Explore the challenges and solutions for improving SSL warnings in web browsers in this 52-minute conference talk from OWASP AppSec California 2015. Delve into Adrienne Porter Felt's insights as a Google Chrome security engineer on making HTTPS more effective and user-friendly. Learn about techniques for automatically identifying and resolving false positive warnings, redesigning SSL warnings for better user comprehension, and the importance of opinionated design in security interfaces. Discover strategies for traffic shaping, explaining threats to users, and creating clear, attractive security choices. Gain valuable knowledge on balancing security with usability to enhance online privacy protection and user experience in modern web browsers.
Making SSL Warnings Work - Improving Security and User Experience
Overview
Syllabus
Improving SSL warnings Adrienne Porter Felt Chrome security team
How can browsers stop crying wolf?
Traffic shaping
define, identify
How do we explain this to users?
Threat source: the attacker is on the network, not a malicious website
False positives: be more concerned about errors on well-regarded sites
Your connection is not private. Attackers might be trying to steal your information from www.irs.gov (for example, passwords, messages, or credit cards).
Clear instruction Attractive preferred choice Unattractive other choice
Opinionated design works where text fails
TODO LIST • Warn only when under attack • Users understand warnings e Users follow warning advice
Taught by
OWASP Foundation
