What causes false positive HTTPS warnings, and what can we do about them? Spurious warnings frustrate users, hinder the widespread adoption of HTTPS, and undermine trust in browser warnings. We investigate the root causes of HTTPS error warnings in the field, with the goal of resolving benign errors. We study a sample of over 300 million errors that Google Chrome users encountered in the course of normal browsing. Based on our findings, we implemented more actionable warnings and other browser changes.
How well do browser security indicators work? We surveyed 1,329 people and decided that it was time to update Chrome's browser security indicators. We proposed and tested a new set of browser security indicators, based on user research and an understanding of the challenges faced by browsers. These new indicators launched in Chrome 53.
Why is usable security hard, and what should we do about it?
How can we make SSL warnings more effective? We designed a new SSL warning based on recommendations from warning literature and tested our proposal with micro-surveys and a field experiment. We ultimately failed at our goal of a well-understood warning, but nearly 30% more total users chose to remain safe after seeing our warning. We attribute this success to opinionated design, which promotes safety with visual cues. Subsequently, our proposal was released as the new Google Chrome SSL warning.
Asking for superpowers: Chrome's Permission Model
Chrome Developer Summit 2014
How well do browser security warnings actually work in the field? We used Mozilla Firefox and Google Chrome’s in-browser telemetry to observe over 25 million warning impressions in situ. We find that user behavior varies across warning types and browsers, with some warnings proving effective and others quite ineffective. Notably, users continued through 70.2% of Google Chrome's SSL warnings, highlighting that as an area for future improvement.
Is the Android permission system effective at warning users about security or privacy risks? Do people pay attention to, understand, or act on permission information during installation? We performed two usability studies: an Internet survey of 308 Android users, and a laboratory study wherein we interviewed and observed 25 Android users. Study participants displayed low attention and comprehension rates, but a notable minority of users demonstrated both awareness of permission warnings and reasonable rates of comprehension.
Do Android developers follow least privilege with their permission requests? We built Stowaway, a tool that detects overprivilege in compiled Android applications. Stowaway determines the set of API calls that an application uses and then maps those API calls to permissions. We applied Stowaway to a set of 940 applications and find that about one-third are overprivileged.