Adrienne Porter Felt
Adrienne Porter Felt is a security and privacy researcher at Google. Her current focus is on building usable security for Chrome.
Authored Publications
Sort By
Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate
Ryan Sleevi
Rijad Muminović
Devon O'Brien
Eran Messeri
Brendan McMillion
Proceedings of the IEEE Symposium on Security & Privacy(2019) (to appear)
Preview abstract
Certificate Transparency (CT) is an emerging system for enabling the rapid discovery of malicious or misissued certificates. Initially standardized in 2013, CT is now finally beginning to see widespread support. Although CT provides desirable security benefits, web browsers cannot begin requiring all websites to support CT at once, due to the risk of breaking large numbers of websites. We discuss challenges for deployment, analyze the adoption of CT on the web, and measure the error rates experienced by users of the Google Chrome web browser. We find that CT has so far been widely adopted with minimal breakage and warnings.
Security researchers often struggle with the tradeoff between security and user frustration: rolling out new security requirements often causes breakage. We view CT as a case study for deploying ecosystem-wide change while trying to minimize end user impact. We discuss the design properties of CT that made its success possible, as well as draw lessons from its risks and pitfalls that could be avoided in future large-scale security deployments.
View details
The Web's Identity Crisis: Understanding the Effectiveness of Website Identity Indicators
Christopher Thompson
Martin Shelton
Max Walker
Emily Schechter
Proceedings of the 28th USENIX Security Symposium(2019)
Preview abstract
Users must understand the identity of the website that they are visiting in order to make trust decisions. Web browsers indicate website identity via URLs and HTTPS certificates, but users must understand and act on these indicators for them to be effective. In this paper, we explore how browser identity indicators affect user behavior and understanding. First, we present a large-scale field experiment measuring the effects of the HTTPS Extended Validation (EV) certificate UI on user behavior. Our experiment is many orders of magnitude larger than any prior study of EV indicators, and it is the first to examine the EV indicator in a naturalistic scenario. We find that most metrics of user behavior are unaffected by its removal, providing evidence that the EV indicator adds little value in its current form. Second, we conduct three experimental design surveys to understand how users perceive UI variations in identity indicators for login pages, looking at EV UI in Chrome and Safari and URL formatting designs in Chrome. In 14 iterations on browsers' EV and URL formats, no intervention significantly impacted users' understanding of the security or identity of login pages. Informed by our experimental results, we provide recommendations to build more effective website identity mechanisms.
View details
Fixing HTTPS Misconfigurations at Scale: An Experiment with Security Notifications
Eric Zeng
Frank Li
The 2019 Workshop on the Economics of Information Security(2019) (to appear)
Preview abstract
HTTPS is vital to protecting the security and privacy of users on the Internet. As the cryptographic algorithms and standards underlying HTTPS evolve to meet emerging threats, website owners are responsible for updating and maintaining their HTTPS configurations. In practice, millions of hosts have misconfigured and insecure configurations. In addition to presenting security and privacy risks, misconfigurations can harm user experience on the web, when browsers show warnings for deprecated and outdated protocols.
We investigate whether sending direct notifications to the owners of misconfigured sites can motivate them to fix or improve HTTPS misconfigurations, such as outdated ciphersuites or certificates that will expire soon. We conducted a multivariate randomized controlled experiment testing multiple variations of message content through two different notification channels. We find that security notifications alone have a moderate impact on remediation outcomes, similar to or less than notifications for other types of security vulnerabilities. We discuss how notifications can be used in conjunction with other incentives and outreach campaigns, and identify future directions for improving the security of the HTTPS ecosystem.
View details
Web Feature Deprecation: A Case Study for Chrome
Ariana Mirian
Geoffrey M. Voelker
Nik Bhagat
Stefan Savage
International Conference on Software Engineering (ICSE) SEIP track(2019) (to appear)
Preview abstract
Deprecation is a necessary function for the health and innovation of the web ecosystem. However, web feature deprecation is an understudied topic. While Chrome has a protocol for web feature deprecation, much of this process is based on a mix of few metrics and intuition. In this paper, we analyze web feature deprecations, in an attempt to improve this process. First, we produce a taxonomy of reasons why developers want to deprecate web features. We then provide a set of guidelines for deciding when it is safe to deprecate a web feature and a methodology for approaching the question of whether to deprecate a web feature. Finally, we provide a tool that helps determine whether a web feature meets these guidelines for deprecation. We also discuss the challenges faced during this process.
