
SANS ISC: Improving SSL Warnings - SANS Internet Storm Center


Improving SSL Warnings

One of the things that has concerned me for the last few years is how we are slowly creating a click-through culture. Microsoft started it with the UAC warnings, and browsers exacerbated it with SSL certificate warnings. You know the ones...

I honestly believe the intent is correct, but the implementation is faulty. The messages are not pitched at the average Internet user's knowledge level. In other words, the warnings are incomprehensible to my sister, my parents and my grandparents, the average Internet users of today. Given a choice between going to their favorite website or heeding an incomprehensible warning message... well, you know what happens next.

A team at Google has been looking at these issues and is driving browser changes in Chrome based on their research. As they point out, the vast majority of these errors are attributable to webmaster mistakes (expired certificates, hostname mismatches and the like), with only a very small fraction being actual attacks. That ratio is exactly what trains users to click through: when almost every warning turns out to be harmless, the rare one that is not gets the same reflexive click.

The paper is "Improving SSL Warnings: Comprehension and Adherence" (Felt et al., CHI 2015), and there is an accompanying presentation.


-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Could you please fix your RSS feeds so that content is not filtered out? It seems to be some erroneous sanitizing code. In this entry the second sentence is replaced by '" />' (double-quote, space, slash, greater-than).
Anonymous
@Rick,
While today is Super Bowl Sunday, the highlight of my day is to see another person recognize that, since the first phreaker, 100% of cyber security is waaaaay beyond the radar of 99.9999% of the public. And with the tsunami of smartphones (now, even Granny has one), and IoEverything, what chance does cyber security have? Especially given our current extremely insecure technology (hw & sw), our highly determined opponents, the 'dash to cash', FUD, and the mantra of 'every rat for themselves, and the devil take the hindmost'.
~eundv
