Emily Stark
Research Areas
Authored Publications
Sort By
Preview abstract
We performed a large-scale online survey (n=1,880) to study the padlock icon, an established security indicator in web browsers that denotes connection security through HTTPS. In this paper, we evaluate users' understanding of the padlock icon, and how removing or replacing it might influence their expectations and decisions. We found that the majority of respondents (89%) had misconceptions about the padlock's meaning. While only a minority (23%-44%) referred to the padlock icon at all when asked to evaluate trustworthiness, these padlock-aware users reported that they would be deterred from a hypothetical shopping transaction when the padlock icon was absent. These users were reassured after seeing secondary UI surfaces (i.e., Chrome Page Info) where more verbose information about connection security was present.
We conclude that the padlock icon, displayed by browsers in the address bar, is still misunderstood by many users. The padlock icon guarantees connection security, but is often perceived to indicate the general privacy, security, and trustworthiness of a website. We argue that communicating connection security precisely and clearly is likely to be more effective through secondary UI, where there is more surface area for content. We hope that this paper boosts the discussion about the benefits and drawbacks of showing passive security indicators in the browser UI.
View details
SoK: SCT Auditing in Certificate Transparency
Sarah Meiklejohn
Devon O'Brien
Kevin Wei Li Yeo
Proceedings on Privacy Enhancing Technologies Symposium (2022), pp. 336-353
Preview abstract
The Web public key infrastructure is essential to providing secure communication on the Internet today, and certificate authorities play a crucial role in this ecosystem by issuing certificates. These authorities may misissue certificates or suffer misuse attacks, however, which has given rise to the Certificate Transparency (CT) project. The goal of CT is to store all issued certificates in public logs, which can then be checked for the presence of potentially misissued certificates. Thus, the requirement that a given certificate is indeed in one (or several) of these logs lies at the core of CT. In its current deployment, however, most individual clients do not check that the certificates they see are in logs, as requesting a proof of inclusion directly reveals the certificate and thus creates the clear potential for a violation of that client’s privacy. In this paper, we explore the techniques that have been proposed for privacy-preserving auditing of certificate inclusion, focusing on their effectiveness, efficiency, and suitability in a near-term deployment. In doing so, we also explore the parallels with related problems involving browser clients. Guided by a set of constraints that we develop, we ultimately observe several key limitations in many proposals, ranging from their privacy provisions to the fact that they focus on the interaction between a client and a log but leave open the question of how a client could privately report any certificates that are missing.
View details
Measuring Identity Confusion with Uniform Resource Locators
Joshua Reynolds
Deepak Kumar
Zane Ma
Rohan Subramanian
Meishan Wu
Martin Shelton
Joshua Mason
Michael Bailey
CHI 2020 (2020)
Preview abstract
Despite many successes in combating web identity theft and website impersonation, websites with fraudulent identities continue to harm Internet users. Only the fully qualified domain name in the URL gives users the unfalsifiable identity information they need to make a trust decision. Unfortunately, URLs are complex and users must decide whether to follow them from within browsers, messaging applications, email clients, text message clients, and more. While users are confident in their ability to learn website identity from URLs, we show they are vulnerable to various identity obfuscation techniques—successfully identifying an average of 58% of URLs in our sample set. Incorrect user heuristics and strategies include scanning for familiar names, trusting all https links, and trusting the word “secure”. Based on these findings, we provide recommendations to better bridge the gap between raw URL strings and users.
