A Week to Remember: The Impact of Browser Warning Storage Policies

When someone decides to ignore an HTTPS error warning, how long should the browser remember that decision? If they return to the website in five minutes, an hour, a day, or a week, should the browser show them the warning again or respect their previous decision? There is no clear industry consensus, with eight major browsers exhibiting four different HTTPS error exception storage policies. Ideally, a browser would not ask someone about the same warning over and over again. If a user believes the warning is a false alarm, repeated warnings undermine the browser’s trustworthiness without providing a security benefit. However, some people might change their mind, and we do not want one security mistake to become permanent. We evaluated six storage policies with a large-scale, multimonth field experiment. We found substantial differences between the policies and that one of the storage policies achieved more of our goals than the rest. Google Chrome 45 adopted our proposal, and it has proved successful since deployed. Subsequently, we ran Mechanical Turk and Google Consumer Surveys to learn about user expectations for warnings. Respondents generally lacked knowledge about Chrome’s new storage policy, but we remain satisfied with our proposal due to the behavioral benefits we have observed in the field.

[1]  Stuart E. Schechter,et al.  The Emperor's New Security Indicators An evaluation of website authentication and the effect of role playing on usability studies † , 2007 .

[2]  Lorrie Faith Cranor,et al.  Crying Wolf: An Empirical Study of SSL Warning Effectiveness , 2009, USENIX Security Symposium.

[3]  Robin Sommer,et al.  Here's my cert, so trust me, maybe?: understanding TLS errors on the web , 2013, WWW.

[4]  Sunny Consolvo,et al.  Improving SSL Warnings: Comprehension and Adherence , 2015, CHI.

[5]  Lorrie Faith Cranor,et al.  You've been warned: an empirical study of the effectiveness of web browser phishing warnings , 2008, CHI.

[6]  Sunny Consolvo,et al.  Experimenting at scale with google chrome's SSL warning , 2014, CHI.

[7]  岩橋 敏幸,et al.  "Your Attention Please: Designing security-decision UIs to make genuine risks harder to ignore"の紹介 , 2013 .

[8]  Kirstie Hawkey,et al.  On the challenges in usable security lab studies: lessons learned from replicating a study on SSL warnings , 2011, SOUPS.

[9]  Adrienne Porter Felt,et al.  Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness , 2013, USENIX Security Symposium.

[10]  Lorrie Faith Cranor,et al.  Harder to Ignore? Revisiting Pop-Up Fatigue and Approaches to Prevent It , 2014, SOUPS.

[11]  Kat Krol,et al.  Don't work. Can't work? Why it's time to rethink security warnings , 2012, 2012 7th International Conference on Risks and Security of Internet and Systems (CRiSIS).

[12]  Bonnie Brinton Anderson,et al.  How Polymorphic Warnings Reduce Habituation in the Brain: Insights from an fMRI Study , 2015, CHI.

[13]  Michael S. Wogalter,et al.  Habituation, Dishabituation, and Recovery Effects in Visual Warnings , 2009 .

[14]  Serge Egelman,et al.  The Importance of Being Earnest [In Security Warnings] , 2013, Financial Cryptography.