crying wolf an empirical study of ssl warning
play

Crying Wolf: An Empirical Study of SSL Warning Effectiveness Joshua - PowerPoint PPT Presentation

Dec 07, 2023 •215 likes •536 views

Crying Wolf: An Empirical Study of SSL Warning Effectiveness Joshua Sunshine Serge Egelman Hazim Almuhimedi Neha Atri Lorrie Faith Cranor C yLab U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ CyLab Usable Privacy and

  1. Crying Wolf: An Empirical Study of SSL Warning Effectiveness Joshua Sunshine Serge Egelman Hazim Almuhimedi Neha Atri Lorrie Faith Cranor C yLab U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 1

  2. SSL Certificate Warnings  Browser’s warn about SSL Cert problems: – Domain Mismatch – Unknown Certificate Authority – Expired  These warnings: – May be user’s only protection – Commonly encountered when connecting to legitimate servers CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 2

  3. FF2 Warning CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 3

  4. FF2 Warning Adapted from Jonathan Nightingale CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 4

  5. IE7 Warning CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 5

  6. FF3 Warning CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 6

  7. FF3 Warning CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 7

  8. FF3 Warning CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 8

  9. FF3 Warning CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 9

  10. Warning Design Strategies  Lessons from online survey: – Context sensitivity – Prevent habituation – Avoid confusion with other, less serious, warnings  Warning science guidance: – Avoid warnings when possible – Clearly explain risk – Provide straightforward instructions for avoiding the hazard CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 10

  11. Idea: Ask users a question Multi-page warning CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 11

  12. Idea: Make risk obvious Single-page warning CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 12

  13. Laboratory Study  100 participants – CMU students – Recruited by fliers, emails, and participant list  5 Randomly-assigned conditions: FF2, FF3, IE7, Single page custom warning and multi-page custom warning  Warning was triggered twice: – Bank – Library catalog CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 13

  14. Laboratory Study  Users were instructed to find: – Total area of Italy using Google – Account balance at bank website* – Price of Freakonomics at Amazon – Richistan call number with CMU library catalog* *warning appeared  Alternate tasks provided – Required calling or using a different site  Post-experiment survey on reactions CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 14

  15. Task Step 1 Use online banking (https://www.bank.com) to find your current account balance. Write down only the last two digits of your account balance . Alternate: Use automated phone banking (Phone: 1-888-555- 1212 ). Please use the campus phone in front of you and don’t forget to first dial ‘9.’ Please remember to “think aloud” as you complete this task. CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 15

  16. Task walkthrough GO CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 16

  17. Task walkthrough GO https://www.bank.com/ CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 17

  18. Task walkthrough GO https://www.bank.com/ CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 18

  19. Task walkthrough GO https://www.bank.com/ CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 19

  20. Task walkthrough GO https://www.bank.com/ BANK username: sunshine password: •••••••• GO CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 20

  21. Task walkthrough alternate GO https://www.bank.com/ CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 21

  22. Task walkthrough alternate CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 22

  23. Hypotheses  Participants would be likely to ignore the IE7 and FF2 warnings on both websites  Participants would be likely to obey the FF3 and our single-page warning on both websites  Participants who saw our multi-page warning would obey on bank website, but continue to library website CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 23

  24. Bank Results 100% Ignored Warning 80% 60% 40% 20% 0% FF2 FF3 IE7 1-page Multipage  In risky situation, significantly fewer people heeded IE7 and FF2 than other warnings CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 24

  25. Library Results 100% Ignored Warning 80% 60% 40% 20% 0% FF2 FF3 IE7 1-page Multipage  In low risk situation, almost all users overrode warnings except in FF3 condition CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 25

  26. Library vs. Bank 100% Ignored Warning 80% 60% Bank 40% Library 20% 0% FF2 FF3 IE7 1-page Multipage  In native warning conditions, no significant difference in reactions at library and bank  In new warning conditions, users more likely to heed warnings at bank than at library CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 26