View details
The Web's Identity Crisis: Understanding the Effectiveness of Website Identity Indicators
Martin Shelton
Max Walker
Emily Schechter
Proceedings of the 28th USENIX Security Symposium (2019)
Preview abstract
Users must understand the identity of the website that they are visiting in order to make trust decisions. Web browsers indicate website identity via URLs and HTTPS certificates, but users must understand and act on these indicators for them to be effective. In this paper, we explore how browser identity indicators affect user behavior and understanding. First, we present a large-scale field experiment measuring the effects of the HTTPS Extended Validation (EV) certificate UI on user behavior. Our experiment is many orders of magnitude larger than any prior study of EV indicators, and it is the first to examine the EV indicator in a naturalistic scenario. We find that most metrics of user behavior are unaffected by its removal, providing evidence that the EV indicator adds little value in its current form. Second, we conduct three experimental design surveys to understand how users perceive UI variations in identity indicators for login pages, looking at EV UI in Chrome and Safari and URL formatting designs in Chrome. In 14 iterations on browsers' EV and URL formats, no intervention significantly impacted users' understanding of the security or identity of login pages. Informed by our experimental results, we provide recommendations to build more effective website identity mechanisms.
View details
Fixing HTTPS Misconfigurations at Scale: An Experiment with Security Notifications
Eric Zeng
Frank Li
The 2019 Workshop on the Economics of Information Security (2019) (to appear)
Preview abstract
HTTPS is vital to protecting the security and privacy of users on the Internet. As the cryptographic algorithms and standards underlying HTTPS evolve to meet emerging threats, website owners are responsible for updating and maintaining their HTTPS configurations. In practice, millions of hosts have misconfigured and insecure configurations. In addition to presenting security and privacy risks, misconfigurations can harm user experience on the web, when browsers show warnings for deprecated and outdated protocols.
We investigate whether sending direct notifications to the owners of misconfigured sites can motivate them to fix or improve HTTPS misconfigurations, such as outdated ciphersuites or certificates that will expire soon. We conducted a multivariate randomized controlled experiment testing multiple variations of message content through two different notification channels. We find that security notifications alone have a moderate impact on remediation outcomes, similar to or less than notifications for other types of security vulnerabilities. We discuss how notifications can be used in conjunction with other incentives and outreach campaigns, and identify future directions for improving the security of the HTTPS ecosystem.
View details
Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate
Ryan Sleevi
Rijad Muminović
Devon O'Brien
Eran Messeri
Brendan McMillion
Proceedings of the IEEE Symposium on Security & Privacy (2019) (to appear)
Preview abstract
Certificate Transparency (CT) is an emerging system for enabling the rapid discovery of malicious or misissued certificates. Initially standardized in 2013, CT is now finally beginning to see widespread support. Although CT provides desirable security benefits, web browsers cannot begin requiring all websites to support CT at once, due to the risk of breaking large numbers of websites. We discuss challenges for deployment, analyze the adoption of CT on the web, and measure the error rates experienced by users of the Google Chrome web browser. We find that CT has so far been widely adopted with minimal breakage and warnings.
Security researchers often struggle with the tradeoff between security and user frustration: rolling out new security requirements often causes breakage. We view CT as a case study for deploying ecosystem-wide change while trying to minimize end user impact. We discuss the design properties of CT that made its success possible, as well as draw lessons from its risks and pitfalls that could be avoided in future large-scale security deployments.
View details
Where the Wild Warnings Are: Root Causes of Chrome Certificate Errors
Sascha Fahl
Radhika Bhargava
Bhanu Dev
Matt Braithwaite
Ryan Sleevi
Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security (2017)
Preview abstract
HTTPS error warnings are supposed to alert browser users to network attacks. Unfortunately, a wide range of non-attack circumstances trigger hundreds of millions of spurious browser warnings per month. Spurious warnings frustrate users, hinder the widespread adoption of HTTPS, and undermine trust in browser warnings. We investigate the root causes of HTTPS error warnings in the field, with the goal of resolving benign errors.
We study a sample of over 300 million errors that Google Chrome users encountered in the course of normal browsing. After manually reviewing more than 2,000 error reports, we developed automated rules to classify the top causes of HTTPS error warnings. We are able to automatically diagnose the root causes of two-thirds of error reports. To our surprise, we find that more than half of errors are caused by client-side or network issues instead of server misconfigurations. Based on these findings, we implemented more actionable warnings and other browser changes to address client-side error causes. We further propose solutions for other classes of root causes.
View details