News
Business
Highlights
Partners
About
Contact
Recruitment

Industry News


















Web Users Ignoring Security Certificate Warnings --- (2009-07-31)

Digital certificate warnings in Web browsers are not an effective security measure, according to Carnegie Mellon researchers.

The researchers, who plan to present their findings on August 14 at the Usenix Security Symposium in Montreal, found over the course of two experiments that certificate warnings were ineffectual. The warnings appear when a browser detects a problem with a Web site's certificate and arrive as a pop-up with a message such as: "There is a problem with this Web site's security certificate."

In an online study conducted among 409 participants, the researchers found that the majority of respondents would ignore warnings about an expired Secure Sockets Layer (SSL) certificate. The more tech-savvy the user, the more likely they would be to ignore it, the study found.

SSL certificates are designed to provide the user with a degree of confidence about the authenticity of a Web site they are visiting. As a technical security mechanism, the certificate allows the browser to validate the authentication chain for the Web site server. While SSL certificates often expire for benign reasons, an expired certificate can also indicate that the user could be the victim of a man-in-the-middle attack.

The Carnegie Mellon researchers found that a high percentage of users were willing to ignore warnings about certificates that were out of date. For example, of the 50 percent of Firefox 2 users polled who could identify the term "expired security certificate," 71 percent said they would ignore the warning.

"Far too many participants exhibited dangerous behavior in all warning conditions," wrote the researchers in their paper, titled "Crying Wolf: An Empirical Study of SSL Warning Effectiveness."

Respondents were able to identify other risks indicated by browser certificate notifications. Of the 59 percent of Firefox 2 users who understood the significance of a "domain mismatch" warning, 19 percent said they would ignore the hazard. A domain mismatch, where the URL displayed does not match the URL of the destination site, indicates the user may be the victim of a phishing attack.

(View the full articel in: cnet news)


© 2011-2019 ITOPIA Limited. All Rights Reserved.