Web Authentication: A User-Centered Security - Rémy Degenne - PowerPoint PPT Presentation



SLIDE 1

Web Authentication: A User-Centered Security

Rémy Degenne

Chair for Network Architectures and Services, Department for Computer Science, Technische Universität München

October 10, 2013

Rémy Degenne: Web Authentication: A User-Centered Security 1

SLIDE 2

Outline

1. Motivation for an Analysis of the HTTPS Authentication Process
2. HTTPS Authentication with Certificates
3. Users' Behavior and Knowledge
4. The HTTPS Environment
5. Conclusion


SLIDE 3

Motivation

Are these warnings useful? The user is warned about an authentication failure. This is an ineffective strategy to prevent attacks. Should the users be more careful?


SLIDE 4

HTTPS Authentication

What does this error mean? The certificate used to authenticate the server is not trusted. An SSL certificate is presented by the server during the HTTPS handshake to authenticate itself. A Certification Authority (CA) trusted by the browser must have signed it. In this case the CA is not trusted.


SLIDE 5

Visual clues

A connection to a web site using HTTPS is shown with visual indicators in the browser.


SLIDE 6

The Certification system

Why use a certificate? The user wants to be sure that he does not give sensitive data to somebody he doesn't trust. The organization owning the server wants to convey a sense of security. The browser company offers protection as a service and thus makes the browser react to security errors. The browser raises a warning, the user stops, and the system is secure.


SLIDE 7

User-centered Security

In this system, the user's behavior defines the level of security. The user faces a choice and his behavior defines his own security. This is not the only possibility: the browser could stop the connection instead of showing a warning. The user is not the only actor in the authentication process.


SLIDE 8

Warnings do not work

The user doesn't follow the security advice. Studies of users' reactions show that the warning system does not work. Confronted with the untrusted CA error, 48% of IE7 or Firefox 3 users and 55% of Firefox 2 users consider that nothing bad is happening. The use of stronger certificates does not influence the response.


SLIDE 9

The user doesn’t understand how it works

The average user has a poor understanding of web security. Few users (less than 46%) associate ’secure web site’ with the idea of authentication. Many users (11%) think the site itself is secure. False representations are also common among the ones who tried to educate themselves.


SLIDE 10

The clues are not universally known

What counts as a security clue is not clear. The visual indicators are not used effectively. The difference between the browser chrome and the content of a page is sometimes not clearly made. A significant number of users do not know whether their browser has HTTPS clues. The majority of users stop looking at the indicators after the sign-in page (eye-tracking studies).


SLIDE 11

HTTPS deployment - not for every site

HTTPS is not everywhere. Some companies use good HTTPS implementations with valid certificates. Most web sites use basic certificates, sometimes poorly. HTTPS is supported by 34% of the top 1000000 web sites. Only 14.5% of the certificates are valid, from a trusted CA and do not raise any warning. The most common error is domain mismatch: a certificate for www.example.com used for example.com.
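To make the two failure modes from slides 4 and 11 concrete, here is an added illustration (not code from the talk) of how a browser-style client classifies a server certificate: trusted CA and matching name (no warning), untrusted CA, or domain mismatch, including the www.example.com vs example.com case named above. Certificates are modelled as plain records; the CA names and trust store are constructed for the example.

```python
"""Added illustration (not part of the slides): classify a server
certificate the way a browser does before deciding whether to warn.
Certificates are plain records; the issuer names and the trust store
below are constructed sample values, not real CAs."""
from dataclasses import dataclass

# Constructed trust store: the CAs this client trusts (slide 4).
TRUSTED_CAS = {"Example Root CA"}


@dataclass
class Cert:
    issuer: str   # name of the CA that signed the certificate
    names: list   # dNSName entries from subjectAltName (or the CN)


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style host matching: exact match, or a single
    left-most wildcard label covering exactly one label, so
    *.example.com matches www.example.com but neither example.com
    nor a.b.example.com. Comparison is case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole first label, appear once, and not
    # cover a public suffix such as "*.com".
    if plabels[0] != "*" or "*" in pattern[2:] or len(plabels) < 3:
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def classify(cert: Cert, hostname: str, trusted=TRUSTED_CAS) -> str:
    """Return 'ok', 'untrusted_ca' or 'domain_mismatch', checked in
    the order a client checks them: the chain must be trusted before
    the name on the certificate even matters."""
    if cert.issuer not in trusted:
        return "untrusted_ca"              # slide 4: CA not trusted
    if not any(name_matches(n, hostname) for n in cert.names):
        return "domain_mismatch"           # slide 11: most common error
    return "ok"


# Constructed sample certificates.
WWW_ONLY = Cert(issuer="Example Root CA", names=["www.example.com"])
SELF_SIGNED = Cert(issuer="My Own CA", names=["example.com"])
WILDCARD = Cert(issuer="Example Root CA", names=["*.example.com"])
```

Serving `WWW_ONLY` on example.com yields `domain_mismatch`, which is exactly the warning the slide reports as most common; the wildcard certificate shows why a `*.example.com` certificate does not cure it for the bare domain.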


SLIDE 12

HTTPS indicators

HTTPS is not always visible and there are some false clues. Some web sites use HTTPS only for the sign-in page (LinkedIn). It is usual to sign in securely but then to navigate without HTTPS clues. The use of other clues in the content of some sites is misleading. Example: the Norton-Verisign seal.


SLIDE 13

Security for CAs and Browsers

The different actors of the authentication process may want more security but also have other interests.

Certification Authorities risk bankruptcy if their certificates cannot be trusted. Some CAs are too big: the browsers will not revoke their certificates. Any CA can issue certificates for any domain, so it is as profitable to attack the weakest CA as the strongest. The incentive is only to be as secure as the weakest CA.

Browsers offer security to their customers. They also offer the possibility to access every web site. Warnings maintain usability.


SLIDE 14

Always proceed, a rational behavior?

There are indirect costs associated with risk-aware behavior. By trying to figure out what is a risk and what is not, the user spends effort. The majority of the web is accessible with HTTP only. The frequent false positives train the user to ignore the errors. Paying attention to the certificate is not enough to be secure. Are the benefits greater than the costs?


SLIDE 15

Conclusion

HTTPS authentication is a user-centered security system. The average user does not know how to use it, and ignoring every warning may be a valid strategy. The other actors of the authentication process transfer the responsibility to the user. User-centered security currently does not work. It could be improved by designing better ways to help the user (warnings, indicators). To change to another type of security, an external influence is needed.
