Improving SSL Warnings: Comprehension and Adherence

Browsers warn users when the privacy of an SSL/TLS connection might be at risk. An ideal SSL warning would empower users to make informed decisions and, failing that, guide confused users to safety. Unfortunately, users struggle to understand and often disregard real SSL warnings. We report on the task of designing a new SSL warning, with the goal of improving comprehension and adherence. We designed a new SSL warning based on recommendations from warning literature and tested our proposal with microsurveys and a field experiment. We ultimately failed at our goal of a well-understood warning. However, nearly 30% more total users chose to remain safe after seeing our warning. We attribute this success to opinionated design, which promotes safety with visual cues. Subsequently, our proposal was released as the new Google Chrome SSL warning. We raise questions about warning comprehension advice and recommend that other warning designers use opinionated design.
