1 of 37

Improving Chrome’s Security Warnings

Adrienne Porter Felt

Chrome Security (Enamel)

2 of 37

The role of warnings:

Browser warnings stand between users and dangerous situations (malware, phishing, surveillance)

3 of 37

Given a choice between dancing pigs and security the user will pick dancing pigs every time

5 of 37

Challenges:

  • Low false positive rate
  • Users really want their content
  • Highly technical situation
  • No immediate consequences

6 of 37

How well do warnings work?

7 of 37

MALICIOUS DOWNLOAD

THREAT: User tries to download & run bad binary

CTR: <5%

CONFIDENCE:

8 of 37

MALWARE INTERSTITIAL

THREAT: User at risk of drive-by download

CTR: ~18%

CONFIDENCE:

9 of 37

NON-FATAL SSL INTERSTITIAL

THREAT: Active network attacker

CTR: 68%

CONFIDENCE:

10 of 37

Takeaway:

  • Warnings can be effective
  • Some work better than others
  • Room for improvement

11 of 37

Case study: malicious downloads

12 of 37

We dramatically reduced the CTR with UX changes

[Chart: CTR on a 0% to 30% axis, old vs. new UI]

13 of 37

1: DOWNLOAD SHELF

[Screenshots: old vs. new]

14 of 37

2: chrome://downloads

[Screenshots: old vs. new]

15 of 37

3: FINAL CONFIRMATION

[Screenshots: old vs. new]

16 of 37

4: BROWSER SHUTDOWN

[Screenshots: old vs. new]

17 of 37

5: GENERIC PDF WARNINGS

18 of 37

Case study: malware interstitial

19 of 37

MALWARE INTERSTITIAL

CTR: ~18%

CONFIDENCE:

THREAT: User at risk of drive-by download

20 of 37

FIELD STUDY: OCTOBER 2013

[Chart: CTR values ranging from 10% to 27%; axis labels not recoverable]

21 of 37

EFFECT OF PRIOR EXPERIENCE

22 of 37

Mechanical Turk experiment:

Does the reputation of the destination affect perception?

Low-reputation

High-reputation

23 of 37

Mechanical Turk experiment:

Does the reputation of the destination affect perception? Yes

Low-reputation 5% (471)

High-reputation 38% (357)

24 of 37

REPUTATION

I have never heard of this site so I wouldn’t trust it.

YouTube is a well-known and highly trusted site.

I frequent youtube.com a lot and I have never gotten any malware

25 of 37

INVINCIBLE

I would still proceed knowing I have an antivirus

Because I own a Mac and I don’t worry about that stuff

I use Linux, I’m not afraid of anything

26 of 37

Takeaway:

We need to figure out how to override normal indicators of trustworthiness

27 of 37

Case study: non-fatal SSL interstitial

28 of 37

NON-FATAL SSL INTERSTITIAL

CTR: 68%

CONFIDENCE:

THREAT: Active network attacker

29 of 37

A few reasons for false positives:

  • Developers use self-signed certs
  • Enterprise deployment of certs
  • Captive portals
  • Subdomain name mismatch

30 of 37

Works in progress:

  • Remember previously-seen certs
  • Better integration with captive portal detection
  • Categorize errors by severity

31 of 37

FIREFOX’S SSL ERROR

CTR: 33%

CONFIDENCE:

32 of 37

Firefox experiment:

Is the Firefox warning UI better?

Conditions:

  • Chrome warning
  • Firefox warning in Chrome
  • Firefox warning in Firefox

33 of 37

Firefox experiment:

Is the Firefox warning UI better? Yes, but that’s not the whole story

Conditions:

  • Chrome warning 68%
  • Firefox warning in Chrome 56% (47%?)
  • Firefox warning in Firefox 33%

35 of 37

WORK IN PROGRESS

[Mock-up image]

36 of 37

Do warnings work?

Case study: malicious downloads

Case study: malware interstitial

Case study: non-fatal SSL interstitial

37 of 37

felt@chromium.org

CREDITS...

Mustafa Acer

Alex Ainslie

Alan Bettes

Sunny Consolvo

Hazim Almuhimedi

Robert Reeder

Chris Palmer

Somas Thyagaraja

Joel Weinberger