
"If HTTPS Were Secure, I Wouldn't Need 2FA" - End User and Administrator Mental Models of HTTPS

conference contribution
posted on 2023-11-29, 18:09 authored by Katharina Krombholz, Karoline Busse, Katharina Pfeffer, Matthew Smith, Emanuel von Zezschwitz
HTTPS is one of the most important protocols used to secure communication and is, fortunately, becoming more pervasive. However, the long tail of websites in particular is still not sufficiently secured. HTTPS involves different types of users, e.g., end users who are forced to make security decisions when faced with warnings, and administrators who are required to deal with cryptographic fundamentals and complex decisions concerning compatibility. In this work, we present the first qualitative study of both end user and administrator mental models of HTTPS. We interviewed 18 end users and 12 administrators; our findings reveal misconceptions about security benefits and threat models in both groups. We identify protocol components that interfere with secure configurations and usage behavior, and reveal differences between administrator and end user mental models. Our results suggest that end user mental models are more conceptual, while administrator models are more protocol-based. We also found that end users often confuse encryption with authentication and significantly underestimate the security benefits of HTTPS. They also ignore and distrust security indicators, while administrators often do not understand the interplay of functional protocol components. Based on the different mental models, we discuss implications and provide actionable recommendations for future designs of user interfaces and protocols.

History

Preferred Citation

Katharina Krombholz, Karoline Busse, Katharina Pfeffer, Matthew Smith and Emanuel von Zezschwitz. "If HTTPS Were Secure, I Wouldn't Need 2FA" - End User and Administrator Mental Models of HTTPS. In: IEEE Symposium on Security and Privacy (S&P). 2019.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

Legacy Posted Date

2019-01-11

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_2788,
  title     = {{"If HTTPS Were Secure, I Wouldn't Need 2FA" - End User and Administrator Mental Models of HTTPS}},
  author    = {Krombholz, Katharina and Busse, Karoline and Pfeffer, Katharina and Smith, Matthew and von Zezschwitz, Emanuel},
  booktitle = {{IEEE Symposium on Security and Privacy (S\&P)}},
  year      = {2019}
}
