The impact of secure transport protocols on phishing efficacy

Zane Ma; Joshua Reynolds; Joseph Dickinson; Kaishen Wang; Taylor Judd; Joseph D. Barnes; Joshua Mason; Michael Bailey

The impact of secure transport protocols on phishing efficacy

Zane Ma, Joshua Reynolds, Joseph Dickinson, Kaishen Wang, Taylor Judd, Joseph D. Barnes, Joshua Mason, Michael Bailey

Research output: Contribution to conference › Paper › peer-review

Abstract

Secure transport protocols have become widespread in recent years, primarily due to growing adoption of HTTPS and SMTP over TLS. Worryingly, prior user studies have shown that users often do not understand the security that is provided by these protocols and may assume protections that do not exist. This study investigates how the security protocol knowledge gap impacts user behavior by performing a phishing experiment on 266 users that A/B tests the effects of HTTP/HTTPS and SMTP/SMTP+TLS on phishing susceptibility. Secure email transport had minimal effect, while HTTPS increased the click-through rate of email phishing links (72.0% HTTPS, 60.0% HTTP) and the credential-entry rate of phishing sites (58.0% HTTPS, 55.6% HTTP). However, our results are merely suggestive and do not rise to the level of statistical significance (p = 0.17 click-through, p = 0.31 credential-entry). To better understand the factors that affect credential-entry, we categorized differences in browser presentation of HTTP/HTTPS and correlated participant susceptibility with browser URL display features. We administered a follow-up survey for phishing victims, which was designed to provide qualitative insights for observed outcomes, but it did not yield meaningful results. Overall, this study is a suggestive look at the behavioral impact of secure transport protocols and can serve as a basis for future larger-scale studies.

Original language	English (US)
State	Published - 2019
Event	12th USENIX Workshop on Cyber Security Experimentation and Test, CSET 2019, co-located with USENIX Security 2019 - Santa Clara, United States Duration: Aug 12 2019 → …

Conference

Conference	12th USENIX Workshop on Cyber Security Experimentation and Test, CSET 2019, co-located with USENIX Security 2019
Country/Territory	United States
City	Santa Clara
Period	8/12/19 → …

ASJC Scopus subject areas

Computer Networks and Communications
Safety, Risk, Reliability and Quality

Library availability

Discover UIUC Full Text

Cite this

@conference{f5ba0a2716ab4f5da9687984d2e21441,

title = "The impact of secure transport protocols on phishing efficacy",

abstract = "Secure transport protocols have become widespread in recent years, primarily due to growing adoption of HTTPS and SMTP over TLS. Worryingly, prior user studies have shown that users often do not understand the security that is provided by these protocols and may assume protections that do not exist. This study investigates how the security protocol knowledge gap impacts user behavior by performing a phishing experiment on 266 users that A/B tests the effects of HTTP/HTTPS and SMTP/SMTP+TLS on phishing susceptibility. Secure email transport had minimal effect, while HTTPS increased the click-through rate of email phishing links (72.0% HTTPS, 60.0% HTTP) and the credential-entry rate of phishing sites (58.0% HTTPS, 55.6% HTTP). However, our results are merely suggestive and do not rise to the level of statistical significance (p = 0.17 click-through, p = 0.31 credential-entry). To better understand the factors that affect credential-entry, we categorized differences in browser presentation of HTTP/HTTPS and correlated participant susceptibility with browser URL display features. We administered a follow-up survey for phishing victims, which was designed to provide qualitative insights for observed outcomes, but it did not yield meaningful results. Overall, this study is a suggestive look at the behavioral impact of secure transport protocols and can serve as a basis for future larger-scale studies.",

author = "Zane Ma and Joshua Reynolds and Joseph Dickinson and Kaishen Wang and Taylor Judd and Barnes, {Joseph D.} and Joshua Mason and Michael Bailey",

