Does "www." Mean Better Transport Layer Security?

by   Eman Salem Alashwali, et al.

Experience shows that most researchers and developers tend to treat plain-domains (those that are not prefixed with www sub-domains, e.g. as synonyms for their equivalent www-domains (those that are prefixed with www sub-domains, e.g. In this paper, we analyse datasets of nearly two million plain-domains against their equivalent www-domains to answer the following question: Do plain-domains and their equivalent www-domains differ in TLS security configurations and certificates? If so, to what extent? Our results provide evidence of an interesting phenomenon: plain-domains and their equivalent www-domains differ in TLS security configurations and certificates in a non-trivial number of cases. Furthermore, www-domains tend to have stronger security configurations than their equivalent plain-domains. Interestingly, this phenomenon is more prevalent in the most-visited domains than in randomly-chosen domains. Further analysis of the top domains dataset shows that 53.35% of the plain-domains that show one or more weakness indicators (e.g. expired certificate) that are not shown in their equivalent www-domains perform HTTPS redirection from HTTPS plain-domains to their equivalent HTTPS www-domains. Additionally, 24.71% of these redirections contains plain-text HTTP intermediate URLs. In these cases, users see the final www-domains with strong TLS configurations and certificates, but in fact, the HTTPS request has passed through plain-domains that have less secure TLS configurations and certificates. Clearly, such a set-up introduces a weak link in the security of the overall interaction.


page 1

page 2

page 3

page 4


Exploring HTTPS Security Inconsistencies: A Cross-Regional Perspective

If two or more identical HTTPS clients, located at different geographic ...

On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name

Most modern web browsers today sacrifice optimal TLS security for backwa...

Latent-free equivalent mDAGs

We show that the marginal model for a discrete directed acyclic graph (D...

Infinitely growing configurations in Emil Post's tag system problem

Emil Post's tag system problem is the question of whether or not a tag s...

Please sign up or login with your details

Forgot password? Click here to reset