Crying Wolf: An empirical study of SSL warning effectiveness

Proceedings of the 18th USENIX Security Symposium

Volumn , Issue , 2009, Pages 399-416

  Sunshine, Joshua ^a   Egelman, Serge ^a   Almuhimedi, Hazim ^a   Atri, Neha ^a   Cranor, Lorrie Faith ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

NETWORK SECURITY; SURVEYS; WEBSITES;

EMPIRICAL STUDIES; INTERNET USERS; LABORATORY STUDIES; MAN IN THE MIDDLE ATTACKS; SSL WARNINGS; WARNING CONDITIONS; WEB USERS;

WEB BROWSERS;

EID: 84926351578     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (24)

1. J. C. Brustoloni and R. Villamarín-Salomón. Improving security decisions with polymorphic and audited dialogs. In Proceedings of the 3rd symposium on Usable privacy and security, pages 76–85, New York, NY, USA, 2007. ACM Press.
2. Certification Authority/Browser Forum. Extended validation SSL certificates, Accessed: July 27, 2007. http://cabforum.org/.
3. L. F. Cranor. A framework for reasoning about the human in the loop. In Proceedings of the 1st Conference on Usability, Psychology, and Security, pages 1–15, Berkeley, CA, USA, 2008. USENIX Association.
4. R. Dhamija, J. D. Tygar, and M. Hearst. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 581–590, New York, NY, USA, 2006. ACM.
5. I. E-Soft. SSL server survey, February 1, 2007. http://www.securityspace.com/s survey/sdata/200701/ certca.html.
6. S. Egelman, L. F. Cranor, and J. Hong. You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In Proceeding of the SIGCHI Conference on Human Factors in Computing Systems, pages 1065–1074, New York, NY, USA, 2008. ACM.
7. B. Fogg, J. Marshall, O. Laraki, A. Osipovich, C. Varma, N. Fang, J. Paul, A. Rangekar, J. Shon, P. Swani, and M. Treinen. What makes web sites credible? a report on a large quantitative study. In Proceedings of the SIGCHI Conference on in Computing Systems, Seattle, WA, March 31 - April 4, 2001. ACM.
8. B. Friedman, D. Hurley, D. C. Howe, E. Felten, and H. Nissenbaum. Users’ conceptions of web security: a comparative study. In Extended Abstracts on Human Factors in Computing Systems, pages 746–747, New York, NY, USA, 2002. ACM.
9. C. Jackson and A. Barth. Beware of finer-grained origins. In Proceedings of the Web 2.0 Security and Privacy Workshop, 2008.
10. C. Jackson and A. Barth. ForceHTTPS: protecting high-security web sites from network attacks. In Proceeding of the 17th International World Wide Web Conference, pages 525–534, New York, NY, USA, 2008. ACM.
11. C. Jackson, D. R. Simon, D. S. Tan, and A. Barth. An evaluation of extended validation and picture-in-picture phishing attacks. In Proceeding of the 1st International Workshop on Usable Security, pages 281–293, Berlin / Heidelberg, Germany, February 2007. Springer.
12. S. Milgram. Obedience to Authority: An Experimental View. Harpercollins, 1974.
13. J. Nightingale. SSL information wants to be free, January 2009. http://blog.johnath.com/2009/01/21/ ssl- information- wants- to- be- free/.
14. A. Patrick. Commentary on research on new security indicators. Self-published Online Essay, Accessed: January 15, 2009. http://www.andrewpatrick.ca/essays/commentary-on-research-on-new-security-indicators/.
15. R. Rasmussen and G. Aaron. Global phishing survey: Domain name use and trends 1h2008. Anti-Phishing Working Group Advisory, November 2008. http://www.antiphishing.org/reports/APWGGlobalPhishingSurvey1H2008.pdf.
16. B. Ross. Firefox and the worry free web. In L. F. Cranor and S. Garfinkel, editors, Security and Usability: Designing Secure Systems that People Can Use, pages 577–588. O’Reilly Media, Inc., Sebastopol, CA, USA, August 2005.
17. S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer. The emperor’s new security indicators. In Proceedings of the 2007 IEEE Symposium on Security and Privacy, pages 51–65, Washington, DC, USA, 2007. IEEE Computer Society.
18. J. Sobey, R. Biddle, P. C. van Oorschot, and A. S. Patrick. Exploring user reactions to new browser cues for extended validation certificates. In Proceedings of the 13th European Symposium on Research in Computer Security, pages 411–427, 2008.
19. D. W. Stewart and I. M. Martin. Intended and unintended consequences of warning messages: A review and synthesis of empirical research. Journal of Public Policy & Marketing, 13(1):1–1, 1994.
20. D. Wendlandt, D. G. Andersen, and A. Perrig. Perspectives: Improving SSH-style host authentication with multi-path probing. In Proceedings of the 2008 USENIX Annual Technical Conference, Berkeley, CA, USA, June 2008. USENIX Association.
21. T. Whalen and K. M. Inkpen. Gathering Evidence: Use of Visual Security Cues in Web Browsers. In Proceedings of the 2005 Conference on Graphics Interface, pages 137–144, Victoria, British Columbia, 2005.
22. M. Wogalter. Purpose and scope of warnings. In M. Wogalter, editor, Handbook of Warnings, pages 3–9. Lawrence Erlbaum Associates, Mahway, NJ, USA, 2006.
23. M. Wu, R. C. Miller, and S. L. Garfinkel. Do security tool-bars actually prevent phishing attacks? In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 601–610, New York, NY, USA, 2006. ACM.
24. H. Xia and J. C. Brustoloni. Hardening web browsers against man-in-the-middle and eavesdropping attacks. In Proceedings of the 14th International World Wide Web Conference, pages 489–498, New York, NY, USA, 2005. ACM.