Don’t Ignore the Warnings

Be honest. Do you really read the warning messages that your browser displays to you? Or do you blindly click the phishing site warnings or the SSL mismatch dialog away? Apparently most users don’t seem to care too much about those warnings and click through them quickly. And I doubt that they have memorized the meaning of the warnings and reflect on the consequences each time.

An interesting study from Google and Berkeley University analyzed 25.4 million warnings from the Google Chrome and Mozilla Firefox browsers. According to their research, on average, 15.1 percent of the users click through the warning for malware-infected sites. Interestingly enough, Mozilla Firefox users on Windows have a click-through rate of only 7.1 percent compared to Google Chrome users on Windows with a 23.5 percent click-through rate, about three times as click-happy.

For phishing site warnings, the average click-through rate is 20.4 percent. In this phishing category, Linux users, with 32.9 percent, click through the warnings a lot more often than the others. Maybe they are more tech-savvy and think that they know what they are doing. The study only analyzed warnings that the user had the option to bypass. Those are typically shown when there is a chance that the warning might be a false positive, so it doesn’t necessarily mean that something malicious is going on every time a warning is shown.

For SSL warnings, the results are even higher, with an average click-through rate of 73.4 percent for Google Chrome users and 36.7 percent for Firefox users. The researchers are not sure why Chrome users are twice as likely to ignore the SSL warnings. Of course, the SSL warning does not always mean malicious intent. Some people use self-signed certs at home and sometimes servers are just badly configured. So clicking through the warning does not necessarily mean that the warning was ignored; the user may have just made a well-educated decision to bypass it.

Nevertheless, the researchers suspect that many people tire of these warning messages and start ignoring them. We all remember this phenomenon from early anti-virus solutions, when people got bored of dialog boxes asking if “svchost.exe” was allowed to access the Internet or not. Warnings can be helpful, but they have to be used in the right way.

When ignoring these warnings becomes a habit, people are more likely to fall for malicious websites in the future. One example is the classic man-in-the-middle (MITM) attack often seen at free hotspots at airports or restaurants. Many people do not realize that some attackers set up malicious access points that serve self-signed certificates for all sites. If the user accepts those certificates, the attacker can eavesdrop on the traffic and might read passwords for online services. Certificate pinning, as introduced by Google, can help against such MITM attacks since the user will not get the chance to bypass the warning for major websites. The study showed that around 20 percent of the Chrome SSL warnings cannot be bypassed by the users. A percentage of this may have been from MITM attacks.
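The difference between a bypassable warning and a pinned, non-bypassable failure can be shown with a simplified model. This Python sketch is an added example, not part of the original article and not any browser's actual code; the host names, the pin store and the SPKI byte strings are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; a real
# client would take these bytes from the certificate the server presents.
GENUINE_SPKI = b"constructed-spki-of-the-real-site"
ROGUE_AP_SPKI = b"constructed-spki-of-a-self-signed-cert"


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64 of the SHA-256 digest of the public key info."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Hypothetical pin store shipped with the client (host -> allowed pins).
PINS = {"mail.example.com": {spki_pin(GENUINE_SPKI)}}


def evaluate(host, chain_trusted, spki_der, user_clicks_through):
    """Return (verdict, connection_allowed) for one TLS handshake.

    chain_trusted: result of ordinary certificate chain validation.
    user_clicks_through: what the user would do if offered a bypass.
    """
    pins = PINS.get(host)
    if pins is not None:
        presented = spki_pin(spki_der)
        pin_ok = any(hmac.compare_digest(presented, p) for p in pins)
        if pin_ok and chain_trusted:
            return "ok", True
        # Pinned host with any certificate problem: hard failure. No bypass
        # is offered, so the user's click-through habit cannot matter.
        return "blocked-no-bypass", False
    if chain_trusted:
        return "ok", True
    # Unpinned host with an untrusted (e.g. self-signed) certificate: the
    # outcome depends entirely on whether the user clicks through.
    return "bypassable-warning", user_clicks_through


if __name__ == "__main__":
    # Same rogue certificate, same habitual click-through, two outcomes.
    print(evaluate("mail.example.com", False, ROGUE_AP_SPKI, True))
    print(evaluate("forum.example.org", False, ROGUE_AP_SPKI, True))
```
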

Ignoring the malware warning can also be foolish. Symantec’s Internet Security Threat Report (ISTR) showed that 61 percent of the infected websites were hijacked legitimate websites. Therefore, knowing the site does not prove that it is clean, even if you visited it before. It may have been compromised since your last visit and is now serving up malware through exploits.

We recommend reading the browser warnings and taking them seriously. If you have read and understood them, you can of course click through if you know that the website is not a security risk. Just don’t make a habit of blindly clicking through all those warnings.


Figure. Firefox malware site warning