Security certificate warnings don't work, researchers say

Every Web surfer has seen them. Those "invalid certificate" warnings you sometimes get when you're trying to visit a secure Web site.

They say things like "There is a problem with this Web site's security certificate." If you're like most people, you may feel vaguely uneasy, and - according to a new paper from researchers at Carnegie Mellon University - there's a good chance you'll ignore the warning and click through anyway.

In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users).

"Everyone knew that there was a problem with these warnings," said Joshua Sunshine, a Carnegie Mellon graduate student and one of the paper's co-authors. "Our study showed dramatically how big the problem was."

That's not great news. Often the warnings pop up because of a technical problem on the Web site, but they can also mean that the Web surfer is being redirected somehow to a fake Web site. URLs for secure Web sites begin with "https."

The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web.

They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites.

"That's sort of a backwards understanding of what these messages mean," Sunshine said. "The message is validating that you're visiting the site you think you're visiting, not that the site is trustworthy."

If a banking Web site shows a message that its security certificate is invalid, that's a very bad sign, security experts say. It could mean the Web surfer is being subjected to a so-called man-in-the-middle attack. In this type of attack, the criminal inserts himself between the Web surfer and the site he's visiting, in the hopes of stealing information.

Security experts have long known that these security warnings are ineffective, said Jeremiah Grossman, chief technology officer with Web security consultancy White Hat Security. That's because users "really don't know what the security risks mean," he said via instant message. "So they take the gamble."

In the Firefox 3 browser, Mozilla tried to use simpler language and better warnings for bad certificates. And the browser makes it harder to ignore a bad certificate warning. In the Carnegie Mellon lab, Firefox 3 users were the least likely to click through after being shown a warning.

The researchers experimented with several redesigned security warnings they'd written themselves, which appeared to be even more effective. They plan to report their findings Aug. 14th at the Usenix Security Symposium in Montreal.

Still, Sunshine believes that better warnings will help only so much. Instead of warnings, browsers should use systems that can analyze the error messages. "If those systems decide this is likely to be an attack, they should just block the user altogether," he said.

Even when visiting important Web sites like banks, "people are still dramatically ignoring the warnings," he said.

Microsoft may have known about critical IE bug for months

The vulnerability that sent Microsoft scrambling yesterday and is being used by hackers now to attack Internet Explorer (IE) users may have been reported 18 months ago or more.

In the security advisory it issued yesterday, Microsoft credited a pair of researchers - Ryan Smith and Alex Wheeler - with reporting the bug. Smith and Wheeler once worked together at IBM's ISS X-Force, although Wheeler now is at Texas-based 3Com's TippingPoint DVLabs.

Wheeler confirmed that he and Smith uncovered the vulnerability, but he gave most of the credit to Smith. Wheeler declined, however, to say when the bug was reported to Microsoft. "I don't feel comfortable talking about that," he said, citing a non-disclosure agreement related to the vulnerability that he signed at the time. Instead, he steered questions to his former employer, ISS X-Force.

"But we worked on it prior to my time with TippingPoint," Wheeler acknowledged. Wheeler, who is the manager of DVLabs, started at TippingPoint in January 2008.

The CVE (Common Vulnerabilities and Exposures) number for the vulnerability - CVE-2008-0015 - points to a possible early 2008 reporting date. According to the database, the CVE number was reserved on Dec. 13, 2007.

ISS X-Force was not immediately able today to confirm a reporting date for the vulnerability, but the security firm did note in its own advisory, also published Monday, that hackers have been exploiting the bug since at least June 9, 2009, nearly a month ago.

In fact, X-Force listed two separate vulnerabilities in its advisory, saying that the flawed Microsoft Video Controller ActiveX Library, or the "msvidctl.dll" file, not only contained the buffer overflow bug attributed to Smith and Wheeler, but also harbored a memory corruption vulnerability discovered by X-Force researcher Robert Freeman.

Microsoft did not respond to questions about when it was informed of the vulnerability, and if it was in late 2007 or 2008, why it had not patched the problem.

No matter when it was reported, the bug is serious, Wheeler said today. "This particular vulnerability is relatively easy to exploit in a reliable way, if that makes sense," he said. "Although it does require setting up malicious hosting servers to serve the exploit ... you have to go to a [malicious] Web page to be compromised."

Attack code hasn't been posted widely, Wheeler added, but it won't be hard for other hackers to duplicate what's already in the wild. "It will be relatively simple to do that," he said, "compared to what they have to choose from at the moment."

Yesterday, Microsoft not only confirmed ongoing attacks against IE6 and IE7 users running Windows XP, but also offered an automated tool that sets 45 different "kill bits" in the ActiveX control, effectively disabling it and rendering attacks moot.

But Wheeler suggested another option: switch browsers. "Unless they're specially configured, other browsers will face substantially lower risk," said Wheeler. Browsers such as Mozilla's Firefox, Google's Chrome and Apple's Safari don't rely on ActiveX technology to drive add-ons, as does IE.

"Any client-side vulnerability is serious," said Wheeler, "but of the range, this one is in the more serious range."

Microsoft has promised to patch Windows and/or IE, but has not committed to a delivery date. Its next regularly-scheduled security updates will be released a week from today, on July 14.