Security warnings displayed by Web browsers are far more effective at deterring risky Internet behavior than was previously believed, according to a new study.
The study looked at how users reacted to warnings displayed by Mozilla’s Firefox and Google’s Chrome browsers, which warn of phishing attempts, malware attacks and invalid SSL (Secure Sockets Layer) certificates.
It was widely thought that most users ignored the warnings, based on several studies released between 2002 and 2009. However, in the past four years, browser warnings have been redesigned, but the effect of the new designs on users had not been studied.
For example, toolbars that warned of possible phishing attacks have been replaced with full-page warnings that may have influenced people’s behavior, the researchers who conducted the study wrote.
More than 25 million warning impressions displayed by Chrome and Firefox in May and June were analyzed. The data was collected from telemetry programs used by Mozilla and Google, which collect what the researchers term ‘pseudonymous’ data from the browsers of consenting users.
In the case of both browsers, less than 25 percent of users opted to bypass malware and phishing warnings, and only a third of users cruised through the SSL warnings displayed by Firefox.
“This demonstrates that security warnings can be effective in practice; security experts and system architects should not dismiss the goal of communicating security information to end users,” according to the paper, which was submitted to the Usenix Annual Technical Conference 2013 in San Jose, California, late last month.
The analysis uncovered other interesting details. It appears that more technical users bypassed security warnings more often. The researchers considered technical users as those who used Linux and pre-release browsers.
“Technically advanced users might feel more confident in the security of their computers, be more curious about blocked websites or feel patronized by warnings,” the paper said.
Despite the positive influence of the warnings, the researchers found users clicked through more than 70 percent of Google’s SSL warnings. By contrast, Firefox users clicked through them just 33 percent of the time.
There are a few thoughts why Chrome’s SSL click-through rate is higher. Users can bypass Chrome’s warning with a single click, whereas Firefox requires three clicks. Firefox displays a more stern warning, showing an image of a policeman and using the word “untrusted” to describe the site.
There may also be other mitigating factors, the researchers said. Nevertheless, Chrome’s high SSL click-through rate “is undesirable,” they wrote. “Our positive findings for the other warnings demonstrate that this warning has the potential for improvement.”
The study was written by Devdatta Akhawe of the University of California, Berkeley, and Adrienne Porter Felt, a research scientist at Google.