Improving Comprehension of SSL Warnings: Direct Question Asking and Analogy

Debra J.

ABSTRACT

Web browsers show SSL warnings when an SSL/TLS connection cannot be verified as private. Technology professionals who have received cyber security training can comprehend these warnings at a glance, evaluate the risk they are taking, and decide whether or not to proceed. However, people without this background knowledge might still proceed when they get these warnings because they do not comprehend the potential danger well enough.

I designed a new SSL warning that asks the web browser user a direct question, namely “are you the next victim?”, and explains the meaning of this SSL warning by analogy so that the user comprehends the potential danger. However, the direct question was regarded as too threatening by survey respondents. Based on these responses, I modified the design and proposed my final version.

INTRODUCTION

The Internet, one of the greatest inventions of the 20th century, speeds up the spread of information and knowledge, but has also become a hotbed of crime. In 2018, the reported loss through cyber crime in the United States was over 1.5 billion dollars. To secure cyberspace, SSL/TLS was designed and introduced to websites to protect internet users from data breaches. An SSL/TLS connection is set up when the web browser user tries to access a web page through HTTPS.

At a high level, the process of setting up an HTTPS connection consists of the steps below:

  1. After setting up a TCP connection with the browser, the server sends a certificate signed by a Certificate Authority (CA) to the browser.

  2. The browser verifies the server’s certificate by building the certificate’s chain of trust up to a root certificate stored on the client. The browser also checks the certificate’s validity, e.g. whether the certificate carries the correct hostname and whether it has expired. This step is called certificate validation.

The HTTPS page loads if everything goes well. If the certificate validation fails, the browser shows an HTTPS error warning instead.
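As an added illustration of the certificate validation step (example code, not part of the original report), the Python script below applies the two checks named above, hostname and validity period, to a certificate in the dictionary form that Python's standard ssl module returns from getpeercert(). The sample certificate, its issuer name and the wildcard-matching helper are constructed for this example; chain-of-trust verification is left to the TLS library, as noted in the code.

```python
import ssl
import time
from typing import Optional

def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the requested hostname. A wildcard
    is honoured only as the leftmost label and covers exactly one label, so
    '*.example.com' matches 'www.example.com' but not 'example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    labels = hostname.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == suffix and "*" not in suffix

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Browsers check the subjectAltName DNS entries; the CommonName is only a
    fallback when the certificate carries no SAN extension at all."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)

def validation_error(cert: dict, hostname: str, now: Optional[float] = None) -> Optional[str]:
    """Return the reason a browser would refuse this certificate, or None when the
    name and validity-period checks pass. Chain-of-trust verification needs the
    root store and signature checks; the TLS library does that part (for Python,
    ssl.create_default_context()) and it is not re-implemented here."""
    now = time.time() if now is None else now
    if not hostname_matches(cert, hostname):
        return "hostname mismatch"
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return None

# Constructed sample certificate (not a real one) in the dictionary shape that
# ssl.SSLSocket.getpeercert() returns: issued for example.com and its direct
# subdomains, valid during 2024 only.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
MID_2024 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2024 GMT")
```

Each string returned by validation_error corresponds to one of the error categories a browser turns into the warning page discussed in this report.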

Figure 1. SSL warning pages. A is on Chrome 80, B is on Edge 44, C is on Firefox 74 and D is on Safari 5.

Well-trained information technology professionals have the background knowledge to understand the cyber security risk indicated by the SSL warning. However, others, who do not understand the hidden meaning behind the SSL warning, might continue accessing the website. This might cause a breach of their private personal information.

To increase understanding of this warning, I present another warning design. Comprehension was used to evaluate the effectiveness of an SSL warning design:

  • Comprehension. The extent to which a user understands the data risk taken if he or she continues accessing this website.

I tested my new SSL warning design with 103 survey responses. The new SSL warning significantly improves comprehension of data risk. However, because the design did not list solutions for the failed certificate validation, 35% of the survey respondents chose to proceed if they were in urgent need of access to the web site. Based on the survey responses, I modified my original design and proposed the final one.

MOTIVATION

I was motivated by my best friend’s experience. Moreover, the current SSL warning has lots of room for improvement.

My Friend’s Story

My best friend was phished and lost a large fortune around Christmas Eve in 2014—in a week, she lost $150,000, the savings she had accumulated from her salary over three years. What is worse is that she needed to conceal this from her family and pretend that everything was fine. She survived, but loneliness, humiliation, desperation, hatred and sadness turned her into a stranger. Witnessing this change, I decided that I would try my best to use my skills and knowledge to make cyberspace safer.

Definition of Comprehension

Ideally, a good SSL warning design should increase the user’s comprehension of potential danger in cyberspace. This comprehension is divided into the following categories:

  • Threat source. The extent to which the user realizes that an attacker may be in the middle between the user’s computer and the website’s server.

  • Data risk. The extent to which the user realizes that his or her personal data is at risk of eavesdropping or tampering.

  • False positives. The extent to which the user realizes that the SSL warning might be displayed in the absence of an attack.

However, in practice, a good graphical design cannot be simple, brief, and specific while at the same time containing the information for all three types of comprehension. So the types of comprehension have to be prioritized, and only the most crucial one can be achieved. After prioritization, data risk is the most immediate concern for the user, and I focus on increasing understanding of data risk in the new design. The trade-offs are listed below:

  • Threat source. On the SSL warning level, the threat source initiates cyber attacks or starts cheating once enough of the user’s personal data has been collected. So stopping data risk is a higher priority, and realizing the existence of the threat source is not in my definition of comprehension.

  • False positives. The user does not have to realize the possibility of false positives when reading the SSL warning; he can get this knowledge from the solution link in the final design (details are in later sections). So false positives are not in my definition of comprehension.

Motivating Literature

Prior studies have shown that users do not thoroughly understand the meaning of the current SSL warning. Without enough comprehension, adherence is fragile and unpredictable.

Little Comprehension Leads to Less Adherence

With insufficient comprehension of a security warning, a user can only guess and make a decision with an everything-will-be-okay mindset, and in turn might tend to make a risky decision. Bravo-Lillo et al. composed a mental model explaining that, with a lack of understanding of a security warning, the decision-making process is long and error-prone. Adrienne Porter Felt et al. found that a new Google Chrome SSL warning with an opinionated design led nearly 30% more users to stop proceeding, but comprehension remained low.

Self-Questioning

To increase comprehension of written texts, Daiute et al. proposed that self-questioning can be used to improve young writers’ revising processes. This strategy engages young writers in reading their own texts. For college students, self-questioning can also increase their comprehension of lectures.

Analogy

Analogy, as another strategy to increase learners’ comprehension, is extensively used by educators. Hayes found that students can increase background knowledge through analogy. Bean et al. illustrated how analogies can serve to help students understand unfamiliar concepts in science.

DESIGNING A NEW WARNING

Based on literature from different professional fields, I propose a new warning design for web browsers. Figure 2 shows my proposed design. In this section, I describe how I came up with it.

Figure 2. My proposed SSL warning design.

Layout

In graphic design, text is always set in left-aligned paragraphs because these paragraphs deliver a straight left edge. This explains why the image, warning title and paragraph of the SSL warnings in figure 1 are all left aligned.

It is reasonable to display text in left-aligned paragraphs. However, I decided to center the image with the question mark. There are two reasons for this change.

  1. The image is not text, so it is not read as text. It was placed in the middle to give the viewer a clear idea of what issue he was facing.

  2. Because asking a question prompts the viewer to reflect, this SSL warning design asks the viewer a direct question. So I show a question-mark image above the title.

Figure 3. The comparison of left and centered aligned paragraphs.

The Question-mark Image

To prompt users to think more before they move on, and to alert them that they need to take responsibility for their decisions, I put in a question-mark image to remind them that now is the time to make a good decision.

Question Asking

Specifically, the question is, “Are you the next victim?” This question is used to help users understand the worst consequence they might face.

Analogy

I convert the concept of an internet connection into a conversation between two parties. In a conversation, people can spread hatred or show gratitude—either good or bad things can happen through a connection. The same is true of an internet connection.

VERIFICATION

Survey Design

Survey Questions

The new SSL warning design is expected to increase the user’s understanding of the data risk hidden in an insecure network connection. To measure that understanding, I designed questions to see if the respondent could apply the same understanding to slightly different situations.

In the survey, the respondent was first asked to imagine that an SSL warning shows on Chrome when he tries to connect to Bank of America’s official site. Then, he had to answer the questions below:

  1. What might happen if you ignore this SSL warning and continue to connect this Bank of America website?

  2. Which steps may you take after reading such a SSL warning?

  3. Let's imagine another situation. If you ignored this warning while paying bills online, how likely is it that a hacker could see your bank account balance?

  4. Do you think this new SSL warning design is more understandable than the original one? Tell us your opinions.

Questions 1 and 2 provide check boxes for answers, and question 3 has a five-point Likert-style scale, ranging from “Unlikely” (left) to “Very likely” (right). Question 4 is a short-answer question to collect respondents’ ideas, if any.

Survey Results

Sample Size

There are 103 responses in total in this survey.

Demographics

Most of the survey respondents are students at Tufts University, my colleagues, and friends. The majority of respondents are between 18 and 64 years old. Specifically, 46.6% of them are 25-39 years old, 22.4% of them are 40-46 years old, and 28.4% of them are 18-24 years old.

Discussion

With this new design, 84.5% of respondents realized the potential data risk. Faced with that risk, most of them would contact the other party, Bank of America in this survey, to figure things out. Interestingly, 35% of them would rather continue the connection if things were really urgent.

In the short-answer question, even though some respondents indicated that the new design is more alarming, personal, and understandable, it is important to note that other respondents found the new design’s direct question too frightening, so that it felt like anti-virus spam. It was also suggested that the exclamation-mark image is more alarming and therefore better. Some respondents also mentioned that they still do not know what to do next when either warning design shows.

                     Old SSL warning design                  New SSL warning design
Ways of expression   Not very clear                          Too frightening, too clickbaity, exaggeration of danger
How it is felt       Leaves it up to you                     More personal
Readability          Clear                                   Verbose
Image                Exclamation mark is clearer/alarming    N/A

Figure 4. Rate of responses to the question, “What might happen if you ignore this SSL warning and continue to connect this Bank of America website?”

Figure 5. Rate of responses to the question, “Which steps may you take after reading such a SSL warning?”

Figure 6. Rate of responses to the question, “Let's imagine another situation. If you ignored this warning while paying bills online, how likely is it that a hacker could see your bank account balance?”

IMPROVING THE WARNING

Based on the responses, I improved my SSL warning design and proposed its second version.

Figure 7. Final SSL warning design

The Warning Image

Although the exclamation-mark image is alarming, I use the stop sign to emphasize the necessity of stopping the connection.

Title

I reuse the title of the old SSL warning design instead of the direct question to avoid the threatening tone.

Explanation

To keep the explanation concise, it includes only the analogy and an illustration of the potential data risk.

Solutions

This link redirects the user to another page listing suggested steps to resolve the warning. My suggested list is shown below.

  1. Stop proceeding.

  2. Check if you are using a secure wired or wireless connection.

  3. Check if you input the correct website address.

  4. Call the website owner to get help.

  5. Update the web browser to its latest version.

  6. Update the operating system to its latest version.

  7. Install the latest operating system.

Details

The Details section folds away the technical details of this warning.

CONCLUSION

This report illustrates the possibility of using people’s existing knowledge to gain new knowledge. Undoubtedly, new knowledge is found every day, but the logic behind it might be similar to the logic behind the old. If designers can present that logic well, maybe everyone could unlock the potential of being tech-savvy.

REFERENCES

  1. Acer, E. M., Stark, E., Felt, P. A., Fahl, S., Bhargava, R., Dev, B., Braithwaite, M., Sleevi, R., Tabriz, P. Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate Errors. In CCS (2017).

  2. Felt, P. A., Ainslie, A., Reeder, W. R., Consolvo, S., Thyagaraja, S., Bettes, A., Harris, H., Grimes, J. Improving SSL Warnings: Comprehension and Adherence. In CHI (2015).

  3. Dhamija, R., Tygar, J. D., and Hearst, M. A. Why phishing works. In CHI (2006).

  4. Bravo-Lillo, C., Cranor, L. F., Downs, J., and Komanduri, S. Bridging the gap in computer security warnings: A mental model approach. IEEE Security and Privacy 9, 2 (2011).

  5. King, A. Effects of Self-Questioning Training on College Students’ Comprehension of Lectures. Contemporary Educational Psychology 14, 366 (1989).

  6. Daiute, C., Kruidenier, J. A Self-Questioning Strategy to Increase Young Writers' Revising Processes. Applied Psycholinguistics 6, 307 (1985).

  7. Hayes, A. D., Tierney, J. R. Increasing Background Knowledge through Analogy: Its Effects upon Comprehension and Learning. In Technical Report, Center for the Study of Reading (1980).

  8. Bean, W. T., Singer, H., Cowan, S. Analogical study guides: Improving comprehension in science. In Journal of Reading (1985).

  9. Ambrose Designs. Align Text to Read More. https://ambrosedesigns.co.uk/aligning-text/ (2014).
