Jump to Content
Adrienne Porter Felt

Adrienne Porter Felt

Adrienne Porter Felt is a security and privacy researcher at Google. Her current focus is on building usable security for Chrome.
Authored Publications
Google Publications
Other Publications
Sort By
  • Title
  • Title, descending
  • Year
  • Year, descending
    Preview abstract Users must understand the identity of the website that they are visiting in order to make trust decisions. Web browsers indicate website identity via URLs and HTTPS certificates, but users must understand and act on these indicators for them to be effective. In this paper, we explore how browser identity indicators affect user behavior and understanding. First, we present a large-scale field experiment measuring the effects of the HTTPS Extended Validation (EV) certificate UI on user behavior. Our experiment is many orders of magnitude larger than any prior study of EV indicators, and it is the first to examine the EV indicator in a naturalistic scenario. We find that most metrics of user behavior are unaffected by its removal, providing evidence that the EV indicator adds little value in its current form. Second, we conduct three experimental design surveys to understand how users perceive UI variations in identity indicators for login pages, looking at EV UI in Chrome and Safari and URL formatting designs in Chrome. In 14 iterations on browsers' EV and URL formats, no intervention significantly impacted users' understanding of the security or identity of login pages. Informed by our experimental results, we provide recommendations to build more effective website identity mechanisms. View details
    Fixing HTTPS Misconfigurations at Scale: An Experiment with Security Notifications
    Eric Zeng
    Frank Li
    The 2019 Workshop on the Economics of Information Security (2019) (to appear)
    Preview abstract HTTPS is vital to protecting the security and privacy of users on the Internet. As the cryptographic algorithms and standards underlying HTTPS evolve to meet emerging threats, website owners are responsible for updating and maintaining their HTTPS configurations. In practice, millions of hosts have misconfigured and insecure configurations. In addition to presenting security and privacy risks, misconfigurations can harm user experience on the web, when browsers show warnings for deprecated and outdated protocols. We investigate whether sending direct notifications to the owners of misconfigured sites can motivate them to fix or improve HTTPS misconfigurations, such as outdated ciphersuites or certificates that will expire soon. We conducted a multivariate randomized controlled experiment testing multiple variations of message content through two different notification channels. We find that security notifications alone have a moderate impact on remediation outcomes, similar to or less than notifications for other types of security vulnerabilities. We discuss how notifications can be used in conjunction with other incentives and outreach campaigns, and identify future directions for improving the security of the HTTPS ecosystem. View details
    Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate
    Ryan Sleevi
    Rijad Muminović
    Devon O'Brien
    Eran Messeri
    Brendan McMillion
    Proceedings of the IEEE Symposium on Security & Privacy (2019) (to appear)
    Preview abstract Certificate Transparency (CT) is an emerging system for enabling the rapid discovery of malicious or misissued certificates. Initially standardized in 2013, CT is now finally beginning to see widespread support. Although CT provides desirable security benefits, web browsers cannot begin requiring all websites to support CT at once, due to the risk of breaking large numbers of websites. We discuss challenges for deployment, analyze the adoption of CT on the web, and measure the error rates experienced by users of the Google Chrome web browser. We find that CT has so far been widely adopted with minimal breakage and warnings. Security researchers often struggle with the tradeoff between security and user frustration: rolling out new security requirements often causes breakage. We view CT as a case study for deploying ecosystem-wide change while trying to minimize end user impact. We discuss the design properties of CT that made its success possible, as well as draw lessons from its risks and pitfalls that could be avoided in future large-scale security deployments. View details
    Web Feature Deprecation: A Case Study for Chrome
    Ariana Mirian
    Geoffrey M. Voelker
    Nik Bhagat
    Stefan Savage
    International Conference on Software Engineering (ICSE) SEIP track (2019) (to appear)