  27. Explain what to do  “Why did you choose to heed or ignore the warning?”  Mentioned risk: – FF2: 2 – FF3: 2 – IE7: 2 – Single-Page: 11 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 27

  28. Explain what to do  “What action(s) did you think the warning at the bank wanted you to take?”  Wanted them not to proceed: – FF2: 3 – FF3: 2 – IE7: 4 – Single-page: 10 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 28

  29. Making It Difficult CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 29

  30. Asking a Question  15/20 participants answered correctly at bank – 3 knowingly gave the wrong answer – 2 confused warning with server unavailable error  Critical Weakness: Finer grained origins attack – attacker circumvents question by forcing connection to unintended website – See paper for details  Need a different context sensitive approach CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 30

  31. Conclusion  We evaluated a wide class of warnings embodying three solid strategies  Custom warnings conveyed risks and allowed users to take risk into account when making a decision  Custom warnings were still not good enough  Need systems solutions that avoid warnings altogether (e.g. Perspectives, ForceHTTPs) – Need to evaluate false positive rate CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IN THE NAME OF GOD CRYING AND COLIC INTRODUCTION Incessant crying is one of the frequent

IN THE NAME OF GOD CRYING AND COLIC INTRODUCTION Incessant crying is one of the frequent

IN THE NAME OF GOD CRYING AND COLIC INTRODUCTION Incessant crying is one of the frequent complaints for which young infants are brought to pediatricians. Crying in young infants is a part of normal behavioral and neuronal development

444 views • 19 slides
? Message sound Message P(wolf|sound) P(sound| wolf) x P(wolf) 1 9/4/19 P(sound| wolf)

? Message sound Message P(wolf|sound) P(sound| wolf) x P(wolf) 1 9/4/19 P(sound| wolf)

9/4/19 Speech Hynek Hermansky Elecrical and Computer Engineering Hackerman 324Fp ? Message sound Message P(wolf|sound) P(sound| wolf) x P(wolf) 1 9/4/19 P(sound| wolf) no wolf wolf loudness timbre (sound color) More

334 views • 14 slides
AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical

AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical

AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical studies of how developer decisions Irene Manotas, * Christian Bird, impact energy consumption (design patterns, web Lori Pollock, * and James

354 views • 32 slides
Empirical Study: Expert Finding Matthieu Vergne vergne@fbk.eu Fondazione Bruno Kessler

Empirical Study: Expert Finding Matthieu Vergne vergne@fbk.eu Fondazione Bruno Kessler

Presentation Experiment Conclusion Empirical Study: Expert Finding Matthieu Vergne vergne@fbk.eu Fondazione Bruno Kessler Information and Communication Technology University of Trento February 19th, 2014 Empirical Study: Expert Finding 1/

484 views • 24 slides
An empirical study of Gaussian belief propagation and application in the detection of F-formations

An empirical study of Gaussian belief propagation and application in the detection of F-formations

Regularized Gaussian belief propagation Empirical Study F-formation detection Concluding Remarks An empirical study of Gaussian belief propagation and application in the detection of F-formations Francois Kamper Stellenbosch University

578 views • 20 slides
An Empirical Study of Code Clone Genealogies

An Empirical Study of Code Clone Genealogies

An Empirical Study of Code Clone Genealogies MiryungKim,VibhaSazawal,DavidNotkin,andGailMurphy UniversityofWashington UniversityofBritishColumbia ESEC/FSESept2005 Conventional Wisdom

491 views • 25 slides
An Empirical Security Study of An Empirical Security Study of the Native Code in the JDK the

An Empirical Security Study of An Empirical Security Study of the Native Code in the JDK the

An Empirical Security Study of An Empirical Security Study of the Native Code in the JDK the Native Code in the JDK Gang Tan, Boston College Lehigh University Jason Croft Boston College Jason Croft, Boston College J Java Security S i

817 views • 29 slides
Dr. E. George Wolf (study director) Hyperbaric Medicine San Antonio, TX 210-359-8018

Dr. E. George Wolf (study director) Hyperbaric Medicine San Antonio, TX 210-359-8018

Trauma ma&c Brain Inju jury and Hyperbaric Oxygen Th Ther erapy: D Dawn of of a a Ne New D Day APWCA 16th Annual Na&onal Clinical Conference 7-9 Sep 17 Dr. E. George Wolf (study director) Hyperbaric Medicine San Antonio, TX

340 views • 21 slides
The wolf in the Free State of Saxony Statement on the handling of the wolf in Saxony 1 | XX.

