Browser Usability Problems Trump Design Flaws
Recent discussions about research on bank website design flaws (see Analyzing Websites for User-Visible Security Design Flaws) have brought up a few important points about web security. The research conducted by Dr. Prakash, Laura Falk, and myself addresses problems that prevent even expert users from using bank websites securely. It does not consider how to design websites so that they are secure for non-expert users. In the recent study, we looked at bank websites that have login boxes on insecure pages. However, an attacker with access to the network link could simply direct customers to a version of the page that does not use SSL at all. How many people would notice the difference? This article looks at the severity of usability problems in secure web transactions, and at what web browsers could do to fix them.
Given that a bank website does everything correctly, how hard is it for an attacker to manipulate a page and trick someone into entering a password insecurely? The first and most obvious line of attack is to replace an SSL page with an unencrypted version. A man-in-the-middle attacker would serve http://www.bankofamerica.com, for example, instead of https://www.bankofamerica.com. How many users would be tricked by such an attack? For the answer to this question, we turn to research by Schechter et al. (see The Emperor’s New Security Indicators). The authors found that of the 57 participants who were asked to log into a bank website, some using their real accounts, not a single person noticed the missing SSL indicator and refused to log in. They further tested the effectiveness of the explicit warning message that IE 7 now shows when there is a problem verifying a server certificate; this is the type of message that would be displayed if a man-in-the-middle were tampering with an SSL connection. Surprisingly, 53% of people still logged in, 8 of whom were using their real account name and password!
Security usability research leads us to the conclusion that people will click through almost anything in spite of explicit warnings to do otherwise. If most people will not even notice that they are at an insecure site, or will disregard certificate warnings, then how can there be any real security? The answer to this dilemma lies in web browser design. To get an idea of how progress is being made, let us look at the new certificate warning mechanism in Firefox 3. Instead of giving the user the option of continuing to a site with an invalid certificate, Firefox completely blocks the connection with a “Secure Connection Failed” message. It is possible to add an invalid certificate to an exception list, but doing so takes four clicks and is not straightforward. As far as I am aware, no follow-up study similar to that of Schechter et al. has been published on this new mechanism. However, making it difficult to behave insecurely probably reduces the success rate of SSL man-in-the-middle attacks significantly.
New browser design may aid in preventing users from visiting sites with faulty SSL certificates, but how can it help prevent users from entering information on insecure pages? If an attacker redirects the user to an insecure URL for a site that is normally secure, such as http://www.bankofamerica.com, then how can the browser warn users that their login information is not safe? As we saw above, SSL indicators are not meaningful to the vast majority of the public. Right now, there is no solution to this problem. What browsers could do, however, is provide a mechanism for servers to specify that all connections to their domain should be secure. So, the first time someone visits https://www.bankofamerica.com, the server could tell the web browser “This is a secure-only site.” Then, the web browser would block all non-SSL connections to that domain, just like it blocks connections with invalid certificates. This way, it would be very difficult for the user to ever have a connection with Bank of America’s website that was not both encrypted and authenticated with the correct certificate. Two caveats apply: the browser must only accept the “secure-only” signal over a verified SSL connection, since an attacker on the link could inject or strip it over plain HTTP, and the very first visit is unprotected until the policy has been learned. Of course, this would not stop phishing attacks that show similar content on a completely different domain, but it would be a step in the right direction for secure online banking.
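As an added example (not code from the original post), the following model puts the downgrade attack from the second section and the “secure-only site” browser policy proposed above side by side. The header name, the simulated bank server, the simulated man-in-the-middle and the in-memory policy store are all assumptions made for this example; the hostname is the one the article uses. It runs four scenarios: a first visit over an honest link that teaches the browser the policy, a later http:// visit on a hostile link that the policy blocks, a later https:// visit that the certificate check blocks, and the first-visit gap where a browser that has never seen the bank over SSL has nothing to enforce.

```javascript
// Added example, not the article's or any browser's code. Models a browser that
// learns a "secure-only" policy from a server over a verified https connection
// and afterwards refuses plain-http navigations to that host.

const SECURE_ONLY_HEADER = "x-secure-only"; // hypothetical header name (assumption)
const BANK = "www.bankofamerica.com";        // host from the article, simulated here

// Constructed honest network: the real bank answers https with a valid
// certificate and the secure-only header; plain http gets a redirect to https.
function honestNetwork(url) {
  const u = new URL(url);
  if (u.protocol === "https:") {
    return { status: 200, certValid: true, headers: { [SECURE_ONLY_HEADER]: "1" }, body: "login form" };
  }
  return { status: 301, certValid: null, headers: { location: "https://" + u.host + u.pathname }, body: "" };
}

// Constructed man-in-the-middle: serves the login page over plain http with no
// redirect and no header, and cannot present a valid certificate for https.
function downgradeAttacker(url) {
  const u = new URL(url);
  if (u.protocol === "https:") {
    return { status: 200, certValid: false, headers: {}, body: "login form" };
  }
  return { status: 200, certValid: null, headers: {}, body: "login form" };
}

class Browser {
  constructor() {
    this.secureOnlyHosts = new Set(); // learned policy, kept across visits
  }

  // Returns { blocked, reason } or { blocked: false, status, body } for one navigation.
  navigate(url, network) {
    const u = new URL(url);
    const host = u.hostname;

    // Policy check comes first: a remembered secure-only host never goes over http.
    if (u.protocol === "http:" && this.secureOnlyHosts.has(host)) {
      return { blocked: true, reason: "secure-only host requested over http" };
    }

    const resp = network(url);

    // Hard block on a certificate failure, as Firefox 3 does (no "continue anyway").
    if (u.protocol === "https:" && resp.certValid !== true) {
      return { blocked: true, reason: "secure connection failed" };
    }

    // Only trust the signal when it arrived over a verified https connection; an
    // attacker on the link could inject or strip a header sent over plain http.
    if (u.protocol === "https:" && resp.headers[SECURE_ONLY_HEADER] === "1") {
      this.secureOnlyHosts.add(host);
    }

    return { blocked: false, status: resp.status, body: resp.body };
  }
}

// Runs the four scenarios and returns their outcomes for inspection.
function runScenarios() {
  const secureUrl = `https://${BANK}/`;
  const plainUrl = `http://${BANK}/`;

  // 1. First visit over an honest link: the browser learns the policy.
  const returning = new Browser();
  const firstVisit = returning.navigate(secureUrl, honestNetwork);

  // 2. Later, on a hostile link, the attacker steers the user to http://.
  const laterHttp = returning.navigate(plainUrl, downgradeAttacker);

  // 3. Same attacker against https://: blocked by the certificate check.
  const laterHttps = returning.navigate(secureUrl, downgradeAttacker);

  // 4. The gap: a browser that has never seen the bank over https has no
  //    policy to enforce, so the downgraded login page is served.
  const fresh = new Browser();
  const neverVisited = fresh.navigate(plainUrl, downgradeAttacker);

  return { firstVisit, laterHttp, laterHttps, neverVisited, learned: returning.secureOnlyHosts.has(BANK) };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The ordering inside `navigate` is the point: the policy lookup happens before any network traffic, so a remembered host is never contacted over http at all, and the policy is only ever written after the certificate check has passed. Scenario 4 is what the caveat above refers to; the policy has to be learned over a good connection before it can protect anything.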
July 31st, 2008 at 9:40 am
Kevin -
I think that you are placing too much emphasis on, and possibly indicating value that doesn’t exist for, SSL protected web pages.
Obviously SSL provides an expectation of confidentiality for the communication, but I feel that you are assigning other qualities to it which are not present when used for https.
The fact that a page is protected by SSL does not authenticate its content. The content on an https page is no more difficult to manipulate, and is subject to the same attack vectors, as an http page. (These include cross-site scripting, manipulation of site content through application/platform vulnerabilities, etc.)
In fact the existence of SSL can be used by an attacker to increase the effectiveness of XSS or other site manipulation attacks.
Also, man-in-the-browser and malware attacks use techniques that nullify the value of the SSL “lock icon” on the browser. I think if you look at the available data on malware generation kits and the rise of highly targeted, even single-person-targeted attacks.
Erik
Art of Information Security
August 12th, 2008 at 11:46 am
Hi Erik,
Thanks for the feedback. You bring up some excellent points. After all, SSL only provides security between endpoints. If the server does not handle security properly and is vulnerable to XSS (or other) attacks, or if the client is hacked, then encryption is useless.
However, all we can do as security professionals is progressively improve security at different layers. Research on bank website security usability and on browser usability aims to make end-to-end encryption more secure by helping the user make correct decisions. For websites that do protect against the vulnerabilities that you mentioned and clients that have not been hacked, it is essential that other security mechanisms are working and can be properly applied by the common user.
Kevin