Connect with us

Hi, what are you looking for?


Network Security

New Chrome SSL Warning Improved Adherence Rates: Google

A team of researchers at Google have been trying to come up with a new design for Secure Sockets Layer (SSL) warnings that can convince users not to ignore such alerts.

A team of researchers at Google have been trying to come up with a new design for Secure Sockets Layer (SSL) warnings that can convince users not to ignore such alerts.

SSL is designed to protect users against eavesdropping and data theft. SSL warnings are displayed by Web browsers when users are about to access a website that might pose a risk (i.e. server authentication failed, encryption is too weak).

Unfortunately, many users ignore the alerts, which is why Google researchers have been trying to create a more efficient SSL warning. Up until the launch of Chrome 37, when a redesigned alert was introduced, users adhered to only 37% of SSL warnings. Once the new design was rolled out, adherence rates increased by nearly 30%, researchers said.

Google determined that low adherence rates were caused by the design of the warning after seeing that Firefox users adhered to almost 70% of SSL warnings. Furthermore, the adherence rates for Chrome increased by a few percentage points during a brief period in which Google used a version of the Firefox warning.

Google’s security team has attempted to create an SSL warning that is simple, non-technical, brief, specific, and with an opinionated design (a visual design technique that promotes the safe choice as the preferred option).

One of the goals was to design a comprehensive SSL warning that would convey the source of the threat, the risks to the user’s data, and information that helps internauts determine if they are dealing with a false positive.

Experts removed all technical terms from the primary text of the new warning. For tech savvy users, an “Advanced” button was added. They also kept the warning as brief as possible because people often prefer not to read long texts. This reduces comprehensiveness, but the researchers figured it’s better to convey some of the topic rather than none of it.

Advertisement. Scroll to continue reading.

Despite all the changes, no major improvements were seen in comprehension rates.

The second goal was to improve adherence rates through opinionated design. Google’s security team achieved this by making the “Back to safety” button stand out, and by hiding the link to proceed in the “Advanced” section. These changes increased adherence rates from 31% to 58% in a controlled field experiment, and from 37% to 62% in the field.

Chrome SSL warning

However, researchers are concerned that some users might not notice the “Advanced” button and if they don’t find a way to click through the warning, they might simply switch browsers to proceed.

“Unfortunately, comprehension rates remain lower than desired for all of the SSL warning texts that we tested,” researchers wrote in their paper. “This is disappointing, as we view comprehension as more important than adherence. We attempted to follow best practices for both adherence and comprehension, and we were surprised that this strategy yielded success for adherence but not comprehension. We attribute the low comprehension rates to the difficulty of creating an SSL warning that is simultaneously brief, non-technical, simple, and specific”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...