
SANS ISC: InfoSec Handlers Diary Blog - Improving SSL Warnings



Improving SSL Warnings

Published: 2015-02-01
Last Updated: 2015-02-01 16:44:19 UTC
by Rick Wanner (Version: 1)
2 comment(s)

One of the things that has concerned me for the last few years is how we are slowly creating a click-thru culture. Microsoft started it with the UAC warnings, and browsers exacerbated it with SSL certificate warnings. You know the ones...

I honestly believe the intent is correct, but the implementation is faulty. The messages are not in tune with the average Internet user's knowledge level. In other words, the warnings are incomprehensible to my sister, my parents and my grandparents, the average Internet users of today. Given a choice between going to their favorite website or trusting an incomprehensible warning message... well, you know what happens next.

A team at Google has been looking at these issues and is driving browser changes in Chrome based on their research. As they point out, the vast majority of these errors are attributable to webmaster mistakes, with only a very small fraction being actual attacks.

The paper is "Improving SSL Warnings: Comprehension and Adherence", and there is an accompanying presentation.


-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: Chrome Google SSL