Will You Trust This TLS Certificate? Perceptions of People
Working in IT (Extended Version)

J 2020

Will You Trust This TLS Certificate? Perceptions of People Working in IT (Extended Version)

UKROP, Martin, Lydia KRAUS a Václav MATYÁŠ

Základní údaje

Originální název

Will You Trust This TLS Certificate? Perceptions of People Working in IT (Extended Version)

Autoři

UKROP, Martin (703 Slovensko, garant, domácí), Lydia KRAUS (276 Německo, domácí) a Václav MATYÁŠ (203 Česká republika, domácí)

Vydání

Digital Threats: Research and Practice, New York, NY, USA, Association for Computing Machinery, 2020, 2692-1626

Další údaje

Jazyk

angličtina

Typ výsledku

Článek v odborném periodiku

Obor

10201 Computer sciences, information science, bioinformatics

Stát vydavatele

Spojené státy

Utajení

není předmětem státního či obchodního tajemství

Odkazy

URL

Kód RIV

RIV/00216224:14330/20:00116278

Organizační jednotka

Fakulta informatiky

DOI

http://dx.doi.org/10.1145/3419472

Klíčová slova anglicky

warning design;documentation;TLS certificate;usable security

Štítky

best1

Příznaky

Mezinárodní význam, Recenzováno

Změněno: 9. 6. 2022 14:57, RNDr. Pavel Šmerk, Ph.D.

Anotace

V originále

Flawed TLS certificates are not uncommon on the Internet. While they signal a potential issue, in most cases they have benign causes (e.g., misconfiguration or even deliberate deployment). This adds fuzziness to the decision on whether to trust a connection or not. Little is known about perceptions of flawed certificates by IT professionals, even though their decisions impact high numbers of end users. Moreover, it is unclear how much the content of error messages and documentation influences these perceptions. To shed light on these issues, we observed 75 attendees of an industrial IT conference investigating different certificate validation errors. We also analyzed the influence of reworded error messages and redesigned documentation. We find that people working in IT have very nuanced opinions, with trust decisions being far from binary. The self-signed and the name-constrained certificates seem to be over-trusted (the latter also being poorly understood). We show that even small changes in existing error messages can positively influence resource use, comprehension, and trust assessment. At the end of the article, we summarize lessons learned from conducting usable security studies with IT professionals.

Citovat

UKROP, Martin, Lydia KRAUS a Václav MATYÁŠ. Will You Trust This TLS Certificate? Perceptions of People Working in IT (Extended Version). Digital Threats: Research and Practice. New York, NY, USA: Association for Computing Machinery, 2020, roč. 1, č. 4, s. 1-29. ISSN 2692-1626. Dostupné z: https://dx.doi.org/10.1145/3419472.

@article{1675616,
   author = {Ukrop, Martin and Kraus, Lydia and Matyáš, Václav},
   article_location = {New York, NY, USA},
   article_number = {4},
   doi = {http://dx.doi.org/10.1145/3419472},
   keywords = {warning design;documentation;TLS certificate;usable security},
   language = {eng},
   issn = {2692-1626},
   journal = {Digital Threats: Research and Practice},
   title = {Will You Trust This TLS Certificate? Perceptions of People Working in IT (Extended Version)},
   url = {https://dl.acm.org/doi/10.1145/3419472},
   volume = {1},
   year = {2020}
}

TY  - JOUR
ID  - 1675616
AU  - Ukrop, Martin - Kraus, Lydia - Matyáš, Václav
PY  - 2020
TI  - Will You Trust This TLS Certificate? Perceptions of People Working in IT (Extended Version)
JF  - Digital Threats: Research and Practice
VL  - 1
IS  - 4
SP  - 1-29
EP  - 1-29
PB  - Association for Computing Machinery
SN  - 26921626
KW  - warning design;documentation;TLS certificate;usable security
UR  - https://dl.acm.org/doi/10.1145/3419472
L2  - https://dl.acm.org/doi/10.1145/3419472
N2  - Flawed TLS certificates are not uncommon on the Internet. While they signal a potential issue, in most cases they have benign causes (e.g., misconfiguration or even deliberate deployment). This adds fuzziness to the decision on whether to trust a connection or not. Little is known about perceptions of flawed certificates by IT professionals, even though their decisions impact high numbers of end users. Moreover, it is unclear how much the content of error messages and documentation influences these perceptions. To shed light on these issues, we observed 75 attendees of an industrial IT conference investigating different certificate validation errors. We also analyzed the influence of reworded error messages and redesigned documentation. We find that people working in IT have very nuanced opinions, with trust decisions being far from binary. The self-signed and the name-constrained certificates seem to be over-trusted (the latter also being poorly understood). We show that even small changes in existing error messages can positively influence resource use, comprehension, and trust assessment. At the end of the article, we summarize lessons learned from conducting usable security studies with IT professionals.
ER  -

UKROP, Martin, Lydia KRAUS a Václav MATYÁŠ. Will You Trust This TLS Certificate? Perceptions of People Working in IT (Extended Version). \textit{Digital Threats: Research and Practice}. New York, NY, USA: Association for Computing Machinery, 2020, roč.~1, č.~4, s.~1-29. ISSN~2692-1626. Dostupné z: https://dx.doi.org/10.1145/3419472.

Podrobný výpis o publikaci