Tuesday, July 28, 2009

The Unintended Consequences of SSL

As all systems administrators know all too well, SSL is an exasperatingly picky system. SSL certificates are bound to a particular domain name, they expire, and self-signed certificates aren’t considered “valid”. All of these, however, are generally benign problems: such certificates do still provide encrypted communication. And now we see the unintended consequences of all this officiousness:

Internet users have grown immune to security certificate warnings and are more than happy to click past them, according to a new report out of Carnegie Mellon University. Researchers found that users won’t hesitate to engage in this risky browsing behavior, especially since most warnings are for benign things like expired certificates. This behavior leaves them vulnerable to man-in-the-middle attacks, and the report calls for a reform in how warnings are handled in both safe and dangerous situations.

The researchers studied the behaviors of 409 Internet users in order to monitor their reactions to and understanding of various SSL warnings, and found that “far too many participants exhibited dangerous behavior in all warning conditions.” This was despite the fact that many users understood the meaning of the warnings—for example, 50 percent of Firefox 2 users understood what an expired certificate meant, and 71 percent of those users said they actively ignored such a warning (47 percent and 64 percent for Firefox 3 users, respectively).
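The three warning triggers the post opens with (name mismatch, expiry, self-signed), as an added Python example that is not part of the original post or the Carnegie Mellon study: it classifies a certificate against the host it was served for and separates a lapsed date from the failures an interposed server would also produce. The certificate dicts, issuer set and date are constructed placeholders in the shape returned by ssl.SSLSocket.getpeercert().

```python
import ssl

# Constructed sample certificates in the dict shape that ssl.SSLSocket.getpeercert()
# returns; they are not real certificates and the names are placeholders.
EXPIRED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jul  1 00:00:00 2008 GMT",
    "notAfter": "Jul  1 00:00:00 2009 GMT",
}
SELF_SIGNED_CERT = {  # no SAN, so the CN is the only name it claims
    "subject": ((("commonName", "intranet"),),),
    "issuer": ((("commonName", "intranet"),),),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Jan  1 00:00:00 2019 GMT",
}
TRUSTED_ISSUERS = {EXPIRED_CERT["issuer"]}  # stand-in for the browser's root store
POST_DATE = ssl.cert_time_to_seconds("Jul 28 00:00:00 2009 GMT")  # date of the post

def claimed_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Exact match, or a single leading '*.' wildcard covering exactly one label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return p == h or (p[0] == "*" and len(p) == len(h) and p[1:] == h[1:])

def classify_cert_warnings(cert, hostname, now, trusted_issuers):
    """List the reasons a browser would warn for this certificate, in check order."""
    reasons = []
    if not any(name_matches(n, hostname) for n in claimed_names(cert)):
        reasons.append("hostname_mismatch")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    if cert["subject"] == cert["issuer"]:
        reasons.append("self_signed")
    elif cert["issuer"] not in trusted_issuers:
        reasons.append("untrusted_issuer")
    return reasons

def indistinguishable_from_mitm(reasons):
    """A lapsed date on an otherwise trusted, correctly named certificate is explained
    by late renewal; a wrong name or an untrusted/self-signed issuer is exactly what
    an interposed server would present, so the warning cannot be waved off."""
    return any(r in ("hostname_mismatch", "self_signed", "untrusted_issuer") for r in reasons)
```

Run `classify_cert_warnings(EXPIRED_CERT, "www.example.com", POST_DATE, TRUSTED_ISSUERS)` to see the benign case the study describes; the self-signed sample triggers the warnings that a man-in-the-middle would also trigger.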