    Preview abstract Deprecation is a necessary function for the health and innovation of the web ecosystem. However, web feature deprecation is an understudied topic. While Chrome has a protocol for web feature deprecation, much of this process is based on a mix of few metrics and intuition. In this paper, we analyze web feature deprecations, in an attempt to improve this process. First, we produce a taxonomy of reasons why developers want to deprecate web features. We then provide a set of guidelines for deciding when it is safe to deprecate a web feature and a methodology for approaching the question of whether to deprecate a web feature. Finally, we provide a tool that helps determine whether a web feature meets these guidelines for deprecation. We also discuss the challenges faced during this process. View details
    HTTPS Adoption in the Longtail
    Ariana Mirian
    Stefan Savage
    Geoffrey M. Voelker
    Google and UC San Diego (2018)
    Preview abstract HTTPS is widely acknowledged as a pillar of modern web security. However, while much attention focuses on the value delivered by protocol improvements, the benefit of these advances is gated by the breadth of their adoption. Thus, while the majority of web pages visited benefit from the confidentiality and integrity guarantees of HTTPS, this is contradictorily due to a minority of popular sites currently supporting the protocol. In this paper written in April 2018, we explore factors of HTTPS adoption on web sites more broadly. We analyze attributes of the Alexa top one million sites in August 2017 and categorize them into popular and “longtail” sites, in an effort to identify points of leverage which offer promise for driving further adoption of HTTPS. We find that hosting provider use and cost are factors that correlate with HTTPS deployment, while other promising indicators—such as site age, site freshness, and server software choice—provide ambiguous signals and are unlikely to offer useful points of influence. View details
    Preview abstract Web browser warnings should help protect people from malware, phishing, and network attacks. Adhering to warnings keeps people safer online. Recent improvements in warning design have raised adherence rates, but they could still be higher. And prior work suggests many people still do not understand them. Thus, two challenges remain: increasing both comprehension and adherence rates. To dig deeper into user decision making and comprehension of warnings, we performed an experience sampling study of web browser security warnings, which involved surveying over 6,000 Chrome and Firefox users in situ to gather reasons for adhering or not to real warnings. We find these reasons are many and vary with context. Contrary to older prior work, we do not find a single dominant failure in modern warning design---like habituation---that prevents effective decisions. We conclude that further improvements to warnings will require solving a range of smaller contextual misunderstandings. View details
    Where the Wild Warnings Are: Root Causes of Chrome Certificate Errors
    Sascha Fahl
    Radhika Bhargava
    Bhanu Dev
    Matt Braithwaite
    Ryan Sleevi
    Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security (2017)
    Preview abstract HTTPS error warnings are supposed to alert browser users to network attacks. Unfortunately, a wide range of non-attack circumstances trigger hundreds of millions of spurious browser warnings per month. Spurious warnings frustrate users, hinder the widespread adoption of HTTPS, and undermine trust in browser warnings. We investigate the root causes of HTTPS error warnings in the field, with the goal of resolving benign errors. We study a sample of over 300 million errors that Google Chrome users encountered in the course of normal browsing. After manually reviewing more than 2,000 error reports, we developed automated rules to classify the top causes of HTTPS error warnings. We are able to automatically diagnose the root causes of two-thirds of error reports. To our surprise, we find that more than half of errors are caused by client-side or network issues instead of server misconfigurations. Based on these findings, we implemented more actionable warnings and other browser changes to address client-side error causes. We further propose solutions for other classes of root causes. View details
    Measuring HTTPS adoption on the web
    Richard Barnes
    April King
    Chris Palmer
    Chris Bentzel
    USENIX Security (2017)
    Preview abstract HTTPS ensures that the Web has a base level of privacy and integrity. Security engineers, researchers, and browser vendors have long worked to spread HTTPS to as much of the Web as possible via outreach efforts, developer tools, and browser changes. How much progress have we made toward this goal of widespread HTTPS adoption? We gather metrics to benchmark the status and progress of HTTPS adoption on the Web in 2017. To evaluate HTTPS adoption from a user perspective, we collect large-scale, aggregate user metrics from two major browsers (Google Chrome and Mozilla Firefox). To measure HTTPS adoption from a Web developer perspective, we survey server support for HTTPS among top and long-tail websites. We draw on these metrics to gain insight into the current state of the HTTPS ecosystem. View details
