Browser warnings appear to be an effective way to warn users about potentially malicious activity, but if designed and displayed improperly, they could result in warning fatigue, according to a new study.
Warning messages that caution browser users about potential dangers appear to be working, limiting access to known phishing sites, attack websites and other nefarious Web pages where malware and attack code have been detected. But the study, "Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness," cautions that warnings only go so far.
The study, conducted by Devdatta Akhawe of the University of California, Berkeley, and Adrienne Porter Felt, a research scientist with Google, recommends that designers of security warnings limit the number of alerts that users encounter. The two researchers, who will present their findings at USENIX's Security Symposium next month in Washington, D.C., said users can reach a threshold beyond which alert messages become relatively ineffective.
"Designers of new warning mechanisms should always perform an analysis of the number of times the system is projected to raise a warning, and security practitioners should consider the effects that warning architectures have on warning fatigue," the researchers said.
Browser warnings can be effective, the study found. An analysis of 25 million warning impressions displayed by Google Chrome and Mozilla Firefox in May and June found that malware and phishing warnings were bypassed less than 25 percent of the time. Only a third of users opted to click through warnings that a Web page was not secure.
The study found room for improvement for Google Chrome developers. The browser's red SSL warning page, which warns users that a certificate is invalid, making a site potentially untrustworthy and risky, was clicked through 70.2 percent of the time, the study found. By contrast, users clicked through 33 percent of Mozilla Firefox's SSL warnings.
SSL creates an encrypted connection between the browser and the Web server behind the website, and the browser validates the server's identity using the SSL certificate it presents. Mozilla Firefox's SSL warning requires more clicks to bypass, the study found, whereas Google Chrome users click through a single warning button to proceed.
Mozilla developers also took steps to not show a warning again if a user re-encounters the same certificate for a website that previously generated an alert in the browser. "Chrome presents the warning every time and does not remember the user's past choice," the study found.
The study placed part of the blame on false positives caused by server misconfiguration. It said false positives are undesirable and urged developers to find ways to avoid annoying users with invalid warnings. In addition, the researchers found that explanatory links, such as "more information" or "learn more," were rarely clicked on.
PUBLISHED JULY 16, 2013