View details
HTTPS Adoption in the Longtail
Ariana Mirian
Christopher Thompson
Stefan Savage
Geoffrey M. Voelker
Google and UC San Diego(2018)
Preview abstract
HTTPS is widely acknowledged as a pillar of modern web security. However, while much attention focuses on the value delivered by protocol improvements, the benefit of these advances is gated by the breadth of their adoption. Thus, while the majority of web pages visited benefit from the confidentiality and integrity guarantees of HTTPS, this is contradictorily due to a minority of popular sites currently supporting the protocol. In this paper written in April 2018, we explore factors of HTTPS adoption on web sites more broadly. We analyze attributes of the Alexa top one million sites in August 2017 and categorize them into popular and “longtail” sites, in an effort to identify points of leverage which offer promise for driving further adoption of HTTPS. We find that hosting provider use and cost are factors that correlate with HTTPS deployment, while other promising indicators—such as site age, site freshness, and server software choice—provide ambiguous signals and are unlikely to offer useful points of influence.
View details
Preview abstract
Web browser warnings should help protect people from malware, phishing, and network attacks. Adhering to warnings keeps people safer online. Recent improvements in warning design have raised adherence rates, but they could still be higher. And prior work suggests many people still do not understand them. Thus, two challenges remain: increasing both comprehension and adherence rates. To dig deeper into user decision making and comprehension of warnings, we performed an experience sampling study of web browser security warnings, which involved surveying over 6,000 Chrome and Firefox users in situ to gather reasons for adhering or not to real warnings. We find these reasons are many and vary with context. Contrary to older prior work, we do not find a single dominant failure in modern warning design---like habituation---that prevents effective decisions. We conclude that further improvements to warnings will require solving a range of smaller contextual misunderstandings.
View details
Where the Wild Warnings Are: Root Causes of Chrome Certificate Errors
Sascha Fahl
Radhika Bhargava
Bhanu Dev
Matt Braithwaite
Ryan Sleevi
Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security(2017)
Preview abstract
HTTPS error warnings are supposed to alert browser users to network attacks. Unfortunately, a wide range of non-attack circumstances trigger hundreds of millions of spurious browser warnings per month. Spurious warnings frustrate users, hinder the widespread adoption of HTTPS, and undermine trust in browser warnings. We investigate the root causes of HTTPS error warnings in the field, with the goal of resolving benign errors.
We study a sample of over 300 million errors that Google Chrome users encountered in the course of normal browsing. After manually reviewing more than 2,000 error reports, we developed automated rules to classify the top causes of HTTPS error warnings. We are able to automatically diagnose the root causes of two-thirds of error reports. To our surprise, we find that more than half of errors are caused by client-side or network issues instead of server misconfigurations. Based on these findings, we implemented more actionable warnings and other browser changes to address client-side error causes. We further propose solutions for other classes of root causes.
View details
Measuring HTTPS adoption on the web
Richard Barnes
April King
Chris Palmer
Chris Bentzel
USENIX Security(2017)
Preview abstract
HTTPS ensures that the Web has a base level of privacy and integrity. Security engineers, researchers, and browser vendors have long worked to spread HTTPS to as much of the Web as possible via outreach efforts, developer tools, and browser changes. How much progress have we made toward this goal of widespread HTTPS adoption? We gather metrics to benchmark the status and progress of HTTPS adoption on the Web in 2017. To evaluate HTTPS adoption from a user perspective, we collect large-scale, aggregate user metrics from two major browsers (Google Chrome and Mozilla Firefox). To measure HTTPS adoption from a Web developer perspective, we survey server support for HTTPS among top and long-tail websites. We draw on these metrics to gain insight into the current state of the HTTPS ecosystem.
View details
Preview abstract
When someone decides to ignore an HTTPS error warning,
how long should the browser remember that decision? If
they return to the website in five minutes, an hour, a day,
or a week, should the browser show them the warning again
or respect their previous decision? There is no clear industry
consensus, with eight major browsers exhibiting four different
HTTPS error exception storage policies.
Ideally, a browser would not ask someone about the same
warning over and over again. If a user believes the warning
is a false alarm, repeated warnings undermine the browser’s
trustworthiness without providing a security benefit. However,
some people might change their mind, and we do not
want one security mistake to become permanent.
We evaluated six storage policies with a large-scale, multimonth
field experiment. We found substantial differences
between the policies and selected the policy with the most
desirable characteristics. Google Chrome 45 adopted our
proposal, and it has proved successful since deployed. Subsequently,
we ran Mechanical Turk and GCS surveys to learn
about user expectations for warnings. Respondents generally
lacked knowledge about Chrome’s new storage policy,
but we remain satisfied with our proposal due to the behavioral
benefits we have observed in the field.
View details
Rethinking Connection Security Indicators
Helen Harris
Max Walker
Chris Thompson
Elisabeth Morant
SOUPS(2016)
Preview abstract
We propose a new set of browser security indicators, based on user research and an understanding of the design challenges faced by browsers. To motivate the need for new security indicators, we critique existing browser security indicators and survey 1,329 people about Google Chrome's indicators. We then evaluate forty icons and seven complementary strings by surveying thousands of respondents about their perceptions of the candidates. Ultimately, we select and propose three indicators. Our proposed indicators have been adopted by Google Chrome, and we hope to motivate others to update their security indicators as well.
View details