    Preview abstract When someone decides to ignore an HTTPS error warning, how long should the browser remember that decision? If they return to the website in five minutes, an hour, a day, or a week, should the browser show them the warning again or respect their previous decision? There is no clear industry consensus, with eight major browsers exhibiting four different HTTPS error exception storage policies. Ideally, a browser would not ask someone about the same warning over and over again. If a user believes the warning is a false alarm, repeated warnings undermine the browser’s trustworthiness without providing a security benefit. However, some people might change their mind, and we do not want one security mistake to become permanent. We evaluated six storage policies with a large-scale, multimonth field experiment. We found substantial differences between the policies and selected the policy with the most desirable characteristics. Google Chrome 45 adopted our proposal, and it has proved successful since deployed. Subsequently, we ran Mechanical Turk and GCS surveys to learn about user expectations for warnings. Respondents generally lacked knowledge about Chrome’s new storage policy, but we remain satisfied with our proposal due to the behavioral benefits we have observed in the field. View details
    Preview abstract We propose a new set of browser security indicators, based on user research and an understanding of the design challenges faced by browsers. To motivate the need for new security indicators, we critique existing browser security indicators and survey 1,329 people about Google Chrome's indicators. We then evaluate forty icons and seven complementary strings by surveying thousands of respondents about their perceptions of the candidates. Ultimately, we select and propose three indicators. Our proposed indicators have been adopted by Google Chrome, and we hope to motivate others to update their security indicators as well. View details
    Improving SSL Warnings: Comprehension and Adherence
    Somas Thyagaraja
    Alan Bettes
    Helen Harris
    Jeff Grimes
    Proceedings of the Conference on Human Factors and Computing Systems, ACM (2015)
    Preview abstract Browsers warn users when the privacy of an SSL/TLS connection might be at risk. An ideal SSL warning would empower users to make informed decisions and, failing that, guide confused users to safety. Unfortunately, users struggle to understand and often disregard real SSL warnings. We report on the task of designing a new SSL warning, with the goal of improving comprehension and adherence. We designed a new SSL warning based on recommendations from warning literature and tested our proposal with microsurveys and a field experiment. We ultimately failed at our goal of a well-understood warning. However, nearly 30% more total users chose to remain safe after seeing our warning. We attribute this success to opinionated design, which promotes safety with visual cues. Subsequently, our proposal was released as the new Google Chrome SSL warning. We raise questions about warning comprehension advice and recommend that other warning designers use opinionated design. View details
    Your Reputation Precedes You: History, Reputation, and the Chrome Malware Warning
    Hazim Almuhimedi
    Proceedings of the Symposium On Usable Privacy and Security: SOUPS '14, USENIX (2014)
    Preview abstract Several web browsers, including Google Chrome and Mozilla Firefox, use malware warnings to stop people from visiting infectious websites. However, users can choose to click through (i.e., ignore) these malware warnings. In Google Chrome, users click through a fifth of malware warnings on average. We investigate factors that may contribute to why people ignore such warnings. First, we examine field data to see how browsing history affects click-through rates. We find that users consistently heed warnings about websites that they have not visited before. However, users respond unpredictably to warnings about websites that they have previously visited. On some days, users ignore more than half of warnings about websites they've visited in the past. Next, we present results of an online, survey-based experiment that we ran to gain more insight into the effects of reputation on warning adherence. Participants said that they trusted high-reputation websites more than the warnings; however, their responses suggest that a notable minority of people could be swayed by providing more information. We provide recommendations for warning designers and pose open questions about the design of malware warnings. View details
    Experimenting At Scale With Google Chrome's SSL Warning
    Hazim Almuhimedi
    ACM CHI Conference on Human Factors in Computing Systems (2014)
