Results show that users commonly do not understand the meaning of the security context information browsers currently display, or base their decision on information that has nothing to do with security.
Most users are unaware of the purpose or meaning of certificates. Those who are aware of their purpose may not know what information to look for, or do not know the proper meaning of terms like certificate authority. They do not know how to check that a certificate is valid or that it matches the domain they are visiting.
Users were presented with sites with and without the green address bar and asked to determine whether each site was real or fake. Questionnaire results show that the color of the address bar was not used in making this decision.
Users who know to look for https may not notice the absence of the s when they are presented with a site served over http.
Users have been told to look for the lock icon and are aware it is linked in some way to security, but they may not know what the lock means for them, and a high number do not know where the lock should appear. They do not distinguish a lock in the browser chrome from a lock image drawn in the page content or used as the site's favicon.
(Anyone know of any results for Mozilla's yellow address bar?)
User Agents - Code and Language Capabilities
HTML, Code Capabilities
- Target URI of a hyperlink or form submission - a user would usually need to view the page source to see this. The browser gives the user no convenient way to see where submitted form data will actually go.
- URIs in anchors, embedded images and other elements that take a URI as a parameter - again, a user would usually have to view the page source for this information.
- Cookies - users may be unaware of what a cookie is, how to view one, what it contains, or how to manage their cookies. In some browsers this information is buried several layers deep in the Internet Options dialog.
Users are unable to distinguish between the browser chrome and the content of the page, and are unsure who (the user agent or the site) controls the information displayed in each part of the window.
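The first two items above say that the real destination of a link or form is only visible in the page source. As an added example (not code from the original notes or any browser), the script below makes those destinations explicit: it resolves each link's actual host, flags link text that names a different host than the one it leads to, and reports where each form submits, whether that is cross-origin or over plain http, and whether it collects a password. The audit functions take plain records so they run in Node on a constructed sample page; `collectFromDocument()` builds the same records from a live DOM. The sample page, its hosts and the function names are assumptions made for the example.

```javascript
// Added example (not from the original notes): make the destinations that HTML hides
// from the user visible. The audit functions take plain records so they can run in
// Node on constructed input; collectFromDocument() builds those records from a live DOM.

function auditLink(link, pageUrl) {
  const page = new URL(pageUrl);
  const dest = new URL(link.href, page);          // resolves relative hrefs against the page
  const text = link.text.trim();
  // If the visible text itself looks like a URL or hostname, extract the host it claims.
  const m = text.match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#].*)?$/i);
  const claimedHost = m ? m[1].toLowerCase() : null;
  return {
    text,
    destHost: dest.hostname,                        // IDN hosts appear here in punycode form
    crossOrigin: dest.origin !== page.origin,
    textMismatch: claimedHost !== null && claimedHost !== dest.hostname,
  };
}

function auditForm(form, pageUrl) {
  const page = new URL(pageUrl);
  const action = new URL(form.action || '', page); // empty action submits back to the page itself
  return {
    actionOrigin: action.origin,
    crossOrigin: action.origin !== page.origin,
    plaintext: action.protocol === 'http:',          // credentials would leave the browser unencrypted
    method: (form.method || 'GET').toUpperCase(),
    hasPasswordField: form.fieldTypes.includes('password'),
  };
}

function auditPage(page, pageUrl) {
  return {
    links: page.links.map((l) => auditLink(l, pageUrl)),
    forms: page.forms.map((f) => auditForm(f, pageUrl)),
  };
}

// Browser side: gather the same records from the live document.
function collectFromDocument(doc) {
  const links = Array.from(doc.querySelectorAll('a[href]')).map((a) => ({
    text: a.textContent,
    href: a.getAttribute('href'),
  }));
  const forms = Array.from(doc.querySelectorAll('form')).map((f) => ({
    action: f.getAttribute('action') || '',
    method: f.getAttribute('method') || 'GET',
    fieldTypes: Array.from(f.elements).map((e) => e.type || ''),
  }));
  return { links, forms };
}

// Constructed sample (assumption for this example): a login page on https://www.example.com
// carrying one deceptive link and a form that posts credentials to a third party over http.
const SAMPLE_PAGE_URL = 'https://www.example.com/login';
const SAMPLE_PAGE = {
  links: [
    { text: 'https://www.example.com/account', href: 'https://www.example.com.attacker.example/account' },
    { text: 'Help', href: '/help' },
  ],
  forms: [
    { action: 'http://collector.attacker.example/post', method: 'post', fieldTypes: ['text', 'password', 'submit'] },
  ],
};

const report = typeof document !== 'undefined'
  ? auditPage(collectFromDocument(document), location.href)
  : auditPage(SAMPLE_PAGE, SAMPLE_PAGE_URL);
console.log(JSON.stringify(report, null, 2));
```

Run under Node it audits the constructed sample; pasted into a browser console it audits the current page. The text-mismatch check only fires when the link text itself looks like a URL or host, which is the case users are most likely to be fooled by; plain-language link text is not judged, since it carries no claim about the destination.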
Messages / Dialogs
Messages are ineffective because users have been trained to click through warnings, do not understand the technical terms used in them, or tick the box to never see the warning again.
- Pre-installed - the CAs the browser ships with do not necessarily represent those the user trusts.
- User configured - once a certificate is installed, a user may not be able to remove it or later change their trust decision.
- Default configuration - users may not be aware of what security policy their configuration actually applies.
- Bookmarks - questionnaire responses show these are commonly used for the user's trusted sites, so that when they navigate from a bookmark they know they are on the correct site. This does not, however, protect a user who also reaches the same site by clicking on links from elsewhere.
- Browsing History - as with bookmarks, a user will click on an entry from their history rather than type in the entire domain name; if they typed it correctly the first time, they are led to the correct site.
- Authentication Robustness
- ID/PW - users cannot be depended on to pick a secure password, or to protect their password.
- ID/PW + personalization - users will still enter their password when the personalization is absent. There is also the risk of the user not recalling their personalization.
- Submitted form values - some users will stop at a fake page only because the browser does not auto-fill their username there.
- How was the URL entered?
- Typed into the address bar - simple typos can lead the user to the wrong site without their knowledge, and homograph attacks are successful.
- Clicked hyperlink - users do not realize that the text of a link can be anything and need not correspond to the actual destination.
- User agent customization - useful when the user purposefully navigates to the site using the tool, but if they click on a link they may not be protected.
- Reputation service - when asked to focus on the information presented by security toolbars, users still made incorrect decisions on whether the page was real or fake. Users reason away the information presented or trust their own judgement more.
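The "typed into the address bar" item above names the two failure modes of typed URLs: simple typos and homograph (look-alike Unicode) hostnames. As an added example (not code from the original notes or any browser), the script below shows what the browser actually resolves for a typed hostname and two checks a user agent could run before trusting its appearance: a mixed-script check on the typed characters, and an edit-distance comparison against the user's bookmarked hosts, which the notes above identify as the set of sites the user already treats as trusted. The trusted host list, the sample hostnames and the function names are assumptions made for the example.

```javascript
// Added example (not from the original notes): the hostname the browser actually
// resolves for what the user typed, plus two checks a user agent could run before
// trusting its appearance. Assumed: the user's bookmarks supply the trusted host list.

// Coarse script classification; only the scripts with Latin look-alikes that matter
// for homograph attacks are distinguished (assumption for this example).
function scriptOf(ch) {
  const cp = ch.codePointAt(0);
  if (cp < 0x80) return 'Latin';
  if (cp >= 0x00c0 && cp <= 0x024f) return 'Latin';     // Latin-1 Supplement, Extended-A/B
  if (cp >= 0x0370 && cp <= 0x03ff) return 'Greek';
  if (cp >= 0x0400 && cp <= 0x04ff) return 'Cyrillic';
  return 'Other';
}

// Standard edit distance (single-row form), used to catch typo-squats of a trusted host.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// typed: a bare hostname as entered in the address bar (no scheme or path assumed).
function analyzeTypedHost(typed, trustedHosts) {
  const unicode = typed.trim().toLowerCase().normalize('NFC');
  const ascii = new URL('https://' + unicode).hostname;   // WHATWG URL applies IDNA ToASCII
  const scripts = new Set();
  for (const ch of unicode) if (/[^0-9.\-]/.test(ch)) scripts.add(scriptOf(ch));
  // Compare both the Unicode and the punycode form: 'bаnk' (Cyrillic а) is one edit from
  // 'bank' as typed, but far from it once encoded as xn--..., so a single comparison misses it.
  let nearest = null;
  let distance = Infinity;
  for (const t of trustedHosts) {
    const d = Math.min(levenshtein(unicode, t), levenshtein(ascii, t));
    if (d < distance) { distance = d; nearest = t; }
  }
  return {
    typed,
    ascii,
    isIDN: ascii.split('.').some((label) => label.startsWith('xn--')),
    mixedScript: scripts.size > 1,
    trusted: distance === 0,
    nearMiss: distance > 0 && distance <= 2 ? nearest : null,  // likely typo or look-alike
  };
}

// Constructed trusted list (assumption for this example), standing in for the user's bookmarks.
const TRUSTED_HOSTS = ['www.bank.example', 'login.bank.example'];

// Constructed inputs: the real host, a transposition typo, and a Cyrillic-а homograph.
const TYPED_SAMPLES = ['www.bank.example', 'www.bnak.example', 'www.b\u0430nk.example'];
for (const h of TYPED_SAMPLES) console.log(JSON.stringify(analyzeTypedHost(h, TRUSTED_HOSTS)));
```

The `ascii` field is what the browser will actually connect to; for the homograph sample it is an `xn--` label that looks nothing like the bank's name, which is why a user agent that only compares the displayed string against the bookmark would not notice. The threshold of two edits is a choice for the example; a real deployment would tune it and would also compare registrable domains rather than full hostnames.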