Study of SSL warnings
We know that users routinely ignore warnings. One way of increasing attention to warnings is to only present those that have meaning to the user, and that protect users from actual risks. There is currently a debate over which SSL warnings are important to retain, which should be abandoned, and if any warning should be presented at all. If no warnings are presented, when should the user be allowed to proceed to the page in question and when should the user be stopped? The purpose of this study is to analyze which SSL warning error conditions are important to present to users (if any). In this study we will survey end-users, security experts and organizations that routinely present SSL warnings (e.g., many universities use self-signed certs) to develop a set of recommendations on how to present SSL warnings.
IRB approval at CMU
IRB approval at Columbia and Harvard?
Lo-fi prototype and survey material
Serge, Rachna, Marita
Final paper ||Nov1||All ||