Robert Biddle
P. C. van Oorschot
Andrew S. Patrick
ABSTRACT
There has been a loss of confidence in the security provided by SSL certificates and browser interfaces in the face of various attacks. As one response, basic SSL server certificates are being demoted to second-class status in conjunction with the introduction of Extended Validation (EV) SSL certificates. Unfortunately, EV SSL certificates may complicate the already difficult design challenge of effectively conveying certificate information to the average user. This study explores the interfaces related to SSL certificates in the most widely deployed browser (Internet Explorer 7), proposes an alternative set of interface dialogs, and compares their effectiveness through a user study involving 40 participants. The alternative interface was found to offer statistically significant improvements in confidence, ease of finding information, and ease of understanding. Such results from a modest re-design effort suggest considerable room for improvement in the user interfaces of browsers today. This work motivates further study of whether EV SSL certificates offer a robust foundation for improving Internet trust, or a further compromise to usable security for ordinary users.
- CA/Browser Forum. http://www.cabforum.org/Google Scholar
- R. Dhamija and J. Tygar. The Battle Against Phishing: Dynamic Security Skins. In Proc. of the Symp. on Usable Privacy and Security, (2005). Google ScholarDigital Library
- R. Dhamija, J. Tygar, and M. Hearst. Why Phishing Works. In CHI Conf. on Human Factors in Computing Systems, April 22-27 (2006). Google ScholarDigital Library
- J. S. Downs, M. Holbrook, and L.F. Cranor. Decision strategies and susceptibility to phishing. In Proc. of the Symp. on Usable Privacy and Security, (2006). Google ScholarDigital Library
- P. Hallam-Baker. Does Anyone Fall for Phishing Scams Anymore? IT Security Journal.com, (2008). http://www.itsecurityjournal.com/index.php/Latest/Does-Anyone-Fall-for-Phishing-Scams-Anymore.htmlGoogle Scholar
- C. Jackson, D.R. Simon, D.S. Tan, and A. Barth. An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks. In Proc. of Usable Security, (2007). Google ScholarDigital Library
- P. Kumaraguru, Y. Rhee, A. Acquisti, L.F. Cranor, J. Hong, and E. Nunge. Protecting People From Phishing: The Design and Evaluation of an Embedded Training Email System. In CHI Conf. on Human Factors in Computing Systems, (2007). Google ScholarDigital Library
- M. Marlinspike. Null Prefix Attacks Against SSL/TLS Certificates. http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. 29 July (2009).Google Scholar
- R. McGill, R.W. Tukey, and W.A. Larsen. Variations of box plots. The American Statistician, 32(1):12--16, Feb. (1978).Google Scholar
- Microsoft Security Bulletin MS01-017 (Mar.22 2001; updated Mar.28 2001). Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard, http://www.microsoft.com/technet/security/bulletin/ms01-017.mspxGoogle Scholar
- D. Molnar, M. Stevens, A. Lenstra, B. de Weger, A. Sotirov, J. Appelbaum, and D.A. Osvik. MD5 Considered Harmful Today: Creating a Rogue CA Certificate. 25th Chaos Communication Congress, Berlin, Germany, December 30 (2008).Google Scholar
- Net Applications. Global Market Share Statistics, March 2009, http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2 (retrieved April 11, 2009)Google Scholar
- E. Nigg. Untrusted Certificates. Personal blog, December 23, 2008, https://blog.startcom.org/?p=145Google Scholar
- E. Rescorla. SSL and TLS: Designing and Building Secure Systems, Addison-Wesley (2001). Google ScholarDigital Library
- S.E. Schechter, R. Dhamija, A. Ozment, and I. Fischer. The Emperor's New Security Indicators. In Proc. 2007 IEEE Symp. on Security and Privacy, May (2007). Google ScholarDigital Library
- S.W. Smith. Humans in the Loop: Human-Computer Interaction and Security. IEEE Security and Privacy, 1(3):75--79, May/June (2003). Google ScholarDigital Library
- J. Sobey, R. Biddle, P.C. van Oorschot, and A.S. Patrick. Exploring User Reactions to New Browser Cues for Extended Validation Certificates. Proc. of European Symposium on Research in Computer Security (ESORICS), 2008. Google ScholarDigital Library
- J. Sobey, P.C. van Oorschot, A.S. Patrick. Browser Interfaces and EV-SSL Certificates: Confusion, Inconsistencies and HCI Challenges. Technical Report TR-09-02 (January 15, 2009), School of Computer Science, Carleton University, Canada.Google Scholar
- J. Sobey, T. Whalen,, R. Biddle, P.C. van Oorschot, and A.S. Patrick. Browser Interfaces and Extended Validation SSL Certificates: An Empirical Study. Carleton University, School of Computer Science, Technical Report TR-09-06 (July 2009).Google Scholar
- J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L.F. Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In Proc. of the 18th Usenix Security Symposium, August (2009). Google ScholarDigital Library
- T. Whalen and K. Inkpen. Gathering Evidence: Use of Visual Security Cues in Web Browsing. In Proc. of Graphics Interface 2005, pp. 137--145, May (2005). Google ScholarDigital Library
- A. Whitten and J.D. Tygar. Why Johnny Can't Encrypt: A Usability Case Study of PGP 5.0. In Proc. of the 8th USENIX Security Symposium, August (1999). Google ScholarDigital Library
- Z. Ye, S. Smith, and D. Anthony. Trusted Paths for Browsers. ACM Trans. on Information and System Security, pp. 153--186, May (2005). Google ScholarDigital Library
- M. Zusman and A. Sotirov. Sub-Prime PKI: Attacking Extended Validation SSL. Black Hat Security Briefings, Las Vegas, USA, July (2009).Google Scholar
Index Terms
- Browser interfaces and extended validation SSL certificates: an empirical study
Recommendations
Analysis of SSL certificate reissues and revocations in the wake of heartbleed
IMC '14: Proceedings of the 2014 Conference on Internet Measurement ConferenceCentral to the secure operation of a public key infrastructure (PKI) is the ability to revoke certificates. While much of users' security rests on this process taking place quickly, in practice, revocation typically requires a human to decide to reissue ...
Measuring and Applying Invalid SSL Certificates: The Silent Majority
IMC '16: Proceedings of the 2016 Internet Measurement ConferenceSSL and TLS are used to secure the most commonly used Internet protocols. As a result, the ecosystem of SSL certificates has been thoroughly studied, leading to a broad understanding of the strengths and weaknesses of the certificates accepted by most ...
Exploring User Reactions to New Browser Cues for Extended Validation Certificates
ESORICS '08: Proceedings of the 13th European Symposium on Research in Computer Security: Computer SecurityWith the introduction of Extended Validation SSL certificates in Internet Explorer 7.0, web browsers are introducing new indicators to convey status information about different types of certificates. We carried out a user study which compared a proposed ...
Comments