Menu
Security certificate warnings don't work, researchers say

Security certificate warnings don't work, researchers say

Most users click through after they're warned of an "invalid certificate"

Every Web surfer has seen them. Those "invalid certificate" warnings you sometimes get when you're trying to visit a secure Web site.

They say things like "There is a problem with this Web site's security certificate." If you're like most people, you may feel vaguely uneasy, and -- according to a new paper from researchers at Carnegie Mellon University -- there's a good chance you'll ignore the warning and click through anyway.

In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users).

"Everyone knew that there was a problem with these warnings," said Joshua Sunshine, a Carnegie Mellon graduate student and one of the paper's co-authors. "Our study showed dramatically how big the problem was."

That's not great news. Often the warnings pop up because of a technical problem on the Web site, but they can also mean that the Web surfer is being redirected somehow to a fake Web site. URLs for secure Web sites begin with "https."

The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web.

They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites.

"That's sort of a backwards understanding of what these messages mean," Sunshine said. "The message is validating that you're visiting the site you think you're visiting, not that the site is trustworthy."

If a banking Web site shows a message that its security certificate is invalid, that's a very bad sign, security experts say. It could mean the Web surfer is being subjected to a so-called man-in-the-middle attack. In this type of attack, the criminal inserts himself between the Web surfer and the site he's visiting, in the hopes of stealing information.

Security experts have long known that these security warnings are ineffective, said Jeremiah Grossman, chief technology officer with Web security consultancy White Hat Security. That's because users "really don't know what the security risks mean," he said via instant message. "So they take the gamble."

In the Firefox 3 browser, Mozilla tried to use simpler language and better warnings for bad certificates. And the browser makes it harder to ignore a bad certificate warning. In the Carnegie Mellon lab, Firefox 3 users were the least likely to click through after being shown a warning.

The researchers experimented with several redesigned security warnings they'd written themselves, which appeared to be even more effective. They plan to report their findings Aug. 14th at the Usenix Security Symposium in Montreal.

Still, Sunshine believes that better warnings will help only so much. Instead of warnings, browsers should use systems that can analyze the error messages. "If those systems decide this is likely to be an attack, they should just block the user altogether," he said.

Even when visiting important Web sites like banks, "people are still dramatically ignoring the warnings," he said.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags SSL Certificates

Featured

Slideshows

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Meet the winners of the 2020 Reseller News Innovation Awards

Meet the winners of the 2020 Reseller News Innovation Awards

Reseller News honoured the standout players of the New Zealand channel in front of more than 500 technology leaders in Auckland on 21 October, recognising the achievements of top partners, start-ups, vendors, distributors and individuals.

Meet the winners of the 2020 Reseller News Innovation Awards
Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Show Comments