Alexandria Digital Research Library

Are we using the crypto we want? : TLS cipher-suite negotiation and its discontents

Author:
Corbetta, Jacopo
Degree Grantor:
University of California, Santa Barbara. Computer Science
Degree Supervisor:
Christopher Kruegel and Giovanni Vigna
Place of Publication:
[Santa Barbara, Calif.]
Publisher:
University of California, Santa Barbara
Creation Date:
2016
Issued Date:
2016
Topics:
Computer science
Keywords:
HTTPS
TLS
Negotiation protocol
Genres:
Online resources and Dissertations, Academic
Dissertation:
M.S.--University of California, Santa Barbara, 2016
Description:

Quite a bit of thought goes into selecting which cryptographic primitives are in charge of securing HTTPS traffic: many were safe yesterday but will not be tomorrow. TLS relies on a negotiation step to get the client and the server to agree on what to use. Both have preferences, both have limitations, and the handshake should keep both of them happy and secure -- and allow for a seamless switch to new ciphers should an issue appear. In practice, however, transitions have been held back for years.

A mix of protocol rigidity and compatibility pressure led to a "reaction" that was not fully expected when the protocol was designed: nowadays both client programs and server administrators try to "override" each other. This is the case with all major browsers and with around two thirds of the top HTTPS sites, and has been a "best-practice" recommendation for the past few years.

Beyond the complicated state of affairs, this thesis examines how one-sided enforcement can also lead to unexpected results, including paradoxical "downgrades": cases in which both sides support modern components yet end up negotiating obsolete (i.e., non-AEAD) ones.

For instance, this currently happens with Firefox (and Chrome, up to a couple of weeks ago) when visiting sites that prefer 256-bit symmetric keys with higher priority than AEAD (e.g., AES GCM) modes. Examples include many sites in the financial sector, and even some default configurations. To better understand this issue, the thesis includes a tool designed to "reverse-engineer" the server configuration and check how common clients would behave when facing it. The tool has been used to gather configurations of popular websites, and uncovered many potentially unwanted results.
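To make the downgrade described above concrete, the following is an added illustration (not the thesis's tool or code) that models TLS 1.2 cipher-suite selection with constructed client and server preference lists and flags handshakes where both peers offer an AEAD suite yet a non-AEAD one is chosen.

```python
# Added illustration (not from the thesis or its tool): a toy model of TLS 1.2
# cipher-suite negotiation that flags "paradoxical downgrades", i.e. handshakes
# where both peers support an AEAD suite yet a non-AEAD suite is selected.
# Suite names are IANA identifiers; the preference orders are constructed samples.

AEAD_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

# Constructed client order: a browser that prefers AEAD but, like Firefox at the
# time of the thesis, offers no AES-256-GCM suite at all.
CLIENT_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]

# Constructed server order: "256-bit first", ranking AES-256-CBC above AES-128-GCM.
SERVER_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]

def negotiate(client_order, server_order, server_preference=True):
    """Pick the first suite in the deciding side's list that both sides offer.
    server_preference=True models the common 'honor server order' setting."""
    client_set, server_set = set(client_order), set(server_order)
    chooser = server_order if server_preference else client_order
    for suite in chooser:
        if suite in client_set and suite in server_set:
            return suite
    return None  # no common suite: the handshake would fail

def is_paradoxical_downgrade(client_order, server_order, chosen):
    """True when a non-AEAD suite was chosen although an AEAD suite was common."""
    common_aead = AEAD_SUITES & set(client_order) & set(server_order)
    return chosen is not None and chosen not in AEAD_SUITES and bool(common_aead)

if __name__ == "__main__":
    for pref in (True, False):
        chosen = negotiate(CLIENT_ORDER, SERVER_ORDER, server_preference=pref)
        flag = is_paradoxical_downgrade(CLIENT_ORDER, SERVER_ORDER, chosen)
        print(f"server_preference={pref}: {chosen} (paradoxical downgrade: {flag})")
```

With server preference enforced the sample server picks AES-256-CBC even though both sides offer AES-128-GCM; with client preference the AEAD suite wins.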

Finally, this thesis explores how even though many TLS problem instances have been fixed, some factors that made them hard to address in practice are still there. In particular, a burden is still imposed on individual developers and system administrators to validate and update configurations as part of their own deployments. Therefore, the thesis also examines a possible change to the negotiation protocol to ease future transitions and configurations.

Physical Description:
1 online resource (71 pages)
Format:
Text
Collection(s):
UCSB electronic theses and dissertations
ARK:
ark:/48907/f3pr7w2w
ISBN:
9781369146547
Catalog System Number:
990046968160203776
Rights:
In Copyright
Copyright Holder:
Jacopo Corbetta
Access: This item is restricted to on-campus access only. Please check our FAQs or contact UCSB Library staff if you need additional assistance.