Security-performance tradeoffs in HTTPS implementations of browsers

Abstract: Different browsers manage security in different ways when communicating with web servers. Many of these differences are due to browsers making security-performance tradeoffs in the battle to be the most popular browser. This thesis characterize and analyze how browsers manage security in the implementation of HTTPS. This is important because most of us use HTTPS regularly and thrust it with our passwords, bank accounts and everything else we communicate over the Internet. Our analysis includes which TLS version that is used for the connections, which cipher suites the browsers prefer, why they are preferred and which cipher suites the web servers selects based on this. We also compare the difference in number of secure connections and certificates between the browser in their communication with the web servers. The analysis shows that Firefox and Chrome has the latest security updates regarding TLS version 1.3. By default, they have three TLS 1.3 cipher suites on top of their list of offered cipher suites, where the safest is at the top. In contrast, Safari has their number two as its number one and it is possible that it is due to some latency in the development. When it comes to cipher suites it seems that the browsers choose security over performance. As for the number of secure connections and certificates we could see a difference between Safari and the other two browsers and these differences indicates that Safari stops more third party tracking than Firefox and Chrome.