# Does "www." Mean Better Transport Layer Security?

**Authors:** Eman Salem Alashwali, Pawel Szalachowski, Andrew Martin

arXiv: 1906.06505 · 2019-06-19

## TL;DR

This study analyzes nearly two million domain pairs to determine if plain-domains and their www counterparts differ in TLS security, revealing that www-domains generally have stronger security and that redirection practices can introduce security vulnerabilities.

## Contribution

The paper provides the first large-scale analysis showing that plain-domains often have weaker TLS security than their www counterparts, highlighting security implications of redirection practices.

## Key findings

- www-domains tend to have stronger TLS configurations and certificates than their equivalent plain-domains, and the gap is more prevalent among the most-visited domains than among randomly-chosen ones.
- In the top-domains dataset, over 53% of the plain-domains that show weakness indicators absent from their www-domains redirect over HTTPS to those www-domains.
- Nearly a quarter (24.71%) of these redirections pass through plain-text HTTP intermediate URLs, so the request traverses a weaker link before reaching the www-domain the user finally sees.

## Abstract

Experience shows that most researchers and developers tend to treat plain-domains (those that are not prefixed with "www" sub-domains, e.g. "example.com") as synonyms for their equivalent www-domains (those that are prefixed with "www" sub-domains, e.g. "www.example.com"). In this paper, we analyse datasets of nearly two million plain-domains against their equivalent www-domains to answer the following question: Do plain-domains and their equivalent www-domains differ in TLS security configurations and certificates? If so, to what extent? Our results provide evidence of an interesting phenomenon: plain-domains and their equivalent www-domains differ in TLS security configurations and certificates in a non-trivial number of cases. Furthermore, www-domains tend to have stronger security configurations than their equivalent plain-domains. Interestingly, this phenomenon is more prevalent in the most-visited domains than in randomly-chosen domains. Further analysis of the top domains dataset shows that 53.35% of the plain-domains that show one or more weakness indicators (e.g. expired certificate) that are not shown in their equivalent www-domains perform HTTPS redirection from HTTPS plain-domains to their equivalent HTTPS www-domains. Additionally, 24.71% of these redirections contain plain-text HTTP intermediate URLs. In these cases, users see the final www-domains with strong TLS configurations and certificates, but in fact, the HTTPS request has passed through plain-domains that have less secure TLS configurations and certificates. Clearly, such a set-up introduces a weak link in the security of the overall interaction.
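A defender-side triage of the phenomenon the abstract describes, written here as an added example rather than the paper's own code or data: it takes per-host observations, computes the weakness indicators a plain-domain shows but its www-domain does not, and checks whether the HTTPS redirect to the www-domain passes through a plain-text HTTP hop. The `HostObservation` record, the weakness-label names and the sample hosts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed observation record (not the paper's data format): weakness labels
# are our own names, and redirect_chain starts with the URL that was requested.
@dataclass
class HostObservation:
    host: str
    weaknesses: set = field(default_factory=set)
    redirect_chain: list = field(default_factory=list)

def www_of(plain_host):
    """www-domain equivalent of a plain-domain (already-www hosts are returned as-is)."""
    return plain_host if plain_host.startswith("www.") else "www." + plain_host

def plain_only_weaknesses(plain, www):
    """Weakness indicators shown by the plain-domain but not by its www-domain."""
    return plain.weaknesses - www.weaknesses

def ends_at_https_www(plain):
    """True when the chain that started at https://<plain>/ ends at https://www.<plain>/."""
    final = urlparse(plain.redirect_chain[-1])
    return final.scheme == "https" and final.hostname == www_of(plain.host)

def http_intermediates(chain):
    """Plain-text http:// URLs visited between the first request and the final URL."""
    return [u for u in chain[1:-1] if urlparse(u).scheme == "http"]

def assess_pair(plain, www):
    """Triage a (plain-domain, www-domain) pair into the cases the paper distinguishes."""
    if not plain_only_weaknesses(plain, www):
        return "no plain-only weakness"
    if not ends_at_https_www(plain):
        return "plain-only weakness, no HTTPS redirect to www"
    if http_intermediates(plain.redirect_chain):
        return "weak link: HTTPS-to-www redirect passes through plain-text HTTP"
    return "plain-only weakness hidden behind HTTPS redirect to www"

# Constructed sample pairs; example.com/.net/.org are reserved documentation names.
SAMPLE_PAIRS = [
    (HostObservation("example.com", {"expired_cert"},
                     ["https://example.com/", "http://example.com/", "https://www.example.com/"]),
     HostObservation("www.example.com", set(), ["https://www.example.com/"])),
    (HostObservation("example.net", {"expired_cert"},
                     ["https://example.net/", "https://www.example.net/"]),
     HostObservation("www.example.net", set(), ["https://www.example.net/"])),
    (HostObservation("example.org", set(), ["https://example.org/"]),
     HostObservation("www.example.org", set(), ["https://www.example.org/"])),
]
```

In a real audit the observations would come from a TLS scanner and a redirect-following HTTP client run against both hosts of each pair; the first sample pair is the case the abstract calls a weak link.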

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1906.06505/full.md

## Figures

3 figures with captions in the complete paper: https://tomesphere.com/paper/1906.06505/full.md

## References

30 references — full list in the complete paper: https://tomesphere.com/paper/1906.06505/full.md

---
Source: https://tomesphere.com/paper/1906.06505