Many users do not understand, let alone heed, browser-based SSL warnings. Google wants to change that, and its newest browser warnings are based on years of interdisciplinary research into how human beings respond to warning signs.
“Dissidents, drug dealers, and diplomats have one thing in common,” begins a joint University of Pennsylvania and Google study called Improving SSL Warnings: Comprehension and Adherence [pdf]. “They rely on SSL to help keep their online communication private. SSL protects their e-mails, tweets, and bank statements from eavesdropping or tampering in transit.”
Interestingly, the efficacy of SSL warnings has almost nothing to do with the underlying security details, according to new research. Instead, the research increasingly indicates that SSL warnings need to be brief, easy to read — both in terms of comprehension and design choice — and provide clear instructions.
In other words, SSL warnings need to be dumbed down. Newspaper articles, the study’s authors say, are written at about a sixth grade reading level so that anyone can read and understand the news. SSL warnings therefore should follow that same principle.
Google’s latest SSL warning study gathered the results of prior research in an attempt to build the perfect SSL warning through a combination of three comprehension categories: user understanding of the source of a threat, the data at risk and the likelihood of seeing a false positive warning. This study suggested that even following the best practices established by previous research has little impact on user adherence to warnings.
However, parts of the study offer glimmers of hope. Despite a failed hypothesis for this particular study, Google has taken note of some key components of a solid SSL warning and incorporated them into the latest version of Chrome.
To this point, most SSL warnings seem to be made by security professionals for security professionals. To the uninitiated user, the SSL warnings in Chrome 36 and Internet Explorer 11 are almost entirely meaningless:
- “…the server presented a certificate issued by an entity that is not trusted by your computer’s operating system.”
- “The security certificate presented by this website was not issued by a trusted certificate authority.”
Firefox’s warnings have performed better than Google’s or Microsoft’s, which Google says is because Mozilla has been removing the technical terms from its SSL warnings with each browser release.
Ideally, Google says a solid SSL browser warning should empower users to make an informed and intelligent decision or, at the very least, guide users away from a potentially dangerous site and back toward safety. There are a lot of figures floating around, but Google says that some 66 percent of Chrome users ignore SSL warnings. Ultimately, the company wants to create warnings that are easy to understand and which users are likely to follow. In its own words, Google wants to increase warning comprehension and adherence.
Google believes that a concept called “opinionated design,” or the use of visual design cues to promote a recommended course of action, is the best way to proceed. So instead of confusing warnings containing complicated security jargon, the warnings in the latest versions of Chrome will simply say, “Your connection is not private,” in red letters on a grey background with a red padlock with an ‘X’ on it. Google also explains beneath the primary warning that “attackers might be trying to steal your information from [some website] (for example, passwords, messages, or credit cards).”
In addition to the warning, users are encouraged to click the big blue button that will deliver them “back to safety.” If the user chooses, she can click on the less visible “advanced” link to see a more technical explanation of the problem and follow yet another link to proceed to the site despite the warning. This second step and the additional hurdles, Google says, further deterred users between two and 15 percent of the time.
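The “sixth grade reading level” principle can be checked mechanically. The following is an added example, not code from the article or from the Google/University of Pennsylvania study: it scores warning text with the Flesch-Kincaid grade-level formula (a standard readability measure; the article does not say which measure the study’s authors used, so treating it as the relevant one is an assumption) using a simple vowel-group syllable heuristic of my own. The sample strings are the Chrome 36 and Internet Explorer 11 messages quoted above and Chrome’s new headline.

```python
import re

# Flesch-Kincaid grade level: 0.39 * (words/sentences) + 11.8 * (syllables/words) - 15.59
# Lower is easier to read; roughly 6 corresponds to a sixth-grade newspaper article.

def count_syllables(word: str) -> int:
    """Heuristic syllable count: number of vowel groups, minus a trailing silent 'e'.

    This is an approximation (assumption: good enough to compare warning strings),
    not a dictionary lookup.
    """
    w = re.sub(r"[^a-z]", "", word.lower())  # strip apostrophes, brackets, punctuation
    if not w:
        return 0
    groups = len(re.findall(r"[aeiouy]+", w))
    # 'certificate' and 'private' end in a silent 'e'; 'table' does not
    if w.endswith("e") and not w.endswith("le") and groups > 1:
        groups -= 1
    return max(1, groups)


def flesch_kincaid_grade(text: str) -> float:
    """Return the Flesch-Kincaid grade level of a warning string, rounded to one decimal."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    if not sentences or not words:
        return 0.0
    syllables = sum(count_syllables(w) for w in words)
    grade = 0.39 * (len(words) / len(sentences)) + 11.8 * (syllables / len(words)) - 15.59
    return round(grade, 1)


# Warning strings quoted in the article (the leading ellipsis of the Chrome 36 text dropped)
WARNINGS = {
    "Chrome 36": "the server presented a certificate issued by an entity that is not "
                 "trusted by your computer's operating system.",
    "IE 11": "The security certificate presented by this website was not issued by a "
             "trusted certificate authority.",
    "New Chrome": "Your connection is not private.",
}


def readability_report(samples: dict = WARNINGS) -> dict:
    """Map each warning label to its grade level so the strings can be compared."""
    return {label: flesch_kincaid_grade(text) for label, text in samples.items()}


if __name__ == "__main__":
    for label, grade in readability_report().items():
        print(f"{label:11s} grade level {grade:5.1f}")
```

With this heuristic the two legacy messages score at college reading level while the new headline lands near the sixth grade the article describes; the absolute numbers depend on the syllable heuristic, so the comparison between strings is the meaningful output.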
“Adherence in the field subsequently increased from 37% to 62%,” Google said of its new warnings, “meaning that millions of additional users a month choose to act safely due to our warning design changes.”
The study was penned by Adrienne Porter Felt, Alex Ainslie, Robert W. Reeder, Sunny Consolvo, Somas Thyagaraja, Alan Bettes, and Helen Harris of Google, as well as Jeff Grimes of the University of Pennsylvania.
Google took similar measures with browser-based malware warnings last year. First it performed a study about using psychology to build a better browser warning, then it used that study as guidance to implement new malware warnings in its Chrome browser.