“The big takeaway is that computer security warnings are not an effective way of addressing computer security,” study researcher and co-author Lorrie Faith Cranor, an associate professor of computer science, engineering and public policy at Carnegie Mellon University, told SCMagazineUS.com. “People don't read warnings and don't understand them when they do read them.”
The study, conducted by Carnegie Mellon University researchers during 2008, tested 400 internet users' behaviors when SSL warnings were displayed on Firefox 2, 3 and Internet Explorer 7. Researchers wrote a paper based on the study called “Crying Wolf: An Empirical Study of SSL Warning Effectiveness”, and will present their findings at the USENIX Security Symposium in Montreal.
The study found that the different web browsers had different approaches to dealing with warnings, and that Firefox 3.0 made it more difficult for users to override the warnings and proceed to the page, Cranor said. But still, the warnings on all three browsers were largely ineffective, and no one browser communicated the risks any better than another.
By not paying attention to SSL warnings, or being unable to understand them, a user is more susceptible to falling for phishing attacks, Cranor said. The worst-case scenario is when an attacker has launched an MITM attack and the user connects to a bogus site. If a user gets a warning about an invalid certificate, ignores it, then tries to buy something on the site, the user could be handing their credit card information over to attackers.
Researchers also surveyed experts – those with an IT-related degree, computer security work experience or programming knowledge – to see if they would behave any differently when receiving a warning. Researchers found that even experts often ignored the warnings, indicating that the system of relying on warnings to communicate computer security risks is “fundamentally broken,” Cranor said.
Researchers then re-worded warnings, trying to convey the risk of proceeding to the web page without using “technical jargon”, Cranor said. When presented with the new warnings, more users paid attention but many still did not.
“Our results suggest that, while warnings can be improved, a better approach may be to minimize the use of SSL warnings altogether by blocking users from making unsafe connections and eliminating warnings in benign situations,” the paper states.
See original article on scmagazineus.com
Browser SSL warnings shown to be ineffective
New research shows that Secure Socket Layer (SSL) warnings, used in web browsers to indicate a problem with a web page's certificate or the potential for a man-in-the-middle attack (MITM), are ineffective.