Jun 01 2017
Basic Background
In earlier work (Biddle, 2009), our group explored user understanding of the issues involved in web certificates. In particular, the distinction between encryption and identity was probed, with several strategies compared to test user comprehension. The results suggested that with appropriate design, users might perceive the key information being provided by browsers about certificates, appreciating critical nuances about both encryption and identity. Since that work, browser certificate interface design has become both more sophisticated and more coordinated. This suggests the time is right to conduct user studies to explore user understanding of current and proposed practice.
Information from CAs and browsers is something users should expect, look for, recognize and rely on. Where this works properly, online security is strongly supported. Important early work in this area includes that of Dhamija et al. (2006) which identifies why malicious websites are able to deceive. Egelman et al. (2008) conducted empirical studies and showed that by far most participants were deceived by at least one phishing strategy. In our work, mentioned above, we used low and high fidelity prototypes to study user behaviour, and used eye-tracking to study attention (Sobey, 2008; Biddle, 2009).
Bravo-Lillo et al. (2011) suggested that a “Mental Models” approach might be a good strategy for helping users detect malice, but made it clear that while this approach offered hope, much work was needed to turn it into a solution. Sotirakopoulos et al. (2011) conducted a study that highlighted a particular difficulty related to research on website trust: participants in in-lab studies might be so assured by consent forms that no harm could result that they become less cautious than they would be in real life. This shows that special care is needed in experimental design in this area.
Akhawe and Felt (2013) conducted a large scale study of user reactions to browser warnings. They did not focus specifically on certificates, but rather on browser warnings in general, both those triggered by certificates and those based on external sources such as search engines. They found that the warnings were effective in helping most users avoid malicious sites, though many users still ignored them. They suggested that eliminating excessive demands on user attention and reducing interaction might improve compliance. Almuhimedi et al. (2014) followed up to investigate the sources of users’ lack of regard for warnings. They found that users did not distinguish well between the reasons for the warnings, and often ignored them, especially if the warnings appeared for sites they had previously visited. Felt et al. (2013) report on their effort to apply the safety warning literature to improve browser warnings. While the effect was not as strong as hoped, it did improve overall results, and was influential in changing the design of the Google Chrome browser.