Web Authentication: A User-Centered Security R´ emy Degenne Chair for Network Architectures and Services Department for Computer Science Technische Universit¨ at M¨ unchen October 10, 2013 R´ emy Degenne: Web Authentication: A User-Centered Security 1
Outline Motivation for an Analysis of the HTTPS Authentication 1 Process 2 HTTPS Authentication with certificates Users’ Behavior and Knowledge 3 The HTTPS Environment 4 Conclusion 5 R´ emy Degenne: Web Authentication: A User-Centered Security 2
Motivation Are these warnings useful ? The user is warned about an authentication failure. This is an ineffective strategy to prevent attacks. Should the users be more carefull ? R´ emy Degenne: Web Authentication: A User-Centered Security 3
HTTPS Authentication What does this error mean? The certificate used to authenticate the server is not trusted. A SSL-Certificate is provided by the server in the HTTPS handshake to authenticate itself. A Certification Authority (CA) trusted by the browser must have signed it. In this case the CA is not trusted. R´ emy Degenne: Web Authentication: A User-Centered Security 4
Visual clues A connection to a web site using HTTPS is shown with visual indicators in the browser. R´ emy Degenne: Web Authentication: A User-Centered Security 5
The Certification system Why use a certificate? The user wants to be sure that he does not give sensible data to somebody he doesn’t trust. The organization owning the server wants to convey a sense of security. The browser company offers protection as a service and thus make the browser react to the security errors. The browser raises a warning, the user stops and the system is secure. R´ emy Degenne: Web Authentication: A User-Centered Security 6
User-centered Security In this system, the user’s behavior defines the level of security. The user faces a choice and his behavior defines his own security. This is not the only possibility : the browser could stop the connexion instead of showing a warning. The user is not the only actor of the authentication process. R´ emy Degenne: Web Authentication: A User-Centered Security 7
Warnings do not work The user doesn’t follow the security advice. Studies of the reaction of the users show that the warning system does not work. Confronted to the untrusted CA error, 48% of the IE7 or Firefox3 users and 55% of the Firefox2 users consider that nothing bad is happening . The use of stronger certificates does not influence the response. R´ emy Degenne: Web Authentication: A User-Centered Security 8
The user doesn’t understand how it works The average user has a poor understanding of web security. Few users (less than 46%) associate ’secure web site’ with the idea of authentication. Many users (11%) think the site itself is secure. False representations are also common among the ones who tried to educate themselves. R´ emy Degenne: Web Authentication: A User-Centered Security 9
The clues are not universally known What is a security clue is not clear. The visual indicators are not effectively used. The difference between browser chrome and the content of a page is sometimes not clearly made. A significant number of users do not know if their browser has HTTPS clues. The majority of users stop looking at the indicators after the sign-in page. (eye-tracking studies) R´ emy Degenne: Web Authentication: A User-Centered Security 10
HTTPS deployment - not for every site HTTPS is not everywhere. Some companies use good HTTPS implementations with valid certificates. Most web sites use basic certificates, sometimes poorly. HTTPS is supported by 34% of the top 1000000 web sites. Only 14.5% of the certificates are valid, from a trusted CA and do not raise any warning. The most common error is domain mismatch: certificate for www.example.com used for example.com R´ emy Degenne: Web Authentication: A User-Centered Security 11
HTTPS indicators HTTPS is not always visible and there are some false clues Some web sites use HTTPS only for the sign-in page (linkedIn). It is usual to sign in securely but to navigate without https clues. The use of other clues in the content of some sites is misleading. Example : the Norton-Verisign seal. R´ emy Degenne: Web Authentication: A User-Centered Security 12
Security for CAs and Browsers The different actors of the authentication process may want more security but also have other interests. Browsers offer security to Certification Authorities risk bankruptcy if their certificates their customers. cannot be trusted. They also offer the Some CAs are too big : the possibility to access every browsers will not revoke their web site. certificates. Warnings maintain usability. Any CA can make certificates for every domains: it is as profitable to attack the weakest CA as the strongest. Incentive to be only more secure as the weakest CA. R´ emy Degenne: Web Authentication: A User-Centered Security 13
Always proceed, a rational behavior? There are indirect costs associated with a risk-aware behavior. By trying to figure out what is a risk and what is not, the user spends effort. The majority of the web is accessible with HTTP only. The frequent false-positives train the user to ignore the errors. Paying attention to the certificate is not enough to be secure. Are the benefits greater than the costs? R´ emy Degenne: Web Authentication: A User-Centered Security 14
Conclusion The HTTPS authentication is a user-centered security system. The average user does not know how to use it and ignoring every warning may be a valid strategy. The other actors of the authentication process transfer the responsibility on the user. The user-centered security currently does not work. It could be improved by designing better ways to help the user (warnings, indicators). To change to another type of security, an external influence is needed. R´ emy Degenne: Web Authentication: A User-Centered Security 15
Recommend
More recommend
