Google redesigns security warnings after 70% of Chrome users ignore them

Status
Not open for further replies.

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
POPUP ALERT!!!!

Be it the iconic yellow "Yield" sign with an exclamation mark inside or, say, the red lock with a warning "X" meaning "broken!", popup alerts warn people away from risky business, right?

You would hope so. When we're talking specifically about SSL (Secure Sockets Layer) warnings, the consequences of ignoring alerts can be pretty dire: eavesdroppers modifying or reading emails or tweets, or attackers intercepting credit card or other sensitive data, for example.

Google's security team has analysed its own SSL warning interface. The team had tinkered with that interface and put out a simpler, hopefully less confusing one in Chrome 37, with the hope that it would teach users more secure behaviours.

The results of the redesign weren't exactly what you'd call breathtaking, it tells us.

In an Association for Computing Machinery (ACM) presentation and paper, the Chrome security team tells us that the redesign did in fact nudge up secure behaviour a bit, but there's still plenty of work to be done.

The problem
Prior to Chrome 37, most Google Chrome users would not back out of SSL quicksand. In fact, a mere 30% of Chrome users adhered to SSL warnings.

(For whatever reason, Firefox users are far more compliant with the browser's SSL warnings: 70% adhere to the alerts.)

Why would most - 70% - of Google Chrome users "proceed anyway" rather than get "back to safety"?

They're jaded, alert-numbed or confused, so they simply ignore alerts, Google says, particularly when the alert is jargon-filled, isn't succinct, isn't specific, or is flat-out wrong.

There are multiple reasons why alerts can be wrong. For example, 20% of HTTPS Strict Transport Security (HSTS) errors are caused by clocks being set wrong, Google says.

Other errors are produced when an employer has a DPI box or content filter between a user and the internet, or a client is missing a root certificate.

In such cases, a user will get an SSL warning that tells them nothing, and serves only to teach them to click "OK" on a dialogue, Google says.

Here's the old warning that everybody loved to ignore:

security-not-trusted-500.jpg


Confusing warnings only make users more insecure, and they normalise risky behaviour, Google says. Google had tried to make the interface easier to understand, and to restrict itself to giving warnings only when there's a real risk.

What's a real risk? Well, on one hand, there are misconfigured servers or firewalls triggering spurious warnings.

On the other hand, users who ignore an SSL warning and proceed can face physical harm or imprisonment.

From the paper:

Browsers display SSL warnings when the encryption is too weak or the server could not be authenticated. The connection is immediately halted, pending the user’s decision about the warning. In some cases, the problem indicates a real attack. Syrian Internet users saw SSL warnings when the Syrian Telecom Ministry allegedly attacked Facebook users. Similarly, SSL warnings alerted Chinese Internet users to attacks on Google and GitHub.

So how did Google seek to change user behaviour?
Google set out to explain SSL dangers in alerts, with an eye to conveying:

  • the threat source (the attacker is on the network, as opposed to being on a malicious site, for example),
  • the specific data that's at risk ("passwords, messages, or credit cards", for example), and,
  • with an emphasis on errors on well-regarded sites, such as bank sites.
The goal was to strip the alerts of jargon, to hit a sixth-grade reading level, to be as brief as possible, to be specific about the risk, and to provide enough information.

To the Google team's surprise, these types of text tweaks didn't affect user behaviour, regardless of how simple, specific, or non-technical they made it.

They managed to moderately improve users understanding of the risks, but not adherence to the desired "get me out of here!" behaviour they were after: users instead kept walking straight into the quicksand during testing.

OK, so what did work?
The one thing that did work was to change the design elements of the warning.

Google used what's called "opinionated" design, which relies on visual cues to promote the choice that designers think is the safest action.

Some of the visual elements of the so-called opinionated design, which was the one Google opted for at the end of testing:

  • The safe button is a bright blue color that stands out against the background: the same blue that Google uses in other properties for primary actions. In contrast, the unsafe choice is a dark gray text link.
  • Hiding the unsafe choice, forcing users to jump through hoops to do something unsafe. The Google Chrome malware warning hides the "proceed" button behind an "Advanced" link. For what it's worth, Firefox users actually have to click four times to proceed through Mozilla Firefox SSL warnings. That one isn't a complete win-win: Google notes that this element increases the annoyance factor, given how hard users have to work to ignore false positives.
your-connection-not-private-500.jpg


The results were dramatic: the opinionated design of the new SSL warning nearly doubled user compliance.


Read more: https://nakedsecurity.sophos.com/20...arnings-after-70-of-chrome-users-ignore-them/
 

Cats-4_Owners-2

Level 39
Verified
Honorary Member
Top Poster
Well-known
Dec 4, 2013
2,800
Thank you, Jack!:) After reading this eye opening article, I found the new warning to be appealing (though I haven't experienced it yet) and imagined Windows UAC could also benefit from a dramatic new overhaul too!:p
 
Last edited:

oneeye

Level 4
Verified
Jul 14, 2014
174
The biggest problem I have with Google's warnings are that any app like disconnect me,or Adgaurd will generate a message telling you that the app is dangerous and could damage your device.(paraphrased) but you get the idea. Those are ad blocking apps,and have to be downloaded from the developers site because Google booted them both from playstore last year. Just like adblock plus was. But now,Ghostery has a stand alone browser available in playstore. So grab it while you can (-: and thank God for Firefox and add-ons too. As long as the app does not block or interfere with other apps,then its ok to be in playstore. Others will catch on,but blocking those dangerous ad banners should be a bigger focus for Google.
 
  • Like
Reactions: Cats-4_Owners-2
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top