Mar 16 2015

Google Improves Chrome’s SSL Warnings

Confusing technical jargon and poor design are two of the problems addressed by the search company’s recent redesign.

“There is a problem with this site’s security certificate.”

All web surfers come across this message from their browser sooner or later — and very few understand what it really means, let alone heed it. Google is hoping to change that, as explained in a January study the company conducted with the University of Pennsylvania, titled Improving SSL Warnings: Comprehension and Adherence.

What is an SSL warning, exactly? To start with, Secure Sockets Layer is a cryptographic protocol for network traffic that is typically used to secure the communications between servers and clients.

To facilitate smooth, secure exchanges of data, both the web browser on your device and the server you’re visiting need to agree on how to encrypt your traffic — the protocol. This agreement is confirmed if the server possesses a digital certificate that the browser supports. If there’s a problem, such as an expired certificate, the browser issues a warning to the user, who can choose to continue on or stop interactions with this server.

The security concern here is a man-in-the-middle attack, wherein an attacker is able to eavesdrop on client-server communications, monitoring and altering (or even injecting) messages in the data. This malicious behavior can be sidestepped when the data transmissions are secured by SSL. But if this protocol is not actively encrypting the traffic, it’s open to being intercepted and spoofed. All sorts of compromising information can then be pulled from these communications, which can lead to broader security compromises down the road.

The problem Google wants to address is that users often disregard SSL warnings, a practice that was confirmed in several studies. The percentages across browsers varied, but in one example cited, only 30 percent of Google’s Chrome users adhered to its SSL warnings. The study states that one reason for the failure of these warnings is that “SSL is a nuanced, technical topic that touches on other technical topics like network connections and authentication. Although people might understand that SSL relates to or provides security, they might not understand how.”

A second issue, which touches on the discrepancies between the failure rates of SSL warnings across browsers, is the design of the warning itself. In one study, differences in warning design accounted for a third to a half of the differences in behavior between browsers. Following the best practices outlined in earlier studies of SSL warnings, Google designed a new warning for its Chrome browser, focused on being informative and nontechnical, with a clear course of action.

While the report suggests that Google’s warning redesign has not solved the problem, it did improve outcomes in a field experiment, from a 37 percent adherence rate up to a 62 percent adherence rate.