Browser interfaces and extended validation SSL certificates: An empirical study

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2009, Pages 19-30

  Biddle, Robert ^a   Van Oorschot, P C ^a   Patrick, Andrew S ^a   Sobey, Jennifer ^a   Whalen, Tara ^a  

^a CARLETON UNIVERSITY   (Canada)

Author keywords

Browser user interfaces; Extended validation; SSL certificates; Usability and security; User study; Web site identity

Indexed keywords

BROWSER INTERFACES; DESIGN CHALLENGES; DESIGN EFFORT; EMPIRICAL STUDIES; INTERNET EXPLORERS; INTERNET TRUST; USABILITY AND SECURITY; USABLE SECURITY; USER STUDY; VARIOUS ATTACKS;

EXPOSURE CONTROLS; INTERNET; NETWORK SECURITY; USER INTERFACES; WEBSITES;

WEB BROWSERS;

EID: 74049152241     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1655008.1655012     Document Type: Conference Paper

References (24)

1. CA/Browser Forum. http://www.cabforum.org/
2. R. Dhamija and J. Tygar. The Battle Against Phishing: Dynamic Security Skins. In Proc. of the Symp. on Usable Privacy and Security, (2005).
3. R. Dhamija, J. Tygar, and M. Hearst. Why Phishing Works. In CHI Conf. on Human Factors in Computing Systems, April 22-27 (2006).
4. J. S. Downs, M. Holbrook, and L.F. Cranor. Decision strategies and susceptibility to phishing. In Proc. of the Symp. on Usable Privacy and Security, (2006).
5. P. Hallam-Baker. Does Anyone Fall for Phishing Scams Anymore? IT Security Journal.com, (2008). http://www.itsecurityjournal.com/index.php/ Latest/ Does-Anyone-Fall-for-Phishing-Scams-Anymore.html
6. C. Jackson, D.R. Simon, D.S. Tan, and A. Barth. An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks. In Proc. of Usable Security, (2007).
7. P. Kumaraguru, Y. Rhee, A. Acquisti, L.F. Cranor, J. Hong, and E. Nunge. Protecting People From Phishing: The Design and Evaluation of an Embedded Training Email System. In CHI Conf. on Human Factors in Computing Systems, (2007).
8. M. Marlinspike. Null Prefix Attacks Against SSL/TLS Certificates. http://www.thoughtcrime.org/papers/ null-prefix-attacks.pdf. 29 July (2009).
9. R. McGill, R.W. Tukey, and W.A. Larsen. Variations of box plots. The American Statistician, 32(1):12-16, Feb. (1978).
10. Microsoft Security Bulletin MS01-017 (Mar.22 2001; updated Mar.28 2001). Erroneous VeriSign-Issued Digital Certificates Pose Spoo ng Hazard, http://www.microsoft.com/technet/security/bulletin/ ms01-017.mspx
11. D. Molnar, M. Stevens, A. Lenstra, B. de Weger, A. Sotirov, J. Appelbaum, and D.A. Osvik. MD5 Considered Harmful Today: Creating a Rogue CA Certificate. 25th Chaos Communication Congress, Berlin, Germany, December 30 (2008).
12. Net Applications. Global Market Share Statistics, March 2009, http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2 (retrieved April 11, 2009)
13. E. Nigg. Untrusted Certificates. Personal blog, December 23, 2008, https://blog.startcom.org/?p=145
14. E. Rescorla. SSL and TLS: Designing and Building Secure Systems, Addison-Wesley (2001).
15. S.E. Schechter, R. Dhamija, A. Ozment, and I. Fischer. The Emperor's New Security Indicators. In Proc. 2007 IEEE Symp. on Security and Privacy, May (2007).
16. S.W. Smith. Humans in the Loop: Human-Computer Interaction and Security. IEEE Security and Privacy, 1(3):75-79, May/June (2003).
17. J. Sobey, R. Biddle, P.C. van Oorschot, and A.S. Patrick. Exploring User Reactions to New Browser Cues for Extended Validation Certificates. Proc. of European Symposium on Research in Computer Security (ESORICS), 2008.
18. J. Sobey, P.C. van Oorschot, A.S. Patrick. Browser Interfaces and EV-SSL Certificates: Confusion, Inconsistencies and HCI Challenges. Technical Report TR-09-02 (January 15, 2009), School of Computer Science, Carleton University, Canada.
19. J. Sobey, T. Whalen,, R. Biddle, P.C. van Oorschot, and A.S. Patrick. Browser Interfaces and Extended Validation SSL Certificates: An Empirical Study. Carleton University, School of Computer Science, Technical Report TR-09-06 (July 2009).
20. J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L.F. Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In Proc. of the 18th Usenix Security Symposium, August (2009).
21. T. Whalen and K. Inkpen. Gathering Evidence: Use of Visual Security Cues in Web Browsing. In Proc. of Graphics Interface 2005, pp. 137-145, May (2005).
22. A. Whitten and J.D. Tygar. Why Johnny Can't Encrypt: A Usability Case Study of PGP 5.0. In Proc. of the 8th USENIX Security Symposium, August (1999).
23. Z. Ye, S. Smith, and D. Anthony. Trusted Paths for Browsers. ACM Trans. on Information and System Security, pp. 153-186, May (2005).
24. M. Zusman and A. Sotirov. Sub-Prime PKI: Attacking Extended Validation SSL. Black Hat Security Briefings, Las Vegas, USA, July (2009).