The world is full of foolish users who click on things without knowing better, but it is also filled with badly-designed products that don’t do a good enough job of warning them about the dangers they’re facing. How do we fix it?
Studies over the years have told us what we instinctively knew: users tend to ignore security warnings. A 2013 UC Berkeley study (Akhawe and Felt's "Alice in Warningland") found that Google Chrome's SSL/TLS certificate warnings had a click-through rate of 70.2%, meaning seven out of ten users pushed past them.
That’s a problem for a hyperscale Web company trying to keep its playground secure, so Google worked with researchers at the University of Pennsylvania to design a new warning. They used techniques such as ‘opinionated design’ – presenting the ‘safe’ option more prominently than the ‘unsafe’ one – and saw some results.
Nearly 30% more users heeded the redesigned certificate warnings, but the team still “ultimately failed at our goal of a well-understood warning,” it wrote. That’s a little worrying, as the fruits of that research subsequently became the SSL warning that ships in Google Chrome.
A broken system
Perhaps SSL certificate warnings simply aren’t meant to be understood because the whole mechanism is broken?
“To me, messing around with the design of those is a totally dysfunctional mechanism,” complained Angela Sasse, professor of human-centred security at University College London and director of the UK Research Institute in Science of Cybersecurity.
She frets about the large number of false positives among SSL certificate warnings. These are often down to poor housekeeping by web site admins. A self-signed certificate will trigger an alert, as will a certificate that does not list the hostname the user actually typed; Google has had to start systematically warning admins to put every domain name a certificate covers into the certificate itself (in its Subject Alternative Name field) to avoid errors. Even a missed Windows update can cause problems, since that is how Windows receives changes to its trusted root certificates.
Public Wi-Fi triggers them too: a captive portal answers HTTPS requests with its own certificate until the user has signed in. In-flight Wi-Fi provider Gogo was even reported to be serving its own certificates for Google sites, apparently to throttle video streaming and stop people chewing up its bandwidth. Strictly, the browser was right in that case, because the connection really was being intercepted, but to the passenger it looked like one more spurious warning.
Is it any wonder that most people just click on through, where possible?
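To make the three everyday causes above concrete, here is a small classifier written for this piece (it is an added example, not code from the article, from Google or from any browser). It takes certificates in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, so the sample certificates are constructed inline and nothing touches the network. The hostname check follows RFC 6125: the Subject Alternative Name is authoritative when present, the Common Name is only consulted when there is no SAN at all, and a wildcard may replace just the whole left-most label.

```python
"""Classify why a browser would show a certificate warning.

Added example for this article; not the code of any browser.
Sample certificates are constructed in ssl.getpeercert() form.
"""
import ipaddress
import ssl
import time


def _dns_name_matches(pattern, hostname):
    """RFC 6125 matching: case-insensitive; '*' may only replace the whole
    left-most label, so '*.example.com' covers 'www.example.com' but not
    'example.com', 'a.b.example.com' or 'www.example.co'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Browsers also refuse wildcards with fewer than three labels ('*.com').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Return (matched, how). When a subjectAltName is present the commonName
    is ignored entirely, which is why 'forgot to add the hostname to the SAN'
    produces a warning even though the CN looks right."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if dns_names or ip_names:
        try:
            ip = ipaddress.ip_address(hostname)
        except ValueError:
            ip = None
        if ip is not None:
            ok = any(ipaddress.ip_address(n) == ip for n in ip_names)
            return ok, "subjectAltName iPAddress"
        ok = any(_dns_name_matches(n, hostname) for n in dns_names)
        return ok, "subjectAltName dNSName"
    # Legacy fallback: no SAN at all, so match the CN. Chrome stopped accepting
    # this in Chrome 58 (2017); it is kept here to show what that change broke.
    cns = [value for rdn in cert.get("subject", ())
           for kind, value in rdn if kind == "commonName"]
    ok = any(_dns_name_matches(cn, hostname) for cn in cns)
    return ok, "commonName only (no SAN)"


def classify_warning(cert, hostname, now=None):
    """Return the reasons a browser would warn about `cert` for `hostname`.
    An empty list means the certificate itself is fine; chain trust is not
    checked here."""
    now = time.time() if now is None else now
    reasons = []
    if cert.get("issuer") == cert.get("subject"):
        reasons.append("self-signed (issuer equals subject)")
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        reasons.append("expired on " + cert["notAfter"])
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        reasons.append("not yet valid")
    matched, how = hostname_matches(cert, hostname)
    if not matched:
        reasons.append(f"hostname {hostname!r} does not match ({how})")
    return reasons


# Constructed sample certificates (not real certificates).
CA_ISSUER = ((("organizationName", "Example CA"),),)
REFERENCE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")

GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": CA_ISSUER,
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
# Admin renewed the certificate but left the bare domain out of the SAN.
SAN_MISSING_CERT = dict(GOOD_CERT, subject=((("commonName", "example.com"),),),
                        subjectAltName=(("DNS", "www.example.com"),))
# Typical intranet box: self-signed, and nobody renewed it.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "intranet.example.test"),),),
    "issuer": ((("commonName", "intranet.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}

if __name__ == "__main__":
    for name, cert, host in [("good", GOOD_CERT, "shop.example.com"),
                             ("san-missing", SAN_MISSING_CERT, "example.com"),
                             ("self-signed", SELF_SIGNED_CERT, "intranet.example.test")]:
        print(name, classify_warning(cert, host, now=REFERENCE_NOW) or ["no warning"])
```

Run against the samples, the renewed-but-incomplete certificate is flagged purely for the missing SAN entry even though its Common Name is exactly the hostname the user typed, and the intranet certificate collects two reasons at once. Neither is an attack, which is Sasse's point: from the user's chair they are indistinguishable from the warning that matters.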
Poisoning the well
“To argue that people should pay attention to this is completely problematic,” Sasse said. The problem is that false positives are damaging, she warned. They numb even those people who understand them, let alone those people who already have no clue what the warnings mean in the first place.
“There are these downstream consequences that we’ve basically poisoned the well. It’s very rational to stop paying attention to warnings in these circumstances,” she argued.
The problem is compounded by false negatives: certificates that validate cleanly but should never have existed. Bad actors get through the net by stealing certificates or fraudulently obtaining ones they are not entitled to. Last year, Microsoft admitted that a certificate for its live.fi Windows Live domain had been improperly issued. In October 2015, Google warned Symantec to stop issuing bogus certificates by mistake or Chrome would start treating Symantec-issued certificates differently; it went on to require that every certificate Symantec issued from June 2016 be logged in Certificate Transparency.
Companies can opt for certificates that take more effort to get. A domain-validated (DV) certificate is relatively easy to obtain because it proves only that the applicant controls the domain name, usually through an automated check, and says nothing about the organization behind it. Organization Validation (OV) and Extended Validation (EV) certificates require the certificate authority to verify the legal entity, which is harder and costlier, and businesses should ideally be using them.
The question is, after a torrent of both false negatives and positives, and with warnings that still aren’t clearly understood, will it matter to the average user?