Browser security warnings can work to protect users from phishing and malware sites – but “warning fatigue” means important alerts over site security can be completely ignored.
Users of Google’s Chrome ignored SSL warnings (relating to a secure protocol used for passwords, internet transactions and banking) 70.2% of the time, a study of 25 million real-life warnings found. Overall, a study using metrics from Firefox and Chrome found that the effectiveness of warnings varies widely.
“Google Chrome’s SSL warning had a clickthrough rate of 70.2%. Such a high clickthrough rate is undesirable: either users are not heeding valid warnings, or the browser is annoying users with invalid warnings and possibly causing warning fatigue,” said the U.C. Berkeley researchers. The study, Alice in Warningland, was part-funded by Google.
“During our field study, users continued through a tenth of Mozilla Firefox’s malware and phishing warnings, a quarter of Google Chrome’s malware and phishing warnings, and a third of Mozilla Firefox’s SSL warnings,” the researchers said.
The researchers analysed the size, type and frequency of warning messages and found that users tended to click rapidly through warnings about “untrusted issuers” and name and date errors – both common warnings, and ignored by nearly half of users.
The researchers say that “warning fatigue” has significant impact – “users click through more-frequent errors more quickly,” they say.
The researchers concluded that previous studies – showing that browser warnings simply did not work – relied on outdated data, harvested in a period between 2002 and 2009 when browsers were rapidly evolving. In particular, the large phishing warnings now delivered by modern browsers were much more effective than previous, more discreet warnings.
“Phishing toolbars have been replaced with browser-provided, full-page interstitial warnings. As a result, studies of passive indicators and phishing toolbars no longer represent the state of modern browser technology. In contrast, a majority of users heeded five of the six types of browser warnings that we studied,” the researchers said.
Users with high levels of technical knowledge – such as Linux users – might be even more likely to ignore warnings, the researchers said. Warnings should be tailored to their audience, the paper concludes.
“Technically advanced users might feel more confident in the security of their computers, be more curious about blocked websites, or feel patronized by warnings,” the researchers said. “Studies of these users could help improve their warning responses. Designers of new warning mechanisms should always perform an analysis of the number of times the system is projected to raise a warning, and security practitioners should consider the effects that warning architectures have on warning fatigue.”
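The recommendation to count how often a warning design will fire, and the finding that users click through frequent warnings faster, translate into a simple check over warning telemetry. The following Python is an added example, not code from this article or from the Berkeley paper: it computes per-type clickthrough rate and median time-to-decision over a handful of constructed warning events, flags warning types whose clickthrough rate is high enough to warrant review (either the warning is firing on benign sites or users have stopped reading it), and projects the weekly warning load a design would impose. The event records, the 50% review threshold and the traffic figures are all constructed assumptions, not the study’s data.

```python
"""Warning-fatigue metrics over constructed browser-warning telemetry."""
from collections import defaultdict
from statistics import median

# Constructed telemetry records: (warning_type, user_proceeded, seconds_to_decision).
# Made up for illustration; these are not figures from the Alice in Warningland study.
SAMPLE_EVENTS = [
    ("ssl_untrusted_issuer", True, 1.2), ("ssl_untrusted_issuer", True, 1.5),
    ("ssl_untrusted_issuer", True, 0.9), ("ssl_untrusted_issuer", False, 4.0),
    ("ssl_untrusted_issuer", True, 1.1),
    ("ssl_name_mismatch", True, 2.0), ("ssl_name_mismatch", False, 5.5),
    ("ssl_name_mismatch", True, 1.8), ("ssl_name_mismatch", False, 6.0),
    ("malware", False, 8.0), ("malware", False, 7.5), ("malware", True, 3.0),
    ("phishing", False, 9.0), ("phishing", False, 6.5),
]


def warning_stats(events):
    """Per warning type: how often it was shown, clickthrough rate, median seconds to decide."""
    shown = defaultdict(int)
    proceeded = defaultdict(int)
    times = defaultdict(list)
    for wtype, went_through, secs in events:
        shown[wtype] += 1
        proceeded[wtype] += int(went_through)
        times[wtype].append(secs)
    return {
        w: {"shown": shown[w], "ctr": proceeded[w] / shown[w], "median_secs": median(times[w])}
        for w in shown
    }


def fatigue_candidates(stats, ctr_threshold=0.5):
    """Warning types whose clickthrough rate meets the threshold, most frequent first.

    A high rate means either invalid warnings (users are right to proceed) or
    ignored valid warnings; both deserve a design review.  Threshold is an assumption.
    """
    flagged = [w for w, s in stats.items() if s["ctr"] >= ctr_threshold]
    return sorted(flagged, key=lambda w: stats[w]["shown"], reverse=True)


def frequency_vs_speed(stats):
    """(type, times shown, median seconds) ordered by frequency, to eyeball the
    'more frequent warnings are dismissed faster' pattern."""
    return [
        (w, s["shown"], s["median_secs"])
        for w, s in sorted(stats.items(), key=lambda kv: kv[1]["shown"], reverse=True)
    ]


def projected_weekly_warnings(warnings_per_pageview, pageviews_per_user_per_week, users):
    """Projected warning load for a proposed design: (per user per week, total per week).
    Inputs are assumptions a designer would estimate before shipping the warning."""
    per_user = warnings_per_pageview * pageviews_per_user_per_week
    return per_user, per_user * users


if __name__ == "__main__":
    stats = warning_stats(SAMPLE_EVENTS)
    for wtype, shown, secs in frequency_vs_speed(stats):
        print(f"{wtype:22s} shown={shown} ctr={stats[wtype]['ctr']:.2f} median_secs={secs}")
    print("review candidates:", fatigue_candidates(stats))
    print("projected load:", projected_weekly_warnings(0.002, 500, 10_000))
```

On the constructed sample the two SSL warning types are both flagged, and ordering by frequency shows median decision time rising as a warning type becomes rarer, which is the pattern the researchers describe; on real telemetry the same two functions give a design team the numbers the paper asks them to compute before shipping a new warning.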
Author Rob Waugh, We Live Security