Abstract by Matthew Holt
After HTTPS: Indicating Risk on Deceptive Websites
Browser security indicators show warnings when sites load without HTTPS, but more malicious sites are using HTTPS to appear legitimate in browsers and deceive users. We explore a new approach to browser indicators that overcomes several limitations of existing indicators. We first develop a high-level risk assessment framework to identify risky interactions and evaluate the utility of this approach through a survey. We next evaluate potential designs for a new risk indicator to communicate risk rather than security. Finally, we conduct a within-subjects user study to compare the risk indicator to existing security indicators by observing participant behavior and collecting feedback. Our results show that participants prefer risk indicators over current security indicators and suggest that risk indicators help make users more confident in judging their risk. In addition, users take somewhat fewer risks in the presence of risk indicators, making this a promising direction for research and implementation into web browsers.