Browser SSL warnings shown to be ineffective
“The big takeaway is that computer security warnings are not an effective way of addressing computer security,” study researcher and co-author Lorrie Faith Cranor, an associate professor of computer science, engineering and public policy at Carnegie Mellon University, told SCMagazineUS.com on Tuesday. “People don't read warnings and don't understand them when they do read them.”
The study, conducted by Carnegie Mellon University researchers during 2008, tested 400 internet users' behaviors when SSL warnings were displayed on Firefox 2, 3 and Internet Explorer 7. Researchers wrote a paper based on the study called, “Crying Wolf: An Empirical Study of SSL Warning Effectiveness” and will present their findings August 14 at the USENIX Security Symposium in Montreal.
The study found that the different web browsers had different approaches to dealing with warnings, and that Firefox (3.0) made it more difficult for users to override the warnings and proceed to the page, Cranor said. But, still the warnings on all three browsers were largely ineffective, and one browser didn't manage to communicate the risks any better than another.
By not paying attention to SSL warnings, or being unable to understand them, a user is more susceptible to falling for phishing attacks, Cranor said. The worse-case scenario is when an attacker has launched an MITM attack, and the user connects to a bogus site. If a user gets a warning about an invalid certificate, ignores it, then tries to buy something on the site, the user could be handing their credit card information over to attackers.
In addition, researchers also surveyed experts – those with an IT-related degree, computer security work experience or programming knowledge – to see if they would behave any differently when receiving a warning. Researchers found that even experts often ignored the warnings, indicating that the system of relying on warnings to communicate computer security risks is “fundamentally broken,” Cranor said.
Researchers then re-worded warnings, trying to convey the risk of proceeding to the web page without using “technical jargon,” Cranor said. When presented with the new warnings, more users paid attention but many still did not.
“Our results suggest that, while warnings can be improved, a better approach may be to minimize the use of SSL warnings altogether by blocking users from making unsafe connections and eliminating warnings in benign situations,” the paper states.