note = "Funding Information: The authors thank Eric Frahm, Charles Geigner, and the Technology Services Security team for their feedback and help deploying this study. We wish to also thank our anonymous reviewers who provided helpful comments on earlier drafts of the manuscript. This work was supported in part by the National Science Foundation under contract CNS 1518741, and the State Farm Companies Foundation Doctoral Scholar Program. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not reflect the views of their employers or sponsors. Publisher Copyright: {\textcopyright} 2019 USENIX Association. All rights reserved.; 12th USENIX Workshop on Cyber Security Experimentation and Test, CSET 2019, co-located with USENIX Security 2019 ; Conference date: 12-08-2019",

year = "2019",

language = "English (US)",

}

TY - CONF

T1 - The impact of secure transport protocols on phishing efficacy

AU - Ma, Zane

AU - Reynolds, Joshua

AU - Dickinson, Joseph

AU - Wang, Kaishen

AU - Judd, Taylor

AU - Barnes, Joseph D.

AU - Mason, Joshua

AU - Bailey, Michael

N1 - Funding Information: The authors thank Eric Frahm, Charles Geigner, and the Technology Services Security team for their feedback and help deploying this study. We wish to also thank our anonymous reviewers who provided helpful comments on earlier drafts of the manuscript. This work was supported in part by the National Science Foundation under contract CNS 1518741, and the State Farm Companies Foundation Doctoral Scholar Program. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not reflect the views of their employers or sponsors. Publisher Copyright: © 2019 USENIX Association. All rights reserved.

PY - 2019

Y1 - 2019

N2 - Secure transport protocols have become widespread in recent years, primarily due to growing adoption of HTTPS and SMTP over TLS. Worryingly, prior user studies have shown that users often do not understand the security that is provided by these protocols and may assume protections that do not exist. This study investigates how the security protocol knowledge gap impacts user behavior by performing a phishing experiment on 266 users that A/B tests the effects of HTTP/HTTPS and SMTP/SMTP+TLS on phishing susceptibility. Secure email transport had minimal effect, while HTTPS increased the click-through rate of email phishing links (72.0% HTTPS, 60.0% HTTP) and the credential-entry rate of phishing sites (58.0% HTTPS, 55.6% HTTP). However, our results are merely suggestive and do not rise to the level of statistical significance (p = 0.17 click-through, p = 0.31 credential-entry). To better understand the factors that affect credential-entry, we categorized differences in browser presentation of HTTP/HTTPS and correlated participant susceptibility with browser URL display features. We administered a follow-up survey for phishing victims, which was designed to provide qualitative insights for observed outcomes, but it did not yield meaningful results. Overall, this study is a suggestive look at the behavioral impact of secure transport protocols and can serve as a basis for future larger-scale studies.

AB - Secure transport protocols have become widespread in recent years, primarily due to growing adoption of HTTPS and SMTP over TLS. Worryingly, prior user studies have shown that users often do not understand the security that is provided by these protocols and may assume protections that do not exist. This study investigates how the security protocol knowledge gap impacts user behavior by performing a phishing experiment on 266 users that A/B tests the effects of HTTP/HTTPS and SMTP/SMTP+TLS on phishing susceptibility. Secure email transport had minimal effect, while HTTPS increased the click-through rate of email phishing links (72.0% HTTPS, 60.0% HTTP) and the credential-entry rate of phishing sites (58.0% HTTPS, 55.6% HTTP). However, our results are merely suggestive and do not rise to the level of statistical significance (p = 0.17 click-through, p = 0.31 credential-entry). To better understand the factors that affect credential-entry, we categorized differences in browser presentation of HTTP/HTTPS and correlated participant susceptibility with browser URL display features. We administered a follow-up survey for phishing victims, which was designed to provide qualitative insights for observed outcomes, but it did not yield meaningful results. Overall, this study is a suggestive look at the behavioral impact of secure transport protocols and can serve as a basis for future larger-scale studies.

UR - http://www.scopus.com/inward/record.url?scp=85084163865&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85084163865&partnerID=8YFLogxK

M3 - Paper

AN - SCOPUS:85084163865

T2 - 12th USENIX Workshop on Cyber Security Experimentation and Test, CSET 2019, co-located with USENIX Security 2019

Y2 - 12 August 2019

ER -

The impact of secure transport protocols on phishing efficacy

Abstract

Conference

ASJC Scopus subject areas

Library availability

Related links

Fingerprint

Cite this