Explore
For Enterprise
Join for Free
Log In

Arts and Humanities
Business
Computer Science
Data Science
Information Technology
Health
Math and Logic
Personal Development
Physical Science and Engineering
Social Sciences
Language Learning
Degrees
Certificates

Explore all of Coursera

Browse
Search
For Enterprise
Log In
Join for Free

Case Study: SSL Warnings - example user

Loading...

Usable Security

University of Maryland, College Park

4.5 (1,520 ratings) | 37K Students Enrolled

Course 1 of 5 in the Cybersecurity Specialization

This course focuses on how to design and build secure systems with a human-centric focus. We will look at basic principles of human-computer interaction, and apply these insights to the design of secure systems with the goal of developing security measures that respect human performance and their goals within a system.

Skills You'll Learn

Cybersecurity, Usability, Privacy, User Interface

Reviews

4.5 (1,520 ratings)

5 stars
997 ratings
4 stars
393 ratings
3 stars
78 ratings
2 stars
23 ratings
1 star
29 ratings

MM

Sep 22, 2017

I am really happy to join this perfect course . i want to continue in this course and i will every time of my life to learn many things . specially from the Coursera community thank you very much.

KM

Jul 15, 2018

It gave me a broader scope in terms of developing a process or a system. It taught me that designing usability and security must come during the early stages of design instead of an after thought.

From the lesson

Week 2

Design: design methodology, prototyping, cybersecurity case study

Intro to Design12:08

Design Methodologies15:32

Case Study: SSL Warnings - example user7:34

Case Study: SSL Warnings - paper discussion15:20

Interview: SSL Warnings4:49

Taught By

Jennifer Golbeck
Director

Transcript

[SOUND].

In this video, we're going to look at an example of usability for the average user.

And in particular, we're going to focus on Firefox's Untrusted Connection Error.

This is an important security error that happens when Firefox tries to connect to

a website that has an invalid security certificate.

But the error is pretty technical and may not be accessible to the average person.

So I've brought in a computer savvy user who's not a computer scientist and

I'm going to have him go through the process of receiving that error.

And he's going to tell us what he thinks it means and what he should do.

All right, so sitting at the desk here we

have our computer savvy non-computer scientist who's going to

go through a process of getting a common security error on the browser.

And we're going to see what he has to say about it.

So computer savvy non-computer scientist, I want you to go Twitter.com, and

it'll probably auto-complete.

So just go in the bar at the top and do Twitter.com.

>> Okay.

>> And hit Enter.

All right.

So I want you to read what's on the screen and then tell me what you think it means.

>> This connection is untrusted.

Want me to read the whole thing?

>> You read whatever you would read if you encountered this in

your normal browsing life.

>> All right.

You've asked Firefox to connect securely to Twitter.com but

we can't confirm that your connection is secure.

>> What do you think that means?

>> That means, they don't know, they,

Firefox doesn't know whether the connection to Twitter is secure.

Then it says, normally sites will present trusted identification to

prove that you're going to the right place.

However, this site's identity can't be verified.

So, Firefox can't be veri, can't verify that it's Twitter, actually Twitter.

>> So what do you think the risks are if you see an error like this?

>> Well, it could be a spoof site or

it could be taking me to somewhere that is not actually Twitter.

>> So what would you do if you got this error?

>> In real life, I would ignore it.

>> And so, what, like in real, so pretend we're in real life.

What would you actually do here, on this screen?

>> I don't know.

Try to click on whatever button they give me.

And then try to type the whole thing into Google.

aha, so it says, I understand the risks.

>> If you're reading, read out loud for us.

>> It says, if you understand what's going on,

and I have a vague notion, I may be wrong.

>> Wait before you continue,

what is your vague notion about what's actually going wrong?

>> That there's a, a disconnect between Firefox and

Twitter and Firefox can't verify that it's going to Twitter.

But it looked like the Twitter addressed it to me.

And it was, you know, I found it also through Google so I, I,

I think it's Twitter.

And so then it says, if you understand what's going on,

you could tell Firefox to start trusting this site's identification.

But even if you trust the site,

this error could mean that someone is tampering with your connection.

>> Do you know what that means when it

says someone is tampering with the connection?

>> I have a vague concept that it means someone might be, have

gained access to my computer or you know, is, I don't know.

Siphoning off information between what Firefox is doing and

what Twitter is doing.

>> Okay.

>> But, it's only Twitter, it's not my bank.

So I'm not sure there's that much harm in this case, but

I don't understand it that well.

>> Would you do this, I understand the risks, saying if it were your bank?

>> Probably not.

Or my credit card.

>> Yeah. >> Statement?

Probably not.

>> Okay.

>> So I can add an exception.

Maybe.

>> If you're reading, read out loud.

>> It says, you are about to override how Firefox identifies this site.

Then it says legitimate banks, stores and

other public sites will not ask you to do this.

And it says, the certificate says, is this site attempts to identify itself with

invalid information, it's outdated information.

The certificate is not currently valid,

it is impossible to verify whether this identity was reported as stolen or lost.

>> Now do you worry about that or not?

>> Yeah, I'm worried about it.

And it seems like Firefox is going to some effort, I think it's Firefox to-

>> Yeah.

>> Not let me do this.

So I'll just not do it.

I'll cancel.

>> Okay.

>> Get me out of here.

Okay.

But I'm still not sure what happened?

>> Thank you computer savvy non-computer scientist for

helping us process this error message.

>> I'm happy to help.

>> So what are some lessons we can take away from watching this video?

First, the user knows that something bad is happening,

but he's not really sure what.

He's able to read back some of the possible errors that the screen is

telling him, but he doesn't really know what those mean or how they would work.

The user also has good general strategies.

For example, he said he'd worry more about sites with sensitive information like

his bank or his credit card, but with Twitter, he's not too worried.

That's a great strategy.

But if he were, for example, to be facing a man in the middle attack where someone

would hijack his password and potentially his email address that he uses to log in.

If that password's repeated,

he actually could make a lot of his accounts vulnerable.

So his strategies are good,

but because he doesn't understand what the possible security risks are,

and they're not communicated to him by this error in a way he can understand,

he may make himself vulnerable if he were to go around this error.

And finally, the error message that Firefox shows relies on a lot of

information that the average user doesn't understand.

The example user we have here is actually quite computer savvy, but

he didn't understand a lot of the technical terms and jargon.

He doesn't understand what security certificates are.

How they work.

When they expire.

What that means.

And how they can be spoofed,

or inaccurate credentials can be sent to allow an attack.

So, the Firefox does a very good job of discouraging people from continuing on,

when they encounter this error message.

They're not doing a very good job of explaining what could be happening.

So a question for you to think about in to having the discussion is,

how could we improve this?

If we wanted to have an error message that appears when there's an invalid

security certificate.

What could we do to make it so a really average user could sort of

understand what's going on there, and make good decisions?

It's not a bad idea to really discourage them from taking a risky action,

but it's even better if we can educate them on what's happening.

So, think about how we can improve that error message

Explore our Catalog

Join for free and get personalized recommendations, updates and offers.

Coursera provides universal access to the world’s best education, partnering with top universities and organizations to offer courses online.

© 2019 Coursera Inc. All rights reserved.

Download on the App Store

Get it on Google Play

Coursera
About
Leadership
Careers
Catalog
Certificates
MasterTrack™ Certificates
Degrees
For Enterprise
For Government

Community
Learners
Partners
Developers
Beta Testers
Translators

Connect
Blog
Facebook
LinkedIn
Twitter
Instagram
YouTube
Tech Blog

More
Terms
Privacy
Help
Accessibility
Press
Contact
Directory
Affiliates