Carnegie Mellon University
Skip navigation and jump directly to page content

Joshua Sunshine

Pop-up Insecurity

Firefox SSL Warning

You wouldn't think of routinely running red lights and speeding through stop signs. Unfortunately, that's exactly what most folks do when it comes to Internet security.

Joshua Sunshine, a Ph.D. student in Carnegie Mellon's Institute for Software Research (ISR), is the lead author on a new study showing the majority of people ignore the ‘invalid certificate' warning that pops up when their web browsers encounter a site validation problem. Sunshine will present the findings next week at the USENIX Security Symposium in Montreal.

"People really don't understand what the warning means — that you may not be connecting to the site that you think. They don't understand that it's protecting them from people stealing their information," Sunshine explained. "Even in the best case, half the people [in our study] logged into their bank accounts and ignored the warning. If it had been a real case, they would have had their accounts stolen."

While a pop-up message may indicate nothing serious, it can often be the only signal a user will get to warn them of a dangerous man-in-the-middle or forgery scheme. In these cases, ignoring the warning means handing over critical personal information to criminals, especially disastrous when accessing a banking site.

Along with Carnegie Mellon Professor Lorrie Cranor, who is also the director of the CyLab Usable Privacy and Security Laboratory (CUPS), and fellow Carnegie Mellon researchers Serge Egelman, Hazim Almuhimedi, and Neha Atri, Sunshine began with an online survey of 400 participants.

They then observed 100 subjects in the lab, keeping the true purpose of the study hidden. Five different warnings were examined, including two carefully designed by the researchers themselves. Among other things, the participants were asked to access two sites, the low-risk: a library site and the high-risk: a personal bank account.

Shockingly, the majority of participants in nearly all cases bypassed the warning and accessed both sites, even though receiving this message when connecting to a bank site almost certainly means trouble. Even more surprising, many of the subjects were technically-savvy college students.

"They have a backwards understanding of when these warnings apply to them. They think, ‘I trust my bank so this warning is silly,'" Sunshine explained, noting this is precisely when they should be most careful.

The team's better-designed warnings helped, though not enough, according to Sunshine. The researchers believe the best solution is improving browser detection and blocking access to unsafe connections.

Having spent his career thus far in software engineering, Sunshine was surprised to find himself happily immersed in a social science approach to research, originally begun as a class project for Cranor's Usable Privacy and Security course.

"Carnegie Mellon does a really good job of letting people do things at the edges, using different techniques that have never been used before. If someone had told me ‘you're going to come for a Ph.D. and do social science,' I would have said no!" said Sunshine. "Carnegie Mellon, especially in the research program, gives you many different tools, allowing you to solve a different kind of problem than if you only had one."

Related Links: ISR  |  Josh's page  |  Lorrie’s lab  |  Download the Paper [.pdf]

Homepage Story Archives