Study of SSL warnings
We know that users routinely ignore warnings. One way of increasing attention to warnings is to present only those that have meaning to the user and that protect users from actual risks. There is currently a debate over which SSL warnings are important to retain, which should be abandoned, and whether any warning should be presented at all. If no warnings are presented, when should the user be allowed to proceed to the page in question and when should the user be stopped? The purpose of this study is to analyze which SSL warning error conditions are important to present to users (if any). In this study we will survey end users, security experts, and organizations that routinely present SSL warnings (e.g., many universities use self-signed certificates) to develop a set of recommendations on how to present SSL warnings.
Timeline
Test Timeline
||Task||Due Date||Lead||
||IRB approval at CMU||DATE||Serge||
||IRB approval at Columbia and Harvard?||DATE||Maritza/Rachna||
||Lo-fi prototype and survey material||DATE||Serge||
||Survey deployed||DATE||Serge||
||Data Analysis||DATE||Serge, Rachna, Maritza||
||Paper Draft||DATE||Serge||
||Final paper||Nov 1||All||