“The big takeaway is that computer security warnings are not an effective way of addressing computer security,” study researcher and co-author Lorrie Faith Cranor, an associate professor of computer science, engineering and public policy at Carnegie Mellon University, told SCMagazineUS.com. “People don't read warnings and don't understand them when they do read them.”

The study, conducted by Carnegie Mellon University researchers during 2008, tested 400 internet users' behaviors when SSL warnings were displayed in Firefox 2, Firefox 3 and Internet Explorer 7. Researchers wrote a paper based on the study called “Crying Wolf: An Empirical Study of SSL Warning Effectiveness”, and will present their findings at the USENIX Security Symposium in Montreal.

The study found that the different web browsers took different approaches to presenting warnings, and that Firefox 3.0 made it more difficult for users to override a warning and proceed to the page, Cranor said. But still, the warnings in all three browsers were largely ineffective, and no one browser communicated the risks any better than another.

By not paying attention to SSL warnings, or by being unable to understand them, a user is more susceptible to falling for phishing attacks, Cranor said. The worst-case scenario is when an attacker has launched an MITM attack and the user connects to a bogus site. If a user gets a warning about an invalid certificate, ignores it, then tries to buy something on the site, the user could be handing their credit card information over to attackers.

Researchers also surveyed experts – those with an IT-related degree, computer security work experience or programming knowledge – to see if they would behave any differently when receiving a warning. They found that even experts often ignored the warnings, indicating that the system of relying on warnings to communicate computer security risks is “fundamentally broken,” Cranor said.

Researchers then re-worded the warnings, trying to convey the risk of proceeding to the web page without using “technical jargon”, Cranor said. When presented with the new warnings, more users paid attention, but many still did not.

“Our results suggest that, while warnings can be improved, a better approach may be to minimize the use of SSL warnings altogether by blocking users from making unsafe connections and eliminating warnings in benign situations,” the paper states.

See original article on scmagazineus.com