"If HTTPS Were Secure, I Wouldn't Need 2FA" - End User and Administrator Mental Models of HTTPS

Krombholz, Katharina and Busse, Karoline and Pfeffer, Katharina and Smith, Matthew and von Zezschwitz, Emanuel
(2019) "If HTTPS Were Secure, I Wouldn't Need 2FA" - End User and Administrator Mental Models of HTTPS.
In: S&P 2019.
Conference: SP IEEE Symposium on Security and Privacy

[img]
Preview
 Text
HTTPS_Mental_Models (14).pdf
Download (478kB) | Preview

Abstract

HTTPS is one of the most important protocols used to secure communication and is, fortunately, becoming more pervasive. However, especially the long tail of websites is still not sufficiently secured. HTTPS involves different types of users, e.g., end users who are forced to make security decisions when faced with warnings or administrators who are required to deal with cryptographic fundamentals and complex decisions concerning compatibility. In this work, we present the first qualitative study of both end user and administrator mental models of HTTPS. We interviewed 18 end users and 12 administrators; our findings reveal misconceptions about security benefits and threat models from both groups. We identify protocol components that interfere with secure configurations and usage behavior and reveal differences between administrator and end user mental models. Our results suggest that end user mental models are more conceptual while administrator models are more protocol-based. We also found that end users often confuse encryption with authentication, significantly underestimate the security benefits of HTTPS. They also ignore and distrust security indicators while administrators often do not understand the interplay of functional protocol components. Based on the different mental models, we discuss implications and provide actionable recommendations for future designs of user interfaces and protocols.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Katharina Krombholz (Human-Oriented Security, HOS)
Conference: SP IEEE Symposium on Security and Privacy
Depositing User: Katharina Krombholz
Date Deposited: 11 Jan 2019 13:42
Last Modified: 18 Oct 2020 13:05
Primary Research Area: NRA5: Empirical & Behavioral Security
URI: https://publications.cispa.saarland/id/eprint/2788

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.