The wolf in the Free State of Saxony Statement on the handling of the wolf in Saxony 1 | XX.

The wolf in the Free State of Saxony Statement on the handling of the wolf in Saxony 1 | XX. Monat 2016 | Name des Prsentators Return of the wolf to Saxony Pack Pair Resident single wolf 2 | 17. Juni 2019 | Vanessa Ludwig Return of the

480 views • 15 slides
An Empirical Study of Delay Introduction Jitter Management Policies Want to support

An Empirical Study of Delay Introduction Jitter Management Policies Want to support

An Empirical Study of Delay Introduction Jitter Management Policies Want to support interactive audio Last mile is LAN (including bridges, hubs) to D. Stone and K. Jeffay desktop Computer Science Department Study that

702 views • 7 slides
Waterway Capacity Study (WCS) of the Gulf Intracoastal Waterway between Mobile Bay and Wolf Bay

Waterway Capacity Study (WCS) of the Gulf Intracoastal Waterway between Mobile Bay and Wolf Bay

Waterway Capacity Study (WCS) of the Gulf Intracoastal Waterway between Mobile Bay and Wolf Bay Taylor Engineering, Inc. Christopher Bender, Ph.D., P.E. John Adams, P.E . Terry Hull, P.E. Introduction : Location Scope of the WCS Determine

272 views • 26 slides
Empirical problem solving Statistical method R.W. Oldford Empirical problem solving - PPDAC The

Empirical problem solving Statistical method R.W. Oldford Empirical problem solving - PPDAC The

Empirical problem solving Statistical method R.W. Oldford Empirical problem solving - PPDAC The reasoning chain of any empirical study has five essential links or stages: Each stage has its own concerns to be dealt with. Each stage

428 views • 27 slides
An Empirical Study on the Use of Defect U N I VE R SI TY OF WASHI N G TON Prediction for Test

An Empirical Study on the Use of Defect U N I VE R SI TY OF WASHI N G TON Prediction for Test

D AVID PATERSON, U N I VE RSI TY O F S HE FFI ELD JOSE CAMPOS, An Empirical Study on the Use of Defect U N I VE R SI TY OF WASHI N G TON Prediction for Test Case Prioritization RUI ABREU, U N I VE R SI TY OF LI SB ON GREGORY M. KAPFHAMMER,

611 views • 44 slides
CRYING TO THE UNCHANGING GOD P S A L M 7 WATCH THE LIVE STREAM ON SUNDAY 9AM 1 O Lord my God,

CRYING TO THE UNCHANGING GOD P S A L M 7 WATCH THE LIVE STREAM ON SUNDAY 9AM 1 O Lord my God,

CRYING TO THE UNCHANGING GOD P S A L M 7 WATCH THE LIVE STREAM ON SUNDAY 9AM 1 O Lord my God, in You I have taken refuge; save me from all those who pursue me, and deliver me, 2 or he will tear my soul like a lion, dragging me away, while

1.09k views • 35 slides
An Empirical Study of How Developers Use - Results - Discussion Autocompletion Sheldon Chi

An Empirical Study of How Developers Use - Results - Discussion Autocompletion Sheldon Chi

Outline - Introduction - Dataset An Empirical Study of How Developers Use - Results - Discussion Autocompletion Sheldon Chi and Abdul Khader Naik Autocomplete Research Questions - Standard in modern IDEs - RQ1: What are the common

80 views • 4 slides
An Empirical Study on Reducing Omission Errors in Practice Jihun

