Browser Security Warnings Appear to be Effective
A recent investigation revealed that users notice internet browser security warnings more than was previously thought. About 25 million security notifications from Mozilla Firefox and Google Chrome were examined over the last two months. The research took place from May to June 2013. Its main goal was to analyze user interaction with bypassable browser warnings. Interaction with two types of notifications was examined: “proceed anyway” provided by Chrome and “understood the risks” displayed by Firefox.
Using metrics, Akhawe and Felt summed up the number of times users encountered phishing, malware or SSL warnings and calculated the click-through rates per user. The researchers came to the conclusion that users do pay attention to the warnings they are shown, but 25% of the time they ignored the phishing and malware notifications and just clicked through. The browser they were using was not a factor in this case. Interestingly, about 33% of the Firefox users were stopped by SSL warnings, while 70% of the Chrome users disregarded this notification and entered the website. These findings suggest that Google should rethink its warning concept.
The researchers also stated that there are significant differences between the notifications these browsers provide. For example, Google Chrome users need to click only once to leave the security notification, whereas its rival requires three clicks for the same result. Moreover, the Firefox notification design involves “a policeman” and uses the word “untrusted” in the title. The investigators think that these factors may be the cause of the difference in user behavior, although there might be another explanation for this situation. Firefox has the capability to store exceptions, and thus automatically avoid upcoming security warnings; this feature may result in a lower click-through rate, as the Chrome browser doesn’t have this capability.
The researchers also stated that there could be an additional explanation for this mismatch. They claim that Google might be providing users with false warnings, thus causing warning “fatigue”. Nevertheless, this situation is unwelcome and requires effective and quick solutions.
Google claims that it will continue testing the SSL warnings in order to fix this situation. Upcoming Chrome versions might also have an “exception-remembering” feature, just like their rivals from Mozilla.
Despite the imperfection of Google's SSL warnings, the other statistics are very encouraging. It is believed that, in the future, we will have an even wider array of browser notifications. All in all, the research proved that security warnings are effective not only in theory but also in practice, and their development should play an even bigger part in the future.