De wind van Snowden in de Amerikaanse informatieparaplu

Mediaforum, num: 7/8, pp: 173, 2013

Protection of communications, Fundamental rights

Bibtex

Article{nokey, title = {De wind van Snowden in de Amerikaanse informatieparaplu}, author = {Arnbak, A. and van Hoboken, J.}, url = {http://www.ivir.nl/publicaties/download/981.pdf}, year = {0806}, date = {2013-08-06}, journal = {Mediaforum}, number = {7/8}, keywords = {Bescherming van communicatie, Grondrechten}, }

Security Economics in the HTTPS Value Chain

Asghari, H., Eeten, M.J.G. van, Arnbak, A. & van Eijk, N.
pp: 1-35, 2013

Abstract

Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications.

Protection of communications, Fundamental rights

Bibtex

Presentation{nokey, title = {Security Economics in the HTTPS Value Chain}, author = {Asghari, H. and Eeten, M.J.G. van and Arnbak, A. and van Eijk, N.}, url = {http://www.ivir.nl/publicaties/download/paper_WEIS_2013.pdf}, year = {0711}, date = {2013-07-11}, abstract = {Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications.}, keywords = {Bescherming van communicatie, Grondrechten}, }

PRISM: Obscured by Clouds or the Dark Side of the Moon?: How to Address Governmental Access to Cloud Data from Abroad

2013

Fundamental rights, Privacy

Bibtex

Presentation{nokey, title = {PRISM: Obscured by Clouds or the Dark Side of the Moon?: How to Address Governmental Access to Cloud Data from Abroad}, author = {Arnbak, A.}, url = {http://www.ivir.nl/publicaties/download/979.pdf}, year = {0627}, date = {2013-06-27}, keywords = {Grondrechten, Privacy}, }

Gespreksnotitie RTG ‘praktijken, gevolgen en wettelijke kaders inzake het aftappen van persoonsgegevens’

Fundamental rights, Privacy

Bibtex

Presentation{nokey, title = {Gespreksnotitie RTG ‘praktijken, gevolgen en wettelijke kaders inzake het aftappen van persoonsgegevens’}, author = {Arnbak, A. and van Hoboken, J.}, url = {http://www.ivir.nl/publicaties/download/978.pdf}, year = {0625}, date = {2013-06-25}, keywords = {Grondrechten, Privacy}, }

Obscured by Clouds or How to Address Governmental Access to Cloud Data From Abroad

Fundamental rights, Privacy

Bibtex

Presentation{nokey, title = {Obscured by Clouds or How to Address Governmental Access to Cloud Data From Abroad}, author = {van Hoboken, J. and Arnbak, A. and van Eijk, N.}, url = {http://www.ivir.nl/publicaties/download/obscured_by_clouds.pdf}, year = {0611}, date = {2013-06-11}, keywords = {Grondrechten, Privacy}, }

Certificate Authority Collapse: Regulating Systemic Vulnerabilities in the HTTPS Value Chain

Abstract

Recent breaches and malpractices at several Certificate Authorities (CAs) have led to a global collapse of trust in these central mediators of Hypertext Transfer Protocol Secure (HTTPS) communications. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem. To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis and the systemic vulnerabilities of the HTTPS ecosystem are described through the lens of several landmark breaches. The paper explores the rationales for regulatory intervention, discusses the proposed EU eSignatures Regulation and ultimately develops a conceptual framework for HTTPS governance. It appraises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of expression. In the short term, specific regulatory measures to be considered throughout the value chain include proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions. The EU eSignatures proposal falls short on many of these aspects. In the long term, a robust technical and policy overhaul is needed to address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem.

Telecommunications law

Bibtex

Presentation{nokey, title = {Certificate Authority Collapse: Regulating Systemic Vulnerabilities in the HTTPS Value Chain}, author = {Arnbak, A. and van Eijk, N.}, url = {http://www.ivir.nl/publicaties/download/paper_TPRC_2012.pdf}, year = {0907}, date = {2012-09-07}, abstract = {Recent breaches and malpractices at several Certificate Authorities (CA’s) have led to a global collapse of trust in these central mediators of Hypertext Transfer Protocol Secure (HTTPS) communications. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem. To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis and the systemic vulnerabilities of the HTTPs ecosystem are described through the lens of several landmark breaches. The paper explores the rationales for regulatory intervention, discusses the proposed EU eSignatures Regulation and ultimately develops a conceptual framework for HTTPS governance. It apprises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of expression. 
On the short term, specific regulatory measures to be considered throughout the value chain includes proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions. The EU eSignatures proposal falls short on many of these aspects. In the long term, a robust technical and policy overhaul is needed to address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem.}, keywords = {Telecommunicatierecht}, }

Annotatie bij Rb. ‘s-Gravenhage 11 januari 2012 (Brein / Ziggo & XS4ALL)

AMI, num: 3, pp: 119-131, 2012

Fundamental rights

Bibtex

Case note{nokey, title = {Annotatie bij Rb. ‘s-Gravenhage 11 januari 2012 (Brein / Ziggo & XS4ALL)}, author = {Arnbak, A.}, url = {http://www.ivir.nl/publicaties/download/AMI_2012_3.pdf}, year = {0615}, date = {2012-06-15}, journal = {AMI}, number = {3}, keywords = {Grondrechten}, }

Alles onder controle? Een kritische blik op de door de dataretentierichtlijn in het leven geroepen driehoeksverhouding tussen de Wet Bewaarplicht Telecommunicatiegegevens, de strafvorderlijke toegangs

2011

Telecommunications law

Bibtex

Report{nokey, title = {Alles onder controle? Een kritische blik op de door de dataretentierichtlijn in het leven geroepen driehoeksverhouding tussen de Wet Bewaarplicht Telecommunicatiegegevens, de strafvorderlijke toegangs}, author = {Arnbak, A.}, url = {http://www.ivir.nl/publicaties/download/973.pdf}, year = {1213}, date = {2011-12-13}, keywords = {Telecommunicatierecht}, }

Handhaving van intellectuele eigendomrechten

Abstract

Report commissioned by the Ministry of Economic Affairs for the ICT-toets 2002. Contribution on the state of legislation and legislative initiatives at global and European level and in the Netherlands, Canada, Germany, France, Japan, the United Kingdom, the United States and Sweden in the field of intellectual property in the digital environment, in particular with regard to copyright, neighbouring rights and patents on software and business methods.

Intellectual property

Bibtex

Other{nokey, title = {Handhaving van intellectuele eigendomrechten}, author = {van Eechoud, M. and van Daalen, O.}, url = {http://www.ivir.nl/publicaties/download/972.pdf}, year = {0815}, date = {2003-08-15}, abstract = {Rapport in opdracht van het Ministerie van Economische Zaken ten behoeve van de ICT-toets 2002. Bijdrage over de stand van wetgeving(sinitiatieven) op wereld- en Europees niveau en in Nederland, Canada, Duitsland, Frankrijk, Japan, Verenigd Koninkrijk, Verenigde Staten en Zweden op het gebied van intellectuele eigendom in de digitale omgeving, m.n. wat betreft auteursrecht, naburige rechten en octrooien op software en bedrijfsmethoden.}, keywords = {Intellectuele eigendom}, }