UKROP, Martin, Lydia KRAUS, Václav MATYÁŠ and Heider Ahmad Mutleq WAHSHEH. Will You Trust This TLS Certificate? Perceptions of People Working in IT. Online. In Proceedings of the 35th Annual Computer Security Applications Conference. New York, NY, USA: Association for Computing Machinery, 2019, p. 718-731. ISBN 978-1-4503-7628-0. Available from: https://dx.doi.org/10.1145/3359789.3359800.
Basic information
Original name Will You Trust This TLS Certificate? Perceptions of People Working in IT
Authors UKROP, Martin (703 Slovakia, guarantor, belonging to the institution), Lydia KRAUS (276 Germany, belonging to the institution), Václav MATYÁŠ (203 Czech Republic, belonging to the institution) and Heider Ahmad Mutleq WAHSHEH (400 Jordan).
Edition New York, NY, USA, Proceedings of the 35th Annual Computer Security Applications Conference, p. 718-731, 14 pp. 2019.
Publisher Association for Computing Machinery
Other information
Original language English
Type of outcome Proceedings paper
Field of Study 10201 Computer sciences, information science, bioinformatics
Country of publisher United States of America
Confidentiality degree is not subject to a state or trade secret
Publication form electronic version available online
WWW URL Will You Trust This TLS Certificate? Perceptions of People Working in IT
RIV identification code RIV/00216224:14330/19:00111065
Organization unit Faculty of Informatics
ISBN 978-1-4503-7628-0
Doi http://dx.doi.org/10.1145/3359789.3359800
UT WoS 000540643900055
Keywords in English warning design;documentation;TLS certificate;usable security
Tags best5, core_A, firank_A
Tags International impact, Reviewed
Changed by: RNDr. Martin Ukrop, Ph.D., učo 374297. Changed: 15/4/2021 09:24.
Abstract
Flawed TLS certificates are not uncommon on the Internet. While they signal a potential issue, in most cases they have benign causes (e.g., misconfiguration or even deliberate deployment). This adds fuzziness to the decision on whether to trust a connection or not. Little is known about perceptions of flawed certificates by IT professionals, even though their decisions impact high numbers of end users. Moreover, it is unclear how much the content of error messages and documentation influences these perceptions. To shed light on these issues, we observed 75 attendees of an industrial IT conference investigating different certificate validation errors. Furthermore, we focused on the influence of re-worded error messages and redesigned documentation. We find that people working in IT have very nuanced opinions regarding the tested certificate flaws with trust decisions being far from binary. The self-signed and the name constrained certificates seem to be over-trusted (the latter also being poorly understood). We show that even small changes in existing error messages and documentation can positively influence resource use, comprehension, and trust assessment. Our conclusions can be directly used in practice by adopting the re-worded error messages and documentation.
Links
MUNI/A/1040/2018, MU internal code. Name: Involvement of Faculty of Informatics students in the international scientific community 19 (Acronym: SKOMU)
Investor: Masaryk University, Category A