UKROP, Martin, Lydia KRAUS and Václav MATYÁŠ. Will You Trust This TLS Certificate? Perceptions of People Working in IT (Extended Version). Digital Threats: Research and Practice. New York, NY, USA: Association for Computing Machinery, 2020, vol. 1, No 4, p. 1-29. ISSN 2692-1626. Available from: https://dx.doi.org/10.1145/3419472.
Basic information
Original name Will You Trust This TLS Certificate? Perceptions of People Working in IT (Extended Version)
Authors UKROP, Martin (703 Slovakia, guarantor, belonging to the institution), Lydia KRAUS (276 Germany, belonging to the institution) and Václav MATYÁŠ (203 Czech Republic, belonging to the institution).
Edition Digital Threats: Research and Practice, New York, NY, USA, Association for Computing Machinery, 2020, 2692-1626.
Other information
Original language English
Type of outcome Article in a journal
Field of Study 10201 Computer sciences, information science, bioinformatics
Country of publisher United States of America
Confidentiality degree is not subject to a state or trade secret
RIV identification code RIV/00216224:14330/20:00116278
Organization unit Faculty of Informatics
Doi http://dx.doi.org/10.1145/3419472
Keywords in English warning design;documentation;TLS certificate;usable security
Tags best1
Tags International impact, Reviewed
Changed by: RNDr. Pavel Šmerk, Ph.D., učo 3880. Changed: 9/6/2022 14:57.
Abstract
Flawed TLS certificates are not uncommon on the Internet. While they signal a potential issue, in most cases they have benign causes (e.g., misconfiguration or even deliberate deployment). This adds fuzziness to the decision on whether to trust a connection or not. Little is known about perceptions of flawed certificates by IT professionals, even though their decisions impact high numbers of end users. Moreover, it is unclear how much the content of error messages and documentation influences these perceptions. To shed light on these issues, we observed 75 attendees of an industrial IT conference investigating different certificate validation errors. We also analyzed the influence of reworded error messages and redesigned documentation. We find that people working in IT have very nuanced opinions, with trust decisions being far from binary. The self-signed and the name-constrained certificates seem to be over-trusted (the latter also being poorly understood). We show that even small changes in existing error messages can positively influence resource use, comprehension, and trust assessment. At the end of the article, we summarize lessons learned from conducting usable security studies with IT professionals.