    Preview abstract Web browsers shown HTTPS authentication warnings (i.e., SSL warnings) when the integrity and confidentiality of users' interactions with websites are at risk. Our goal in this work is to decrease the number of users who click through the Google Chrome SSL warning. Prior research showed that the Mozilla Firefox SSL warning has a much lower click-through rate (CTR) than Chrome. We investigate several factors that could be responsible: the use of imagery, extra steps before the user can proceed, and style choices. To test these factors, we ran six experimental SSL warnings in Google Chrome 29 and measured 130,754 impressions. View details
    Preview abstract We empirically assess whether browser security warnings are as ineffective as suggested by popular opinion and previous literature. We used Mozilla Firefox and Google Chrome's in-browser telemetry to observe over 25 million warning impressions in situ. During our field study, users continued through a tenth of Mozilla Firefox's malware and phishing warnings, a quarter of Google Chrome's malware and phishing warnings, and a third of Mozilla Firefox's SSL warnings. This demonstrates that security warnings can be effective in practice; security experts and system architects should not dismiss the goal of communicating security information to end users. We also find that user behavior varies across warnings. In contrast to the other warnings, users continued through 70.2% of Google Chrome's SSL warnings. This indicates that the user experience of a warning can have a significant impact on user behavior. Based on our findings, we make recommendations for warning designers and researchers. View details
    Object views: Fine-grained sharing in browsers
    Leo Meyerovich
    Mark S. Miller
    Proceedings of the International Conference on World Wide Web, World Wide Web Consortium (2010)
    Preview abstract Browsers do not currently support the secure sharing of JavaScript objects between principals. We present this problem as the need for object views, which are consistent and controllable versions of objects. Multiple views can be made for the same object and customized for the recipients. We implement object views with a JavaScript library that wraps shared objects and interposes on all access attempts. Developers can control the fine-grained behavior of objects with an aspect system that accepts programmatic policies. The security challenge is to fully mediate access to objects shared through a view and prevent privilege escalation. To facilitate simple document sharing, we build a policy system for declaratively defining policies for document object views. Notably, our document policy system makes it possible to hide elements without breaking document structure invariants. We discuss how object views can be deployed in two settings: same-origin sharing with rewriting-based JavaScript isolation systems like Google Caja, and inter-origin sharing between browser frames over a message-passing channel. View details
    Protecting Browsers from Extension Vulnerabilities
    Adam Barth
    Prateek Saxena
    Aaron Boodman
    Network and Distributed System Security Symposium (2010)
    Preview abstract Browser extensions are remarkably popular, with one in three Firefox users running at least one extension. Although well-intentioned, extension developers are often not security experts and write buggy code that can be exploited by malicious web site operators. In the Firefox extension system, these exploits are dangerous because extensions run with the user's full privileges and can read and write arbitrary files and launch new processes. In this paper, we analyze 25 popular Firefox extensions and find that 88% of these extensions need less than the full set of available privileges. Additionally, we find that 76% of these extensions use unnecessarily powerful APIs, making it difficult to reduce their privileges. We propose a new browser extension system that improves security by using least privilege, privilege separation, and strong isolation. Our system limits the misdeeds an attacker can perform through an extension vulnerability. Our design has been adopted as the Google Chrome extension system. View details
    An Evaluation of the Google Chrome Extension Security Architecture
    Nicholas Carlini
    David Wagner
    USENIX Security Symposium, USENIX (2012)
    Android Permissions: User Attention, Comprehension, and Behavior
    Elizabeth Ha
    Serge Egelman
    Ariel Haney
    Erika Chin
    David Wagner
    Symposium on Usable Privacy and Security (2012)
    I've Got 99 Problems, But Vibration Ain't One: A Survey of Smartphone Users' Concerns
    Serge Egelman
    David Wagner
    Workshop on Security and Privacy in Mobile Devices, ACM (2012)
    How To Ask For Permission
    Serge Egelman
    Matthew Finifter
    Devdatta Akhawe
    David Wagner
    Workshop on Hot Topics in Security, USENIX (2012)