
Security Certificate Warnings Don't Work, Researchers Say
– Robert McMillan, IDG News Service

July 24, 2009

Every Web surfer has seen them. Those "invalid certificate" warnings you sometimes get when you're trying to visit a secure Web

They say things like "There is a problem with this Web site's security certificate." If you're like most people, you may feel vaguely uneasy, and -- according to a new paper from researchers at Carnegie Mellon University -- there's a good chance you'll ignore the warning and click through

In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users).

"Everyone knew that there was a problem with these warnings," said Joshua Sunshine, a Carnegie Mellon graduate student and one of the paper's co-authors. "Our study showed dramatically how big the problem was."

That's not great news. Often the warnings pop up because of a technical problem on the Web site, but they can also mean that the Web surfer is being redirected somehow to a fake Web site. URLs for secure Web sites begin with "https."

The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web.

They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites.

"That's sort of a backwards understanding of what these messages mean," Sunshine said. "The message is validating that you're visiting the site you think you're visiting, not that the site is

If a banking Web site shows a message that its security certificate is invalid, that's a very bad sign, security experts say. It could mean the Web surfer is being subjected to a so-called man-in-the-middle attack. In this type of attack, the criminal inserts himself between the Web surfer and the site he's visiting, in the hopes of stealing information.
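What a browser actually checks before it shows one of these warnings, as an added example that is not part of the article or of the Carnegie Mellon study. The code works on a simplified, constructed view of a certificate (its names, validity window and whether its issuer chains to a trusted root) rather than parsing real X.509, so it runs offline with the Python standard library only; `CertView`, `certificate_errors` and the sample certificates are all constructed here, and `likely_attack` is an illustrative heuristic of the kind Sunshine describes, not the researchers' own system.

```python
"""
Added example, not from the article or the Carnegie Mellon study: the checks a
browser runs before it decides whether a certificate is "invalid".  It works on
a simplified, constructed view of a certificate so it runs offline with the
standard library only; real browsers parse X.509 and build a chain to a root.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


@dataclass
class CertView:
    """Constructed stand-in for the X.509 fields the checks below look at."""
    subject_cn: str                                     # Common Name in the Subject
    san_dns: List[str] = field(default_factory=list)    # Subject Alternative Name dNSName entries
    not_before: datetime = datetime(2000, 1, 1, tzinfo=timezone.utc)
    not_after: datetime = datetime(2100, 1, 1, tzinfo=timezone.utc)
    issuer_trusted: bool = True                         # does the chain end at a trusted root?


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against the URL host.

    Matching is case-insensitive; a wildcard is allowed only as the whole
    leftmost label, stands for exactly one label, and must leave at least two
    labels to its right (so "*.com" matches nothing).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    if "*" in suffix or "." not in suffix:
        return False
    first_label, sep, rest = hostname.partition(".")
    return bool(sep) and first_label != "" and rest == suffix


def certificate_errors(cert: CertView, hostname: str, now: datetime) -> List[str]:
    """Return the reasons a browser would refuse to treat this certificate as valid."""
    errors: List[str] = []
    if not cert.issuer_trusted:
        errors.append("untrusted_issuer")
    if now < cert.not_before:
        errors.append("not_yet_valid")
    elif now > cert.not_after:
        errors.append("expired")
    # Browsers use the SAN list when present and fall back to the CN otherwise.
    names = cert.san_dns or [cert.subject_cn]
    if not any(hostname_matches(name, hostname) for name in names):
        errors.append("hostname_mismatch")
    return errors


def likely_attack(errors: List[str]) -> bool:
    """Illustrative heuristic (an assumption, not the study's system): the
    certificate cannot vouch for the site's identity at all when the chain is
    untrusted or the name does not match, whereas an expired certificate on
    the right name is the classic server-side misconfiguration."""
    return "untrusted_issuer" in errors or "hostname_mismatch" in errors


# Constructed sample data.
NOW = datetime(2009, 7, 24, tzinfo=timezone.utc)
GOOD_CERT = CertView(subject_cn="example.com", san_dns=["example.com", "*.example.com"])
EXPIRED_CERT = CertView(subject_cn="example.com", san_dns=["example.com", "*.example.com"],
                        not_after=datetime(2009, 1, 1, tzinfo=timezone.utc))
SELF_SIGNED_CERT = CertView(subject_cn="localhost", issuer_trusted=False)


if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("expired", EXPIRED_CERT), ("self-signed", SELF_SIGNED_CERT)]:
        errs = certificate_errors(cert, "www.example.com", NOW)
        verdict = "block" if likely_attack(errs) else ("warn" if errs else "ok")
        print(f"{label:12s} {errs or 'no errors'} -> {verdict}")
```

The point of separating `certificate_errors` from `likely_attack` is the one Sunshine makes below: the browser already knows which check failed, and a hostname mismatch or an untrusted chain says nothing can vouch for the identity of the site, while an expired certificate on the correct name is the typical technical problem on the server side.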

Security experts have long known that these security warnings are ineffective, said Jeremiah Grossman, chief technology officer with Web security consultancy White Hat Security. That's because users "really don't know what the security risks mean," he said via instant message. "So they take the

In the Firefox 3 browser, Mozilla tried to use simpler language and better warnings for bad certificates. And the browser makes it harder to ignore a bad certificate warning. In the Carnegie Mellon lab, Firefox 3 users were the least likely to click through after being shown a warning.

The researchers experimented with several redesigned security warnings they'd written themselves, which appeared to be even more effective. They plan to report their findings Aug. 14th at the Usenix Security Symposium in Montreal.

Still, Sunshine believes that better warnings will help only so much. Instead of warnings, browsers should use systems that can analyze the error messages. "If those systems decide this is likely to be an attack, they should just block the user altogether," he said.

Even when visiting important Web sites like banks, "people are still dramatically ignoring the warnings," he said.

Copyright © 2008 IDG News Service. All rights reserved. IDG News Service is a trademark of International Data Group, Inc.
