Study says SSL-certficate warnings are as good as useless

Researchers at Carnegie Mellon University have discovered that warnings of invalid SSL certificates on web servers hardly deter users from visiting web sites. They observed that more than 55 per cent of the study subjects simply ignored the warnings and carried on clicking. This certainly isn't a new discovery, but it’s the first time the scale of the problem has been measured.

They say most users fundamentally misunderstand SSL certificates, thinking they could ignore warning messages when visiting web sites they trusted, but should be more careful with untrusted sites. An attempted man-in-the-middle attack would therefore arouse less suspicion on a banking page than on an unknown shopping page. According to the researchers, many people don't realize that a certificate is only meant to guarantee they've arrived on the correct page. An SSL certificate does not say whether the site operator is trustworthy.

The problem is apparently that users can't correctly interpret error messages from their browser when there are problems with the certificate, if perhaps it has expired or the requested domain doesn't match the server name on the certificate. A further problem is said to be that such problems keep on occurring because of technical errors, so users get used to clicking the blues away.

But the study isn't really representative. Only the behaviour of 100 subjects with various web browsers was investigated. The findings apparently show that users of the Firefox browser were the least likely to ignore warnings, because it uses simpler language and better dialogues. The researchers then experimented with their own warnings, and they intend to present their results at the coming USENIX Security Symposium.

(djwm)