Will you trust this TLS certificate?: perceptions of people working in IT

Flawed TLS certificates are not uncommon on the Internet. While they signal a potential issue, in most cases they have benign causes (e.g., misconfiguration or even deliberate deployment). This adds fuzziness to the decision on whether to trust a connection or not. Little is known about perceptions of flawed certificates by IT professionals, even though their decisions impact high numbers of end users. Moreover, it is unclear how much does the content of error messages and documentation influence these perceptions. To shed light on these issues, we observed 75 attendees of an industrial IT conference investigating different certificate validation errors. We also analysed the influence of re-worded error messages and redesigned documentation. We find that people working in IT have very nuanced opinions with trust decisions being far from binary. The self-signed and the name constrained certificates seem to be over-trusted (the latter also being poorly understood). We show that even small changes in existing error messages can positively influence resource use, comprehension, and trust assessment. Our re-worded error messages and documentation can be directly adopted.

[1]  Robin Sommer,et al.  Here's my cert, so trust me, maybe?: understanding TLS errors on the web , 2013, WWW.

[2]  Georg Carle,et al.  The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements , 2011, IMC '11.

[3]  Robert Biddle,et al.  Browser interfaces and extended validation SSL certificates: an empirical study , 2009, CCSW '09.

[4]  Katharina Krombholz,et al.  "If HTTPS Were Secure, I Wouldn't Need 2FA" - End User and Administrator Mental Models of HTTPS , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[5]  Lorrie Faith Cranor,et al.  Your attention please: designing security-decision UIs to make genuine risks harder to ignore , 2013, SOUPS.

[6]  Serge Egelman,et al.  Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS) , 2015, CHI.

[7]  J. R. Landis,et al.  The measurement of observer agreement for categorical data. , 1977, Biometrics.

[8]  Michelle L. Mazurek,et al.  Security Developer Studies with GitHub Users: Exploring a Convenience Sample , 2017, SOUPS.

[9]  Katharina Krombholz,et al.  Investigating System Operators' Perspective on Security Misconfigurations , 2018, CCS.

[10]  Vashek Matyas,et al.  Measuring Popularity of Cryptographic Libraries in Internet-Wide Scans , 2017, ACSAC.

[11]  M. Sandelowski Focus on Research Methods Whatever Happened to Qualitative Description? , 2022 .

[12]  Simson L. Garfinkel,et al.  Comparing the Usability of Cryptographic APIs , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[13]  Sunny Consolvo,et al.  An Experience Sampling Study of User Reactions to Browser Warnings in the Field , 2018, CHI.

[14]  Sunny Consolvo,et al.  Improving SSL Warnings: Comprehension and Adherence , 2015, CHI.

[15]  Sebastian Möller,et al.  Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse , 2018, SOUPS @ USENIX Security Symposium.

[16]  Bruce M. Maggs,et al.  Measuring and Applying Invalid SSL Certificates: The Silent Majority , 2016, Internet Measurement Conference.

[17]  Vitaly Shmatikov,et al.  The most dangerous code in the world: validating SSL certificates in non-browser software , 2012, CCS.

[18]  Adrienne Porter Felt,et al.  Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate Errors , 2017, CCS.

[19]  Matthew Smith,et al.  Why Do Developers Get Password Storage Wrong?: A Qualitative Usability Study , 2017, CCS.

[20]  J. Alex Halderman,et al.  A Search Engine Backed by Internet-Wide Scanning , 2015, CCS.

[21]  Jeremy Clark,et al.  2013 IEEE Symposium on Security and Privacy SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements , 2022 .

[22]  Lorrie Faith Cranor,et al.  Crying Wolf: An Empirical Study of SSL Warning Effectiveness , 2009, USENIX Security Symposium.

[23]  Luigi Lo Iacono,et al.  Towards the Usability Evaluation of Security APIs , 2016, HAISA.

[24]  Lujo Bauer,et al.  Warning Design Guidelines , 2013 .

[25]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2002, RFC.

[26]  Edgar R. Weippl,et al.  "I Have No Idea What I'm Doing" - On the Usability of Deploying HTTPS , 2017, USENIX Security Symposium.

[27]  M. Angela Sasse,et al.  Scaring and Bullying People into Security Won't Work , 2015, IEEE Security & Privacy.

[28]  Johnny Saldaña,et al.  The Coding Manual for Qualitative Researchers , 2009 .

[29]  Michael Backes,et al.  You Get Where You're Looking for: The Impact of Information Sources on Code Security , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[30]  Matthew Smith,et al.  Why eve and mallory (also) love webmasters: a study on the root causes of SSL misconfigurations , 2014, AsiaCCS.

[31]  Luigi Lo Iacono,et al.  I Do and I Understand. Not Yet True for Security APIs. So Sad , 2017 .

[32]  Martin P. Robillard,et al.  What Makes APIs Hard to Learn? Answers from Developers , 2009, IEEE Software.

[33]  Brandy L. Simula Book Review: The Coding Manual for Qualitative Researchers, 3rd ed. , 2018 .

[34]  Martin P. Robillard,et al.  What Makes APIs Hard to Learn? The Answers of Developers , 2011 .

[35]  Vashek Matyas,et al.  Why Johnny the Developer Can't Work with Public Key Certificates - An Experimental Study of OpenSSL Usability , 2018, CT-RSA.