Computer systems security has received increased attention from both academia and industry. However, recent work indicates that substantial security gaps emerge when systems are deployed, even with state-of-the-art security protocols in place. Our findings suggest that widespread security problems exist even where protocols such as SSL and SSH are deployed, because systems today do not present security warnings properly or make it trivial for users to bypass them. Even when these protocols are deployed correctly, systems often leave themselves vulnerable to social-engineering attacks as an artifact of their design. In one of our studies, we examined the web sites of 706 financial institutions and found that over 90% of them had made poor design choices with respect to security, even though all of them deployed SSL for transmitting passwords and performing transactions. In another study, we examined the use of SSH within our own department and found that most users would be susceptible to a man-in-the-middle attack. Based on these studies, we postulate that some of the most interesting challenges for security researchers and practitioners lie at the intersection of security theory, its application in practice, and user behavior. We point out some of those challenges and hope that the research community can help address them.
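The SSH finding above hinges on one decision the client makes on every connection: is the host key it was just shown the one on record, a different one, or unknown? The following is an added example, not code from the paper or from OpenSSH, that models that decision over a constructed known_hosts file (hostnames and key blobs are made up; hashed `|1|` entries are skipped). It shows the two cases that make users susceptible to a man-in-the-middle: a changed key that a user is allowed to click through, and an unknown host that trust-on-first-use policy accepts even if the attacker is already in the path.

```python
import base64
import hashlib
from enum import Enum


class Verdict(Enum):
    MATCH = "match"        # presented key equals the key on record
    MISMATCH = "mismatch"  # a different key is on record: possible MITM or rekeyed host
    UNKNOWN = "unknown"    # nothing on record for this host and key type


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob (unpadded base64 digest)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> base64 key for plain (unhashed) known_hosts lines."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, comments, and hashed entries (|1|salt|hash), which this model omits.
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, key_b64 = parts[0], parts[1], parts[2]
        for host in hosts.split(","):  # one line may list several names/addresses
            known[(host, keytype)] = key_b64
    return known


def verify_host_key(known: dict, host: str, keytype: str, presented_b64: str) -> Verdict:
    """Compare the key the server presented with the one recorded for this host."""
    recorded = known.get((host, keytype))
    if recorded is None:
        return Verdict.UNKNOWN
    if fingerprint(recorded) == fingerprint(presented_b64):
        return Verdict.MATCH
    return Verdict.MISMATCH


def connect_decision(verdict: Verdict, accept_unknown: bool) -> bool:
    """Return True if the client proceeds.

    accept_unknown=True models trust-on-first-use (the user answers 'yes' to the
    unknown-host prompt): an attacker present at first contact is accepted.
    accept_unknown=False models a strict policy that connects only to pinned hosts.
    A MISMATCH is never accepted; that is exactly the warning a user must not bypass.
    """
    if verdict is Verdict.MATCH:
        return True
    if verdict is Verdict.UNKNOWN:
        return accept_unknown
    return False


# Constructed sample data (not real keys): base64 blobs stand in for host key material.
KEY_REAL = base64.b64encode(b"constructed ed25519 host key for fileserver").decode()
KEY_ATTACKER = base64.b64encode(b"constructed ed25519 key presented by a MITM").decode()

KNOWN_HOSTS = f"""# constructed known_hosts for this example
fileserver.example.org,10.0.0.5 ssh-ed25519 {KEY_REAL}
"""


def demo() -> dict:
    """Run the three scenarios a user actually sees: known host, changed key, first contact."""
    known = parse_known_hosts(KNOWN_HOSTS)
    return {
        "recorded_key": verify_host_key(known, "fileserver.example.org", "ssh-ed25519", KEY_REAL),
        "changed_key": verify_host_key(known, "fileserver.example.org", "ssh-ed25519", KEY_ATTACKER),
        "first_contact": verify_host_key(known, "newbox.example.org", "ssh-ed25519", KEY_ATTACKER),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.value}; TOFU connects={connect_decision(verdict, True)}; "
              f"strict connects={connect_decision(verdict, False)}")
```

The point of separating `verify_host_key` from `connect_decision` is that the protocol side (comparing keys) is sound in both policies; the exposure the department study describes comes entirely from the policy layer, where an unknown host is accepted and a warning can be dismissed. Pinning keys out of band (or distributing them via a signed channel) is what lets `accept_unknown=False` be usable in practice.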