Thursday, February 08, 2007

why 'safe site' indicators fail

there's been some interest lately in a study on the efficacy of various 'safe site' indicators such as HTTPS and website authentication images... these are indicators that are supposed to help the user determine that it's safe for them to enter their credentials, that it isn't a phishing site, but according to the study those indicators don't work (or rather their absence isn't enough to tell people that a site isn't safe)...

let's look at why... website authentication images (where you select an image to be shown on future visits to prove that the site is the same one you initially visited - essentially a visual shared secret authentication protocol) are a pretty new development, and their use (and their significance) has probably not yet reached the mainstream among users... as such, slip-ups might be forgiven (if you could attribute a near 100% failure rate to mere slip-ups)... maybe websites are just too unreliable when it comes to displaying images - perhaps we've come to expect images to be absent on occasion...

HTTPS indicators (which indicate that you're visiting a secure site, that your session is encrypted with SSL or TLS) on the other hand have been around for quite some time... they've become about as mainstream in the public's awareness as they're going to get, so their complete failure can't be blamed on novelty - perhaps they're just too unobtrusive?

the only one that had a significant impact was actually an unsafe site indicator (a warning that came up when visiting a site that wasn't safe)... now, aside from the interesting implications all this may have for why humans seem to more naturally lean towards blacklists, the relative success of these 2 types of indicators (safe or unsafe) brought to mind a little tidbit about human perception i heard some time ago... it seems that we're much better at noticing when something that shouldn't be there is there than we are at noticing when something that should be there isn't...

put another way:
The opposite to this effect is a situation where the brain perceives something that is not actually there. On being presented with an incomplete object, the brain automatically fills in the missing pieces according to our previous memory and experience. There are many examples available of common optical illusions to illustrate this.
this more than adequately explains why the absence of safe site indicators would be ignored by people, and in so doing shows why such human-interpreted safe site indicators aren't (and won't be) effective at warning people away from phishing sites...

(and yes, i realize the implications this has for my manual phishing email detection method - i can only hope that our tendency to pay attention to who sends the emails we receive makes shared secret authentication as a way to weed out phish more workable in an email context than it is on the web...)

2 comments:

Eugen said...

That study indicated that Mutual Authentication systems that only use "image verification" techniques are not secure because nothing prevents users from ignoring the fact that the image may not be the one that they have selected initially. However, there are other mutual authentication systems where the image (image set) is the actual part of the password. Tricerion (www.tricerion.com) is one of those systems where the phisher needs to know which subset (12 images/characters) must be presented, drawn from a large superset. So, the phisher needs to know the password before he is able to display a fake website. Here it is no longer image verification, because you cannot ignore the fact that the keypad that is being presented is missing the characters that you should be entering as your password.

kurt wismer said...

that sort of system was suggested in the comments to my post on security tokens (here) but as i pointed out there, such systems still fail in the face of man in the middle phishing attacks...