An Empirical Study on Reducing Omission Errors in Practice Jihun

ASE 2014 An Empirical Study on Reducing Omission Errors in Practice Jihun Park 1 , Miryung Kim 2 , Doo-Hwan Bae 1 1. KAIST, South Korea 2. University of California,

300 views • 14 slides
Tighter risk certificates for (probabilistic) neural networks Omar Rivasplata

Tighter risk certificates for (probabilistic) neural networks Omar Rivasplata

Tighter risk certificates for (probabilistic) neural networks Omar Rivasplata o.rivasplata@cs.ucl.ac.uk 01 July 2020 UCL Centre for AI Slide 1 / 40 The crew Mar a P erez-Ortiz (UCL) Yours truly (UCL / DeepMind) Csaba

569 views • 40 slides
Using Strengths Based Measures to Assess and Manage Risk of Future Negative outcomes Simone

Using Strengths Based Measures to Assess and Manage Risk of Future Negative outcomes Simone

Using Strengths Based Measures to Assess and Manage Risk of Future Negative outcomes Simone Viljoen, M.Sc. Indian Health Service Clinical Rounds 02 June, 2014 Objectives 1. Discuss common negative outcomes present in AI/AN youth. 2.

623 views • 35 slides
Decision Trees COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning Decision

Decision Trees COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning Decision

Decision Trees COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning Decision Trees 1 / 19 Outline 1 Motivation 2 Recursive Splits and Trees 3 Prediction 4 Purity 5 How to Split 6 When to Stop Splitting COMPSCI 371D Machine

423 views • 19 slides
Structured sparsity through convex optimization Francis Bach INRIA - Ecole Normale Sup

Structured sparsity through convex optimization Francis Bach INRIA - Ecole Normale Sup

Structured sparsity through convex optimization Francis Bach INRIA - Ecole Normale Sup erieure, Paris, France Joint work with R. Jenatton, J. Mairal, G. Obozinski Journ ees INRIA - Apprentissage - December 2011 Outline SIERRA

1.03k views • 77 slides
Mean estimation: median-of-means tournaments G abor Lugosi ICREA, Pompeu Fabra University,

Mean estimation: median-of-means tournaments G abor Lugosi ICREA, Pompeu Fabra University,

Mean estimation: median-of-means tournaments G abor Lugosi ICREA, Pompeu Fabra University, BGSE based on joint work with Luc Devroye (McGill, Montreal) Matthieu Lerasle (CNRS, Nice) Roberto Imbuzeiro Oliveira (IMPA, Rio) Shahar Mendelson

620 views • 51 slides
PAC Learnability and Bayes Classifier Matthieu R. Bloch 1 PAC learnability Tie last question to

PAC Learnability and Bayes Classifier Matthieu R. Bloch 1 PAC learnability Tie last question to

1 (1) learning algorithm such that: ability (PAC) as follows. In learning theory, these ideas are formalized in terms of probably approximately correct learn- (6) so that (5) (4) the minimizer of the true risk, By assumption, we have (3)

302 views • 4 slides
Model selection theory: a tutorial with applications to learning Pascal Massart Universit

Model selection theory: a tutorial with applications to learning Pascal Massart Universit

Model selection theory: a tutorial with applications to learning Pascal Massart Universit Paris-Sud, Orsay ALT 2012, October 29 Asymptotic approach to model selection - Idea of using some penalized empirical criterion goes back to the

781 views • 50 slides
MATH Opportunities in Berlin Shameless plug Postdoc and PhD positions in optimization/ML. At Zuse

MATH Opportunities in Berlin Shameless plug Postdoc and PhD positions in optimization/ML. At Zuse

Robust ML Training with Conditional Gradients Sebastian Pokutta Technische Universitt Berlin and Zuse Institute Berlin pokutta@math.tu-berlin.de @spokutta CO@Work 2020 Summer School September, 2020 Berlin Mathematics Research Center MATH

975 views • 55 slides

More recommend