Are HTTPS Configurations Still a Challenge?: Validating Theories of Administrators’ Difficulties with TLS Configurations

HTTPS has been the standard for securing online communications for over 20 years. Despite the availability of tools to make the configuration process easier (e.g., Let’s Encrypt, Certbot), SSL Pulse scans show that still more than 50% of the most popular websites are poorly configured, which emphasizes room for improvement. Although a few recent studies looked at the remaining challenges for administrators in configuring HTTPS from a qualitative perspective, there is little work that produced quantitative results. Therefore, we conducted a survey with 96 experienced administrators (as opposed to a student sample) to investigate to which extent configuration problems revealed in prior studies actually exist in the wild. Our results confirm that Let’s Encrypt and ACME clients, such as Certbot, simplify configuration and maintenance for administrators, thus increasing the security of HTTPS configurations. Moreover, we extend the current body of work by examining the trust administrators put into Let’s Encrypt and Certbot. We found that trust and usability issues are currently barriers to the widespread adoption of Certbot.