HTTPS is one of the most important protocols used
to secure communication and is, fortunately, becoming more
pervasive. However, the long tail of websites in particular is still not
sufficiently secured. HTTPS involves different types of users, e.g.,
end users who are forced to make security decisions when faced
with warnings, or administrators who are required to deal with
cryptographic fundamentals and complex decisions concerning
compatibility.
In this work, we present the first qualitative study of both
end user and administrator mental models of HTTPS. We interviewed 18 end users and 12 administrators; our findings reveal
misconceptions about security benefits and threat models from
both groups. We identify protocol components that interfere with
secure configurations and usage behavior and reveal differences
between administrator and end user mental models.
Our results suggest that end user mental models are more
conceptual while administrator models are more protocol-based.
We also found that end users often confuse encryption with
authentication and significantly underestimate the security benefits
of HTTPS. They also ignore and distrust security indicators,
while administrators often do not understand the interplay of
functional protocol components. Based on the different mental
models, we discuss implications and provide actionable recommendations for future designs of user interfaces and protocols.
Preferred Citation
Katharina Krombholz, Karoline Busse, Katharina Pfeffer, Matthew Smith and Emanuel von Zezschwitz. "If HTTPS Were Secure, I Wouldn't Need 2FA" - End User and Administrator Mental Models of HTTPS. In: IEEE Symposium on Security and Privacy (S&P). 2019.
Primary Research Area
Empirical and Behavioral Security
Name of Conference
IEEE Symposium on Security and Privacy (S&P)
Legacy Posted Date
2019-01-11
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_2788,
  title     = {``If HTTPS Were Secure, I Wouldn't Need 2FA'' - End User and Administrator Mental Models of HTTPS},
  author    = {Krombholz, Katharina and Busse, Karoline and Pfeffer, Katharina and Smith, Matthew and von Zezschwitz, Emanuel},
  booktitle = {IEEE Symposium on Security and Privacy (S\&P)},
  year      = {2019},
}