Security Experts:

New Chrome SSL Warning Improved Adherence Rates: Google

A team of researchers at Google have been trying to come up with a new design for Secure Sockets Layer (SSL) warnings that can convince users not to ignore such alerts.

SSL is designed to protect users against eavesdropping and data theft. SSL warnings are displayed by Web browsers when users are about to access a website that might pose a risk (i.e. server authentication failed, encryption is too weak).

Unfortunately, many users ignore the alerts, which is why Google researchers have been trying to create a more efficient SSL warning. Up until the launch of Chrome 37, when a redesigned alert was introduced, users adhered to only 37% of SSL warnings. Once the new design was rolled out, adherence rates increased by nearly 30%, researchers said.

Google determined that low adherence rates were caused by the design of the warning after seeing that Firefox users adhered to almost 70% of SSL warnings. Furthermore, the adherence rates for Chrome increased by a few percentage points during a brief period in which Google used a version of the Firefox warning.

Google’s security team has attempted to create an SSL warning that is simple, non-technical, brief, specific, and with an opinionated design (a visual design technique that promotes the safe choice as the preferred option).

One of the goals was to design a comprehensive SSL warning that would convey the source of the threat, the risks to the user’s data, and information that helps internauts determine if they are dealing with a false positive.

Experts removed all technical terms from the primary text of the new warning. For tech savvy users, an “Advanced” button was added. They also kept the warning as brief as possible because people often prefer not to read long texts. This reduces comprehensiveness, but the researchers figured it’s better to convey some of the topic rather than none of it.

Despite all the changes, no major improvements were seen in comprehension rates.

The second goal was to improve adherence rates through opinionated design. Google’s security team achieved this by making the “Back to safety” button stand out, and by hiding the link to proceed in the “Advanced” section. These changes increased adherence rates from 31% to 58% in a controlled field experiment, and from 37% to 62% in the field.

Chrome SSL warning

However, researchers are concerned that some users might not notice the “Advanced” button and if they don’t find a way to click through the warning, they might simply switch browsers to proceed.

“Unfortunately, comprehension rates remain lower than desired for all of the SSL warning texts that we tested,” researchers wrote in their paper. “This is disappointing, as we view comprehension as more important than adherence. We attempted to follow best practices for both adherence and comprehension, and we were surprised that this strategy yielded success for adherence but not comprehension. We attribute the low comprehension rates to the difficulty of creating an SSL warning that is simultaneously brief, non-technical, simple, and specific”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.