Differences
This shows you the differences between two versions of the page.
public:papers:acsac2019 [2019-12-13 00:50] – [Selected conclusions] xukrop | public:papers:acsac2019 [2019-12-13 00:54] – [Will You Trust This TLS Certificate? Perceptions of People Working in IT [ACSAC 2019]] xukrop | ||
---|---|---|---|
Line 21: | Line 21: | ||
<button type=" | <button type=" | ||
\_ | \_ | ||
- | <popover trigger=" | + | /*<popover trigger=" |
- | <button icon=" | + | <button icon=" |
- | </ | + | /*</ |
\_ | \_ | ||
<button collapse=" | <button collapse=" | ||
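Review bot: the `<popover trigger="` ... `</` block is disabled by wrapping it in `/*` rather than deleting it, which leaves dead markup in the page source, and the matching `*/` is not visible on the truncated lines shown; confirm the comment is actually closed so the following `<button collapse="` line is not swallowed by it, and prefer removing the popover outright (the revision history keeps it) over shipping commented-out markup.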
Line 50: | Line 50: | ||
===== Selected conclusions ===== | ===== Selected conclusions ===== | ||
- | * We investigated perceived trust in five certificate cases: hostname mismatch, self-signed, | + | |
- | * When validating certificates, | + | * When validating certificates, |
- | * In case of expired certificates, | + | * In case of expired certificates, |
- | * The certificate subject plays a role: Flaws were less likely to be tolerated for big, established companies (Microsoft was mentioned as an example). | + | * The certificate subject plays a role: Flaws were less likely to be tolerated for big, established companies (Microsoft was mentioned as an example). |
- | * We found some certificate cases as over-trusted. | + | * We found some certificate cases as over-trusted. |
- | * 21% of the participants considered the self-signed certificate as __" | + | * 21% of the participants considered the self-signed certificate as __" |
- | * Similarly, 20% of the participants considered the name constrained certificate as __" | + | * Similarly, 20% of the participants considered the name constrained certificate as __" |
- | * We had half of the participants interact with real OpenSSL error messages and the other half with our re-designed error messages and documentation. Here is the comparison: | + | * We had half of the participants interact with real OpenSSL error messages and the other half with our re-designed error messages and documentation. Here is the comparison: |
- | * The self-signed case was considered significantly less trustworthy with our error message (which we consider a success). | + | * The self-signed case was considered significantly less trustworthy with our error message (which we consider a success). |
- | * The name constrained case was also perceived as less trusted and required less time and less online browsing to undestand. | + | * The name constrained case was also perceived as less trusted and required less time and less online browsing to undestand. |
- | * The other attributes were comparable – thus, we see our documentation in these cases as better than the existing one. | + | * The other attributes were comparable – thus, we see our documentation in these cases as better than the existing one. |
- | * In the redesigned error messages, we included a link to the documentation. To our surprise, 71% of the participants clicked this link. This suggests a nice opportunity of directing the developers to a usable place recommended by the library designers. | + | * In the redesigned error messages, we included a link to the documentation. To our surprise, 71% of the participants clicked this link. This suggests a nice opportunity of directing the developers to a usable place recommended by the library designers. |
- | * As a follow-up work, we started gathering X.509 certificate validation errors and documentation from multiple libraries to consolidate the documentation on a single place. | + | * As a follow-up work, we started gathering X.509 certificate validation errors and documentation from multiple libraries to consolidate the documentation on a single place. |
<button type=" | <button type=" |
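Review bot: the opening bullet of "Selected conclusions", which enumerates the five certificate cases studied (hostname mismatch, self-signed, ...), is dropped on the new side with nothing replacing it, so the later bullets on the self-signed, name constrained and expired cases now refer to cases the list never introduces; restore the enumeration here or carry it into the revised intro. While touching this section, fix the typo `undestand` (for `understand`) in the name constrained bullet, which survives on both sides.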