiently secured. HTTPS involves different types of users, e.g., end users who are faced with trust indicators and warnings, or administrators who are required to deal with cryptographic fundamentals and complex decisions concerning compatibility.
In this talk, I present recent user-centric research that explains why different types of users still struggle with making informed security decisions. Based on empirical studies with administrators and end users, I discuss multidimensional reasons for vulnerabilities in the HTTPS ecosystem and how a more human-centric approach to the design of cryptographic protocols could mitigate them.