Web users ignoring security certificate warnings

Digital certificate warnings in Web browsers are not an effective security measure, according to Carnegie Mellon researchers.

The researchers, who plan to present their findings on August 14 at the Usenix Security Symposium in Montreal, found over the course of two experiments that certificate warnings were ineffectual. The warnings appear when a browser detects a problem with a Web site's certificate and arrive as a pop-up with a message such as: "There is a problem with this Web site's security certificate."

In an online study conducted among 409 participants, the researchers found that the majority of respondents would ignore warnings about an expired Secure Sockets Layer (SSL) certificate. The more tech-savvy the user, the more likely they would be to ignore it, the study found.

SSL certificates are designed to provide the user with a degree of confidence about the authenticity of a Web site they are visiting. As a technical security mechanism, the certificate allows the browser to validate the authentication chain for the Web site server. While SSL certificates often expire for benign reasons, an expired certificate can also indicate that the user could be the victim of a man-in-the-middle attack.

The Carnegie Mellon researchers found that a high percentage of users were willing to ignore warnings about certificates that were out of date. For example, of the 50 percent of Firefox 2 users polled who could identify the term "expired security certificate," 71 percent said they would ignore the warning.

"Far too many participants exhibited dangerous behavior in all warning conditions," wrote the researchers in their paper, titled "Crying Wolf: An Empirical Study of SSL Warning Effectiveness."

Respondents were able to identify other risks indicated by browser certificate notifications. Of the 59 percent of Firefox 2 users who understood the significance of a "domain mismatch" warning, 19 percent said they would ignore the hazard. A domain mismatch, where the URL displayed does not match the URL of the destination site, indicates the user may be the victim of a phishing attack.

The Carnegie Mellon team conducted a second study, with 100 participants and under lab conditions. Online businesses can pay to have authorities vouch for the digital certificate on their Web sites, and browsers keep a list of these 'trusted authorities' for checking when a site is visited. To spoof a phishing site, the researchers removed these certificate authorities from the trusted authorities list in each of the browsers used in the study, which were iterations of Firefox 2, Firefox 3, and Internet Explorer 7. As a consequence, the participants were shown an invalid certificate warning when they navigated to a bank Web site.

Again, high percentages of users ignored the warnings. For example, of the technologically savvy Firefox 2 users, 69 percent ignored an expired certificate warning from their bank.

There has been some debate as to whether browser warnings could be so onerous they make people simply switch to a different browser. This behavior was observed by the researchers, who noted that a small percentage of participants asked the researchers if they could switch to using a different browser when presented with a certificate warning.

The findings for the second study are also presented in the "Crying Wolf" paper.

The Carnegie Mellon team advocated scrapping certificate-validity warnings, saying that a better approach may be to block users from making unsafe connections and get rid of warnings in benign situations.

Tom Espiner of ZDNet UK reported from London.