Security in Practice – Security-Usability Chasm
Computer systems security area has received increased attention from both academics and in industry. However, recent work indicates that substantial security gaps emerge when systems are deployed, even with the use of state-of-the-art security protocols. Our findings suggest that wide-spread security problems exist even when protocols such as SSL and SSH are deployed because systems today do not give security warnings properly or make it trivial for users to bypass them. Even when these protocols are deployed correctly, systems often leave themselves vulnerable to social-engineering attacks as an artifact of their design. In one of our studies, we examined the web sites of 706 financial institutions and found over 90% of them to have made poor design choices when it comes to security, even though all deployed SSL for communicating passwords and doing transactions. In another study, we examined the usage of SSH within our own department and found that most users would be susceptible to a man-in-the-middle attack. Based on our studies, we postulate that some of the most interesting challenges for security researchers and practitioners lie at the intersection of security theory, their application to practice, and user behavior. We point out some of those challenges and hope that the research community can help address them.
Unable to display preview. Download preview PDF.
- 1.Rescorla, E.: SSL and TLS: Designing and Building Secure Systems. Addison-Wesley, Reading (2000)Google Scholar
- 2.Ylonen, T., Lonvick, C.: The secure shell (SSH) protocol architecture, RFC 4251, IETF draft (January 2006)Google Scholar
- 3.Clippingale, B., Prakash, A.: Usability vulnerabilities in SSH: When good users go bad. Unpublished manuscript. Contact author(s) for a copy (September 2007)Google Scholar
- 4.Prakash, A., Falk, L.: Web security analysis of financial institutions. Technical Report CSE-TR-534-07, Department of EECS, University of Michigan (2007)Google Scholar
- 5.Schechter, S., Dhamija, R., Ozment, A., Fischer, I.: The emperor’s new security indicators: An evaluation of website authentication and the effect of role playing on usability studies. In: IEEE Symposium on Security and Privacy (2007)Google Scholar
- 6.Whitten, A., Tygar, J.: Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In: Proc. of the 8th Usenix Security Symposium (1999)Google Scholar
- 8.Wagner, D., Schneier, B.: Analysis of the SSL 3.0 protocol. In: Proc. of The 2nd Usenix Workshop on Electronic Commerce, Revised April, 2007 (November 1996)Google Scholar
- 9.McDaniel, P.: On context in authorization policy. In: SACMAT. Proc. of the 8th ACM Symposium on Access Control Models and Technologies, pp. 80–89 (June 2003)Google Scholar