July 28, 2009 9:29 AM PDT

Web users ignoring security certificate warnings

by Tom Espiner

Digital certificate warnings in Web browsers are not an effective security measure, according to Carnegie Mellon researchers.

The researchers, who plan to present their findings on August 14 at the Usenix Security Symposium in Montreal, found over the course of two experiments that certificate warnings were ineffectual. The warnings appear when a browser detects a problem with a Web site's certificate and arrive as a pop-up with a message such as: "There is a problem with this Web site's security certificate."

In an online study conducted among 409 participants, the researchers found that the majority of respondents would ignore warnings about an expired Secure Sockets Layer (SSL) certificate. The more tech-savvy the user, the more likely they would be to ignore it, the study found.

SSL certificates are designed to provide the user with a degree of confidence about the authenticity of a Web site they are visiting. As a technical security mechanism, the certificate allows the browser to validate the authentication chain for the Web site server. While SSL certificates often expire for benign reasons, an expired certificate can also indicate that the user could be the victim of a man-in-the-middle attack.

The Carnegie Mellon researchers found that a high percentage of users were willing to ignore warnings about certificates that were out of date. For example, of the 50 percent of Firefox 2 users polled who could identify the term "expired security certificate," 71 percent said they would ignore the warning.

"Far too many participants exhibited dangerous behavior in all warning conditions," wrote the researchers in their paper, titled "Crying Wolf: An Empirical Study of SSL Warning Effectiveness."

Respondents were better able to identify other risks indicated by browser certificate notifications. Of the 59 percent of Firefox 2 users who understood the significance of a "domain mismatch" warning, 19 percent said they would ignore the hazard. A domain mismatch, where the name on the certificate does not match the address of the site the browser is connecting to, indicates the user may be the victim of a phishing attack.

The Carnegie Mellon team conducted a second study, with 100 participants and under lab conditions. Online businesses can pay to have authorities vouch for the digital certificate on their Web sites, and browsers keep a list of these 'trusted authorities' to check against when a site is visited. To simulate a phishing site, the researchers removed these certificate authorities from the trusted authorities list in each of the browsers used in the study, which were versions of Firefox 2, Firefox 3, and Internet Explorer 7. As a consequence, the participants were shown an invalid certificate warning when they navigated to a bank Web site.

Again, high percentages of users ignored the warnings. For example, of the technologically savvy Firefox 2 users, 69 percent ignored an expired certificate warning from their bank.

There has been some debate as to whether browser warnings could be so onerous that they make people simply switch to a different browser. This behavior was observed by the researchers, who noted that a small percentage of participants asked if they could switch to a different browser when presented with a certificate warning.

The findings for the second study are also presented in the "Crying Wolf" paper.

The Carnegie Mellon team advocated scrapping certificate-validity warnings, saying that a better approach may be to block users from making unsafe connections and get rid of warnings in benign situations.
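As an added illustration (not code from the article or from the "Crying Wolf" paper), here is a small Python model of the three checks behind the warnings the study tested, and of the block-or-allow policy the researchers favour over prompting. All host names, dates and the certificate authority name are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example, not from the article or the "Crying Wolf" paper: a minimal model of
# the three checks behind the warnings the study tested (expired certificate, domain
# mismatch, untrusted authority). Every name and date below is constructed.

@dataclass(frozen=True)
class Cert:
    names: tuple          # host names the certificate claims (CN / subjectAltName)
    issuer: str           # authority that signed it
    not_before: datetime
    not_after: datetime

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive name match; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        # at least two fixed labels are required, so '*.com' never matches anything
        return (len(p_labels) >= 2 and len(h_labels) == len(p_labels) + 1
                and h_labels[1:] == p_labels)
    return pattern == hostname

def certificate_problems(cert, hostname, trusted_issuers, now):
    """Return the warning conditions a browser would raise for this connection."""
    problems = []
    if cert.issuer not in trusted_issuers:
        problems.append("untrusted_issuer")   # the condition the lab study induced
    if now > cert.not_after:
        problems.append("expired")
    elif now < cert.not_before:
        problems.append("not_yet_valid")
    if not any(hostname_matches(n, hostname) for n in cert.names):
        problems.append("domain_mismatch")    # the phishing indicator
    return problems

def connection_decision(problems):
    """Policy the researchers favour: no prompt when clean, a hard block otherwise."""
    return "allow" if not problems else "block"

# Constructed scenarios mirroring the study's warning conditions
UTC = timezone.utc
NOW = datetime(2009, 7, 28, tzinfo=UTC)
TRUSTED = {"Example Root CA"}
BANK_CERT = Cert(("www.bank.example", "bank.example"), "Example Root CA",
                 datetime(2009, 1, 1, tzinfo=UTC), datetime(2010, 1, 1, tzinfo=UTC))
EXPIRED_CERT = Cert(("www.bank.example",), "Example Root CA",
                    datetime(2008, 1, 1, tzinfo=UTC), datetime(2009, 1, 1, tzinfo=UTC))

def run_scenarios():
    return {
        "valid": certificate_problems(BANK_CERT, "www.bank.example", TRUSTED, NOW),
        "expired": certificate_problems(EXPIRED_CERT, "www.bank.example", TRUSTED, NOW),
        # the bank's genuine certificate served from a look-alike host name
        "mismatch": certificate_problems(BANK_CERT, "www.bank-login.example", TRUSTED, NOW),
        # the lab setup: same certificate, but its authority removed from the trust list
        "untrusted": certificate_problems(BANK_CERT, "www.bank.example", set(), NOW),
    }

if __name__ == "__main__":
    for name, problems in run_scenarios().items():
        print(f"{name:10} {str(problems or 'no problems'):25} -> {connection_decision(problems)}")
```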

Tom Espiner of ZDNet UK reported from London.

41 Comments
by basraw July 28, 2009 9:43 AM PDT
www.hotmail.com often throws certificate warnings. They are usually expired.

I want my mail, I know I'm there, so I ignore them.

Microsoft is the biggest abuser of bad certificates.
by monkeyfun14 July 28, 2009 9:46 AM PDT
Lol? After years of using hotmail I have never gotten one bad certificate warning.
by ca5ter July 28, 2009 11:02 AM PDT
My hotmail account has problems on my Ford Phone.
by basraw July 28, 2009 11:16 AM PDT
Also, Microsoft uses certificates from different sites.
by BogusBasin July 28, 2009 11:41 AM PDT
Ever notice how some users consistently defend Microsoft no matter what? Kinda makes you wonder, doesn't it? Ballmer? Is that you?

Amen
by JoeF2 July 28, 2009 11:59 AM PDT
@Basin:
No, Ballmer doesn't post here. He just pays shills like monkey (I can't imagine anybody doing that for free...)
by monkeyfun14 July 28, 2009 12:14 PM PDT
@Bogus

Notice how Apple users do the same thing? But you never say anything to them? Steve is that you?
by BogusBasin July 28, 2009 12:26 PM PDT
Notice how those same MS loyalists keep bringing up Apple over and over for no apparent reason? Source?

Amen
by monkeyfun14 July 28, 2009 3:44 PM PDT
Notice how you do the same thing?
by joshsc July 28, 2009 9:48 AM PDT
Most people don't know what the warning is anyway. It's kinda pointless.
by Michichael July 28, 2009 9:51 AM PDT
Most people don't care, myself included, because we are bombarded with false positives all the time. I get cert warnings constantly; it's a matter of course to ignore them.
by ballmerisanape July 28, 2009 10:33 AM PDT
Exactly.
by pcfish July 28, 2009 2:25 PM PDT
Let's face it, what option do you have? Don't go to the site even if you need to?
by Lerianis3 July 28, 2009 3:11 PM PDT
Ah, but those things are supposed to warn you that you might not be going to the site you think you are going to or the site has been maliciously hacked to redirect you.
by Neotrope July 28, 2009 10:02 AM PDT
Wow. It's amazing how many people "ignore" a notice that they may be visiting the wrong website, that a vendor hasn't paid their bills and let a security patch lapse (and may run with your money, not ship product, and keep your credit card data for evil purposes). I was on a site the other day to buy something, and their SSL cert, their BBBonline, had both lapsed for non-payment, and their site still said "beta" on it after two years. I chose not to buy their software, since they obviously didn't have their act together. Sure, it's a pain to PAY ATTENTION to what you're doing online - like you would check the expiration date on a steak before you cook it, right? Perhaps the study should have been called "The Darwin Awards" ... and false positives? In 15+ years of web surfing, EVERY notice I've seen in Netscape, Firefox, IE, AOL-IE, Opera, Safari, Chrome, et al regarding a "bad" expired SSL cert has been correct .. just "examine" the cert, which will tell you its validity. A self-signed cert is another bad thing for ecommerce, as anybody could be anybody. Sure, it's inconvenient, but how inconvenient would it be to have your credit card info and identity stolen, your credit ruined, and the rest. PAY ATTENTION OUT THERE!
by JoeF2 July 28, 2009 12:01 PM PDT
Here's a nice example: the TSA. https://www.tsa.gov/
by pcfish July 28, 2009 2:32 PM PDT
@JoeF2. That's a good one.

@Neotrope. Of course the browser can correctly tell you a certificate is not valid for the site you are visiting. But there are many legit sites (open source forums, e.g.) that have self-signed certs. Not everyone uses SSL to protect authenticity; some just use it to encrypt the data between both ends.
by ti99_forever July 28, 2009 10:03 AM PDT
Yep. I recently got cert warnings when going directly to nutrisystem's website. What *are* we supposed to do with them, anyway? Just slink away and avoid the website until it works again? Contact the webmaster, who will ignore it anyway?

I usually try to verify it, but even still, expired certs are really becoming a PITA on the internet. And to make it worse, while some browsers ignore them, some constantly WARN you about them even when you go to the trouble to INSTALL the cert. Are you listening, Apple?
by lkrupp July 28, 2009 10:12 AM PDT
"Yep. I recently got cert warnings when going directly to nutrisystem's website. What *are* we supposed to do with them, anyway? Just slink away and avoid the website until it works again? Contact the webmaster, who will ignore it anyway?"

Exactly. How would one go about advising a website that there's a problem with their certificate? We all know how responsive most companies are these days to customer complaints. They are generally ignored. If you want to get to the site you HAVE to ignore the certificate warning, assuming you are reasonably confident there's no hanky-panky going on. It's a catch-22 situation that needs addressing.
by egghead1619 July 28, 2009 12:52 PM PDT
@lkrupp:

Use the WhoIs information for the website; there should at least be one point of contact listed.
by TV James July 29, 2009 5:14 PM PDT
That's the crux of it, right? There's no obvious indicator to the website and/or no incentive to the website's owner to make it a top priority to fix.

A server that would refuse to serve pages after its certificate had expired would solve that, except that no one would buy it.
by funkyboot July 28, 2009 10:06 AM PDT
I know hard evidence is always a good thing, but did we really need a study for this? Of course users ignore certificates. Anytime a box appears on a screen, the user is going to take the action that will make the box go away and allow them to do what they were attempting to in the first place. Asking the user to read (and comprehend) whatever the box is prompting them for, is simply too much to ask.

Online security should include protecting the user from their own bad decisions and only allowing the advanced users to bypass whatever constraints are put into place. Bypassing the security restrictions should also be harder and occur on an individual case basis.
by dave_p_1 July 28, 2009 10:10 AM PDT
I have seen warnings for expired certificates with the proper domain on the expired certificate and for domain mismatches with a domain which is associated with the domain I am accessing shown. In all my years of surfing, however, I have never seen anything but false positives.
by pcfish July 28, 2009 2:38 PM PDT
There are just too many sites out there with bad certificates. And certificates are expensive. If you change your domain, you have to buy a new one; the issuer is not going to reissue it for free.
by Random_Walk July 28, 2009 10:34 AM PDT
If it involves transacting money (for any reason), then no, don't ignore the things, period.

Otherwise, always assume that it's open communication between you and the site in question.

The chance of an interception is far lower than the occurrence of false positives, so it's pretty obvious that most folks plow through them.
by FF2009 July 28, 2009 10:49 AM PDT
These are the same people who click on every .exe a web page prompts them to. And they don't know why their PC is hijacked. lol
by Mergatroid Mania July 28, 2009 10:53 AM PDT
It's funny this article should appear today. Just last night I was looking for a way to remove Windows Live from my WinMo 6 smart phone. There is no such way, but that's another story.

I was jumping from site to site, and I started searching MS sites. One MS site I went to gave me an expired certificate warning. I knew it was still a MS site, and most likely fine, so I jumped through the hoops I needed to in order to get past the warnings and onto the site. And this was an MS site.

These certificates are useless if they can't tell you why there is a problem with a site. If it's just an expired certificate, who cares? Big deal. However if it's a URL error, then I most likely wouldn't go to that site.

Since I don't do banking, and never use a credit card on-line I will never have a financial problem from visiting a site with an expired certificate.

People who do, well they should know better. If you don't know what the error means, and you continue on to use your credit card or enter your banking information, then maybe you shouldn't be using a computer in the first place. After all, people who don't know not to drive into a wall most likely don't drive (with some exceptions).

I still think anyone who does banking or uses credit cards on the Internet is a sucker anyway. Let them lose their money, maybe it will teach them a lesson.
by Lerianis3 July 28, 2009 3:17 PM PDT
No, they are not a sucker. It is no more or less safe than using a credit card at a store or going to a regular bank and doing your business..... your information could be stolen in either instance.
by jgoto July 28, 2009 11:33 AM PDT
Expired certs are really not a big deal. They are really no less secure the day they expire than they were the day before. The only difference is that the site owner needs to give Verisign more money to make the warning go away. The site already had to verify their identity to get the cert in the first place, and the encryption doesn't stop when the certificate expires. Granted, if the cert expired months or years ago it is better not to continue, but as far as certificate errors go an expired cert is really low risk, especially if it expired only recently.
by ColinABQ July 28, 2009 12:31 PM PDT
On the other side of the coin, the industry sort of did this to itself, and the SSL certificate methodologies and economies deserve to fail. Self-signed certs throw up warnings in virtually all browsers now, as do some of the lower-end purchased certs. That's silly for a lot of uses, such as just getting the data encrypted. But a wildcard cert for even one domain runs into fairly big bucks, too much for many small businesses. Selling certs is a racket, close to extortion: "Don't want your clients to see pop-up warnings or blood-soaked address bars? We can do that! But it'll cost ya." If certs were a LOT cheaper, in the realm of "nominal fees," then the scope of this problem would change dramatically, all but immediately.
by pcfish July 28, 2009 2:41 PM PDT
Agree.
by best4less July 28, 2009 12:37 PM PDT
Yes. Frequent false positives are making these warnings useless.
by Setithefirst July 28, 2009 1:03 PM PDT
I helped with the medical side of writing a program in 1967, but am not a programmer. I am somewhat sophisticated in computer use. I see these warnings, and don't know what to do. I don't make any money transactions on such a site, and I usually don't add any identity bits about myself. But if I am just going to a news URL to look at some of the news, I don't really know what risks I run when the warning window pops up. Can they somehow get into my computer and alter it, and destroy my hard disk? Can they cause me to die quickly and painfully, because I have gone to this site? Can they kill all my relatives? The risk, relative risk, an explanation thereof has never been clear to me. I have taught on the post-graduate level at 5 universities, some of worldwide acclaim, and used to do my own complicated taxes, so I am used to a certain amount of gobbledygook; but I wonder if some regularly published explanation of these warnings, or some short explanation with each warning, could be given. It doesn't help me too much to just see a yellow or orange color displayed (although I think the Homeland Security warnings may have been better explained to the public than these computing warnings).
by Razzl July 28, 2009 1:04 PM PDT
Anyone who's been around a while remembers the problems with certificates in the early days as companies resisted having to pay Microsoft blackmail in order to be declared "safe" on the web. These old struggles have taken their toll on the present as users who fell into bad habits for good reasons continue to do what they learned long ago...
by BogusBasin July 28, 2009 1:33 PM PDT
Microsoft has done more to harm consumers than anyone.

Amen
by Been_there_Saw_it_before July 28, 2009 1:16 PM PDT
Local area connection: A network cable is unplugged.
Wireless network connection: Not connected. Right-click here for more options.
Information: You just plugged a device into the audio jack.
Information: A jack has been unplugged.
A wireless network is within range.
It looks like you are preparing a letter.
You have unread mail.
Popup advertisement on c.net home page.
Warning: The system has detected a voltage out of range.
A security certificate has expired.
Warning: You are out of memory.
Warning...
Warning...
Caution...
Notice...
Information...
Information...

Enough already. Time to go use the classified computer. No lions, no tigers, no bars, oh what a relief it is.
by Lerianis3 July 28, 2009 3:19 PM PDT
Oh, shut up. You are exaggerating things so much that it is totally ridiculous, and are just making yourself look like a nut off his meds.
by pentest July 29, 2009 12:12 AM PDT
It is not surprising, since the vast majority of computer users could not tell you the purpose of the certificates, much less how to ascertain whether or not to accept one (hint: deny all warnings thrown when going to commercial websites).

There are some valid reasons to accept unsigned or otherwise invalid certs, but few people run into them.
by Hokulea July 29, 2009 12:15 AM PDT
I don't encounter that many expired certs. The only exception is the college I attend. Their IT dept is lax concerning little things like that. The web-course login page for the school also recommends outdated versions of Java as well as Firefox and IE. I am also very careful when I use USB drives on campus computers.

When I do encounter an expired cert I read the warning before I click through. I certainly would not enter financial or personal information over an expired SSL cert.

Okay, so how does an article on browsing habits and expired certs degenerate into a flame war over MS and Apple? Really people, pull your head out from between your legs and take a few deep breaths.

The biggest difference between Microsoft and Apple is about $32 billion in revenue and around $16 billion in equity. That and near 80% market share. Both MS and Apple are corporate entities that only want your money. They have much more in common than they have differences. I don't do corporate loyalty.

The only reason Apple is still in the personal computer business is because there are enough fools willing to pay a lot of money for some marginally fancier computer crap made in China. After those same fools pay 2 to 3 times too much for something not much different, they try to convince not only themselves but everyone else that it somehow makes them superior. I see them as superior fools. Just because it costs more doesn't mean it's any better. It's still nothing more than a personal computer that will soon be obsolete and destined for the local landfill.

I think the people that say "I love my Mac" should seek professional help. Either that, or get a poodle.
by chetwisniewski July 29, 2009 1:42 PM PDT
Working with the Sophos team that develops our web protection gateway, we have had many discussions around how to handle bad certificates, as our product has the ability to filter HTTPS traffic against malware. It's a very tough call; many organizations prefer to block invalid certs to protect against the users "mashing keys to make a dialog go away" mentioned above.

I think the biggest issue here is why we trust the authorities that sign these certificates to determine any degree of credibility of the requestor. As pointed out in http://www.sophos.com/security/technical-papers/phishing-and-fraud.pdf, Verisign issued a certificate for Microsoft.com to a random person who simply asked... To me the issue is not whether it needs an overhaul, it's how we do it better.

Chet Wisniewski (@chetwisniewski on twitter)
www.sophos.com