Security certificate warnings don't work, researchers say

Most users click through after they're warned of an "invalid certificate"

Every Web surfer has seen them: those "invalid certificate" warnings you sometimes get when you're trying to visit a secure Web site.

They say things like "There is a problem with this Web site's security certificate." If you're like most people, you may feel vaguely uneasy, and -- according to a new paper from researchers at Carnegie Mellon University -- there's a good chance you'll ignore the warning and click through anyway.

In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users).

"Everyone knew that there was a problem with these warnings," said Joshua Sunshine, a Carnegie Mellon graduate student and one of the paper's co-authors. "Our study showed dramatically how big the problem was."

That's not great news. Often the warnings pop up because of a technical problem on the Web site, but they can also mean that the Web surfer is being redirected somehow to a fake Web site. URLs for secure Web sites begin with "https."

The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web.

They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites.

"That's sort of a backwards understanding of what these messages mean," Sunshine said. "The message is validating that you're visiting the site you think you're visiting, not that the site is trustworthy."

If a banking Web site shows a message that its security certificate is invalid, that's a very bad sign, security experts say. It could mean the Web surfer is being subjected to a so-called man-in-the-middle attack. In this type of attack, the criminal inserts himself between the Web surfer and the site he's visiting, in the hopes of stealing information.

Security experts have long known that these security warnings are ineffective, said Jeremiah Grossman, chief technology officer with Web security consultancy White Hat Security. That's because users "really don't know what the security risks mean," he said via instant message. "So they take the gamble."

In the Firefox 3 browser, Mozilla tried to use simpler language and better warnings for bad certificates. And the browser makes it harder to ignore a bad certificate warning. In the Carnegie Mellon lab, Firefox 3 users were the least likely to click through after being shown a warning.

The researchers experimented with several redesigned security warnings they'd written themselves, which appeared to be even more effective. They plan to report their findings Aug. 14th at the Usenix Security Symposium in Montreal.

Still, Sunshine believes that better warnings will help only so much. Instead of warnings, browsers should use systems that can analyze the error messages. "If those systems decide this is likely to be an attack, they should just block the user altogether," he said.

Even when visiting important Web sites like banks, "people are still dramatically ignoring the warnings," he said.


Robert McMillan

IDG News Service

10 Comments

Anonymous

1

Anon

>> Security experts have long known that these security warnings are ineffective, said Jeremiah Grossman, chief technology officer with Web security consultancy White Hat Security. That's because users "really don't know what the security risks mean," he said via instant message. "So they take the gamble."

These researchers show a complete lack of understanding. They actually hit on it earlier in the article, but apparently dismissed it.

"Often the warnings pop up because of a technical problem on the Web site"

If 99% of the time it's because of a technical problem, then the users will ignore the warning. The 1% of the time that you actually do need the warning to work, it won't because of too many false positives. It's The Boy Who Cried Wolf syndrome. Maybe if websites stop having technical problems then the general public will take the warnings more seriously.

Anonymous

2

Link to the paper?

Has the paper been published yet?

Is there a link to it?

Anonymous

3

This isn't "Chicken Little"

A "Technical Problem" on an HTTPS site is a *big* problem. The site is HTTPS specifically because it is the type of web site that needs to be secure (like a bank). In that case, a user should never ever ignore the security warning, in fact they shouldn't be allowed to.

If someone can't set up a web server properly with a correct certificate, then they simply shouldn't be running an SSL web site.

Anonymous

4

security certs are a joke anyway. 5 cents to make, charged for $50+ dollars, without any verification of any sort.

Any joker / hacker / scammer can go get a valid ssl cert and cause massive damage before anything is done.

Anonymous

5

Encryption, not identification

SSL Certificates primarily exist to encrypt data, not to ensure the site is the site that you want to visit. If you browse to https://mybakn.com and there is a cert for mybakn.com and the page looks just like mybank.com, there will be no warning at all and the data is encrypted, just as the SSL is meant to do. It doesn't prevent typos and doesn't identify a website any more than the server's security -- if that server has been compromised then so has the https:// session and the user data.
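The article's distinction between a "technical problem" and an interception, and the point in the comment above that a valid certificate for mybakn.com raises no warning at all, both come down to the same three checks a TLS client runs before it would show a warning. The following is an added example in Python, not code from the article or from any commenter: it runs those checks over constructed certificates laid out like the dict ssl.SSLSocket.getpeercert() returns; TRUSTED_ISSUERS, make_cert, the sample certificates and the fail-closed decide policy are assumptions of the example.

```python
import ssl

TRUSTED_ISSUERS = {"Example Root CA"}   # constructed stand-in for a browser's root store

def make_cert(dns_names, issuer_cn, not_before, not_after):
    """Constructed certificate in the dict layout ssl.SSLSocket.getpeercert() returns."""
    return {
        "issuer": ((("organizationName", "Example Org"),), (("commonName", issuer_cn),)),
        "subjectAltName": tuple(("DNS", n) for n in dns_names),
        "notBefore": not_before,
        "notAfter": not_after,
    }

def _name_matches(pattern, host):
    """RFC 6125 style: exact match, or a single '*' standing for the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # refuse TLD-wide wildcards such as *.com
    return p == h

def check_certificate(cert, host, now):
    """Return the findings a browser would warn about; an empty list means no warning."""
    findings = []
    valid_from = ssl.cert_time_to_seconds(cert["notBefore"])
    valid_to = ssl.cert_time_to_seconds(cert["notAfter"])
    if not valid_from <= now <= valid_to:
        findings.append("not_within_validity_period")
    issuer = dict(kv for rdn in cert["issuer"] for kv in rdn)
    if issuer.get("commonName") not in TRUSTED_ISSUERS:
        findings.append("untrusted_issuer")        # self-signed or unknown CA, as in interception
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, host) for n in names):
        findings.append("hostname_mismatch")
    return findings

def decide(cert, host, now):
    """Fail-closed policy along the lines of the article's closing suggestion: no click-through."""
    return "block" if check_certificate(cert, host, now) else "allow"

NOW = ssl.cert_time_to_seconds("Aug 14 12:00:00 2009 GMT")   # reference instant for the samples
BANK = make_cert(["mybank.com", "*.mybank.com"], "Example Root CA",
                 "Jan 01 00:00:00 2009 GMT", "Jan 01 00:00:00 2011 GMT")
INTERCEPT = make_cert(["mybank.com"], "Self-Signed",           # interception-style certificate
                      "Aug 01 00:00:00 2009 GMT", "Aug 01 00:00:00 2010 GMT")
LOOKALIKE = make_cert(["mybakn.com"], "Example Root CA",       # typo domain with a valid certificate
                      "Jan 01 00:00:00 2009 GMT", "Jan 01 00:00:00 2011 GMT")
```

Note that LOOKALIKE passes every check for the host mybakn.com: the checks answer "is this the site the address bar names", not "is this site safe", which is the distinction Sunshine draws and the commenter above restates.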

Anonymous

6

I'm not a tech

I'm a PC user, not a tech. In my opinion, if software is not placed to block the user from going to the questionable site, then there is no security at all. Warning pop-ups by themselves are never going to help. Few people who drive cars are mechanical. Few who drive PCs are at all technical.

Anonymous

7

Re: security certs are a joke

>> security certs are a joke anyway. 5 cents to make, charged for $50+ dollars, without any verification of any sort.

>> Any joker / hacker / scammer can go get a valid ssl cert and cause massive damage before anything is done.

Can you point me to this place where they are easy to get? I always find that it is a pain, what with all of the hoops and verifications they make us jump through when we want one...

Anonymous

8

not quite

Yes, you can throw together an untrusted CA for dirt cheap, but you'll pop up the warnings to not trust it (which this site nicely points out are frequently ignored). That, however, is not the case for the professional certificate vendors.

Commercial certs cost a lot more than 5 cents to make, considering most of the providers that are in the trusted root stores of popular browsers shell out over 5 million/year, some much more than that. The costs of the specialized hardware, software & physical security way beyond that of a normal server room, IT specialty professional wages for at least a dozen people (not including management, marketing, sales, etc.), $200k+/year audits and much more go into it. They also do a lot of footwork so that you can have the built-in satisfaction of your browser trusting the providers that operate in a trustworthy fashion.

Not really sure what the volume each of them does, but to get down to 5 cents a cert they would need to issue 100 million each, minimum. Yes, they make money on them - that's what businesses do. They charge what people are willing to pay for. Larger purchasers also tend to get volume discounts, like most other products.

Every cert gets validated. How much validation they do increases the trustworthiness of the cert as well as increases the cost - that's part of why Verisign costs so much more than say GoDaddy that may only check public records for website registration info. A lot of this is done behind the scenes so you probably don't even know it happens.

As the sales process gets more convenient to customers that complain about the "difficulty" of installing a cert and the overall cost of the cert, the processes are streamlined to make them more cost effective. It's like outsourcing your helpdesk - it's cheaper for them so you pay less now, but the industry becomes worse for the wear down the line. It is not a perfect system for verification, but there are controls that are required to be in a trusted root program - hence the 'trust' aspect of it.

The concept of the cert is dead on - unfortunately people have gotten so used to their computers having issues that they just curse for a second, shrug, and then continue anyways. That's what this article is about - pointing out that the user education and notification needs to be improved. The certs work great - we need to try to push back against some of the 'quick issuance' providers like GoDaddy to get better validation back in place. That is part of what the EV (extended validation) certs do - they require a stronger set of verification of the customer prior to issuance, then you get the green bar in your browser. EV certs should be pushed harder for all site usage.

Anonymous

9

If websites stop having technical problems...

>> Maybe if websites stop having technical problems then the general public will take the warnings more seriously.

Um, yeah. And if people stop having health issues then the general public will take illness more seriously.

I get what you're trying to say, but unfortunately a lot of admins either don't know or don't care about securing their sites properly. They put a cert on and it must magically be all better. Or they get frustrated because they don't understand a technicality and move on.

The 'technical issues' aren't like a failure of the system most of the time, in these cases, but rather a result of incompetency and lack of testing.

Anonymous

10

certs are a joke

Hackers claiming to be Microsoft were verified by Verisign:

http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx

Most people trust certs regardless if the URL is correct. Ex:

mlcrosoft.com does not look like microsoft.com but if the cert says it is Microsoft it has to be.
