Alice in warningland: A large-scale field study of browser security warning effectiveness

Proceedings of the 22nd USENIX Security Symposium

Volumn , Issue , 2013, Pages 257-272

  Akhawe, Devdatta ^a   Felt, Adrienne Porter ^b  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b GOOGLE INC   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

MALWARE; WEB BROWSERS;

BROWSER SECURITY; FIELD STUDIES; MOZILLA FIREFOX; SECURITY EXPERTS; SECURITY WARNING; SYSTEM ARCHITECTS; USER BEHAVIORS; USER EXPERIENCE;

BEHAVIORAL RESEARCH;

EID: 85002862540     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (35)

1. AKHAWE, D., AMANN, B., VALLENTIN, M., and SOMMER, R. Here's My Cert, So Trust Me, Maybe? Understanding TLS Errors on the Web. In Proceedings of the 2013 World Wide Web Conference (2013).
2. BEN ABDESSLEM, F., PARRIS, I., and HENDERSON, T. Mobile Experience Sampling: Reaching the Parts of Facebook Other Methods Cannot Reach. In Privacy and Usability Methods Powwow (2010).
3. BIDDLE, R., VAN OORSCHOT, P. C., PATRICK, A. S., SOBEY, J., AND WHALEN, T. Browser interfaces and extended validation SSL certificates: an empirical study. In Proceedings of the ACM Workshop on Cloud Computing Security (2009).
4. BÖHME, R., AND GROSSKLAGS, J. The Security Cost of Cheap User Interaction. In Proceedings of the New Security Paradigms Workshop (NSPW) (2011).
5. BRAVO-LILLO, C., CRANOR, L. F., and DOWNS., J. S., and KO-MANDURI, S. Bridging the Gap in Computer Security Warnings: A Mental Model Approach. In IEEE Security and Privacy (March 2011), Vol. 9.
6. CHRISTENSEN, T., BARRETT, L., BLISS-MOREAU, E., LEBO, K., and KASCHUB, C. A Practical Guide to Experience-Sampling Procedures. In Journal of Happiness Studies (2003), Vol. 4.
7. Google Chrome Privacy Notice. http://www.google.com/chrome/intl/en/privacy.html.
8. CHROMIUM AUTHORS. HSTS Preload and Certificate Pinning List. https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.json.
9. CONSOLVO, S., and WALKER, M. Using the Experience Sampling Method to Evaluate Ubicomp Applications. In Pervasive Computing (2003).
10. Convergence. http://www.convergence.io.
11. DHAMIJA, R., and TYGAR., J. D., and HEARST, M. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2006).
12. DUTTA, R., JARVENPAA, S., and TOMAK, K. Impact of Feedback and Usability of Online Payment Processes on Consumer Decision Making. In Proceedings of the International Conference on Information Systems (2003).
13. EGELMAN, S., and CRANOR., L. F., and HONG, J. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In Proceedings of the ACM CHI Conference on Human Factors in Computing Systems (2008).
14. FELT, A. P., EGELMAN, S., FINIFTER, M., AKHAWE, D., and WAGNER, D. How to ask for permission. In Proceedings of the USENIX Conference on Hot Topics in Security (HotSec) (2012).
15. FRIEDMAN, B., HURLEY, D., HOWE, D. C., FELTEN, E., and NISSENBAUM, H. Users' Conceptions of Web Security: A Comparative Study. In CHI Extended Abstracts on Human Factors in Computing Systems (2002).
16. HABER, J. Smartscreen application reputation in ie9, May 2011. http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9. aspx.
17. HERLEY, C. The plight of the targeted attacker in a world of scale. In Proceedings of the Workshop on the Economics of Information Security (WEIS) (2010).
18. HOLZ, R., BRAUN, L., KAMMENHUBER, N., and CARLE, G. The ssl landscape: a thorough analysis of the x.509 pki using active and passive measurements. In Proceedings of the ACM SIGCOMM Internet Measurement Conference (IMC) (2011).
19. JACKSON, C., and SIMON., D. R., TAN, D. S., and BARTH, A. An evaluation of extended validation and picture-in-picture phishing attacks. In Proceedings of the Workshop on Usable Security (USEC) (2007).
20. LANGLEY, A. SSL Interstitial Bypass Rates, February 2012. http://www.imperialviolet.org/2012/07/20/sslbypassrates.html.
21. MCGRAW, G., FELTEN, E., and MACMICHAEL, R. Securing Java: getting down to business with mobile code. Wiley Computer Pub., 1999.
22. MOZILLA BUGZILLA. Bug 767676: Implement Security UI Telemetry. https://bugzil.la/767676.
23. Mozilla firefox privacy policy. http://www.mozilla.org/en-US/legal/privacy/firefox.html#telemetry.
24. NETCRAFT. Phishing on sites using ssl certificates, August 2012. http://news.netcraft.com/archives/2012/08/22/phishing-on-sites-using-ssl-certificates.html.
25. PATERIYA, P. K., and KUMAR, S. S. Analysis of Man in the Middle Attack on SSL. International Journal of Computer Applications 45, 23 (2012).
26. PROVOS, N. Safe Browsing - Protecting Web Users for 5 Years and Counting. Google Online Security Blog. http://googleonlinesecurity.blogspot.com/2012/06/safe-browsing-protecting-web-users-for.html, June 2012.
27. SCHECHTER, S. E., DHAMIJA, R., OZMENT, A., and FISCHER, I. The Emperor's New Security Indicators. In Proceedings of the IEEE Symposium on Security and Privacy (2007).
28. SCOLLON, C. N., KIM-PRIETO, C., and DIENER, E. Experience Sampling: Promises and Pitfalls, Strengths and Weaknesses. In Journal of Happiness Studies (2003), Vol. 4.
29. SOBEY, J., BIDDLE, R., VAN OORSCHOT, P., and PATRICK, A. S. Exploring user reactions to new browser cues for extended validation certificates. In Proceedings of the European Symposium on Research in Computer Security (2008).
30. SOTIRAKOPOULOS, A., HAWKEY, K., and BEZNOSOV, K. On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings. In Proceedings of the Symposium on Usable Privacy and Security (2011).
31. SUNSHINE, J., EGELMAN, S., ALMUHIMEDI, H., ATRI, N., and CRANOR, L. F. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In Proceedings of the USENIX Security Symposium (2009).
32. TILSON, R., DONG, J., MARTIN, S., and KIEKE, E. Factors and Principles Affecting the Usability of Four E-commerce Sites. In Our Global Community Conference Proceedings (1998).
33. WENDLANDT, D., and ANDERSEN., D. G., and PERRIG, A. Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. In USENIX Annual Technical Conference (2008).
34. WHALEN, T., and INKPEN, K. M. Gathering evidence: Use of visual security cues in web browsers. In Proceedings of the Graphics Interface Conference (2005).
35. WU, M., and MILLER., R. C., and GARFINKEL, S. L. Do Security Toolbars Actually Prevent Phishing Attacks? In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2006).