Improving the Usability of Web Browser Security
Short Description
We implemented CSCV and SPW in a Web browser and evaluated them in a second user study, involving the same users and attacks as the first study. …
Website: cups.cs.cmu.edu | Filesize: 20kb
Content
Improving the Usability of Web Browser Security
Haidong Xia and José Carlos Brustoloni
Department of Computer Science, University of Pittsburgh
{hdxia,jcb}@cs.pitt.edu
ABSTRACT
Existing Web browsers handle security errors in a manner that often
confuses users. In particular, when a user visits a secure site
whose certificate the browser cannot verify, the browser typically
allows the user to view and install the certificate and connect to
the site despite the verification failure. However, few users understand
the risk of man-in-the-middle attacks and the principles behind
certificate-based authentication. We propose context-sensitive
certificate verification (CSCV), whereby the browser interrogates
the user about the context in which a certificate verification error
occurs. Considering the context, the browser then guides the user
in handling and possibly overcoming the security error. We also
propose specific password warnings (SPW) when users are about
to send passwords in a form vulnerable to eavesdropping. We performed
user studies to evaluate CSCV and SPW. Our results suggest
that CSCV and SPW can greatly improve Web browsing security
and are easy to use even without training. Moreover, CSCV
had greater impact than did staged security training.
1….