Improving SSL warnings
Adrienne Porter Felt
Chrome security team
felt@chromium.org
THE HOLY GRAIL
1. Warn only when under attack
2. Users understand warnings
3. Users follow warning advice
How can browsers stop crying wolf?
Photo credit: https://www.flickr.com/photos/tambako
Webmaster mistakes vs. real attacks
[Chart: HOW I IMAGINED ERRORS vs. DEVELOPER SSL ERRORS, MEASURED. Vertical axis: % OVERRIDABLE SSL ERRORS (0% to 20%). Error categories: WWW SUBDOMAIN, SUBDOMAIN, SUBDOMAIN REV, OUTSIDE WILDCARD, UNKNOWN TLD, MULTI-TENANT, LOCALHOST, PRIVATE URL.]
[Slide: causes of SSL errors, arranged on a scale from FALSE POSITIVE to REAL ATTACK]
a248.e.akamai.net
Client clock wrong
Captive portal
Client missing root certificate
Certificate mis-issuance
Anti-virus software
School or employer
State attacks
Malware
ISP adding advertisements
Gov’t content filter
Expired certificate
Blame the clock
Wrong clocks cause 20% of HSTS errors
Captive portals
4.5% of all errors caused by redirects
Wonky trust stores
Expired and missing certificates
Traffic shaping
Throttle or block expensive streaming
Schools & employers
Network admins want to filter content
Traffic is $$$$$
Monetizing traffic with ads, search, etc.
Clear-cut attack
More common than we think?
define, identify, fix
How do we explain this to users?
Photo credit: https://www.flickr.com/photos/sandras_weeds
WHAT WE WANT TO CONVEY
Threat source: the attacker is on the network, not a malicious website
Data risk: the data on foo.com is at risk (and no other data)
False positives: be more concerned about errors on well-regarded sites
“...the server presented a certificate issued by an entity that is not trusted by your computer’s operating system.”
“The security certificate presented by this website was not issued by a trusted certificate authority.”
...security is up to date on your computer
I don’t know if my information is safe…
I don’t know what encrypted means
“Your connection is not private. Attackers might be trying to steal your information from www.irs.gov (for example, passwords, messages, or credit cards).”
Threat source
| BROWSER | CORRECT |
| Chrome 37 | 49% |
| Chrome 36 | 38% |
| Safari | 36% |
| Firefox | 39% |
| IE | 39% |
Data risk
| BROWSER | BANK | ALL |
| Chrome 37 | 18% | 65% |
| Chrome 36 | 18% | 62% |
| Safari | 14% | 67% |
| Firefox | 20% | 69% |
| IE | 19% | 51% |
None succeed yet; how do we do better?
Can we nudge users to heed our advice?
Photo credit: https://www.flickr.com/photos/lara604/
OLD CHROME SSL WARNING
| ADHERENCE | N |
| 30.9% | 4,551 |
| 32.1% | 4,075 |
| 58.3% | 4,644 |
Opinionated design works where text fails
So in conclusion...
Photo credit: https://www.flickr.com/photos/sandras_weeds
TODO LIST
Adrienne Porter Felt
felt@chromium.org
In collaboration with...
Mustafa Acer
Alex Ainslie
Alan Bettes
Radhika Bharghava
Sunny Consolvo
Lucas Garron
Helen Harris
Elisabeth Morant
Chris Palmer
Robert W. Reeder
Ryan Sleevi
Parisa Tabriz
Somas Thyagaraja
Joel Weinberger