TY - CONF
T1 - The impact of secure transport protocols on phishing efficacy
AU - Ma, Zane
AU - Reynolds, Joshua
AU - Dickinson, Joseph
AU - Wang, Kaishen
AU - Judd, Taylor
AU - Barnes, Joseph D.
AU - Mason, Joshua
AU - Bailey, Michael
N1 - Funding Information:
The authors thank Eric Frahm, Charles Geigner, and the Technology Services Security team for their feedback and help deploying this study. We wish to also thank our anonymous reviewers who provided helpful comments on earlier drafts of the manuscript. This work was supported in part by the National Science Foundation under contract CNS 1518741, and the State Farm Companies Foundation Doctoral Scholar Program. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not reflect the views of their employers or sponsors.
PY - 2019
Y1 - 2019
N2 - Secure transport protocols have become widespread in recent years, primarily due to growing adoption of HTTPS and SMTP over TLS. Worryingly, prior user studies have shown that users often do not understand the security that is provided by these protocols and may assume protections that do not exist. This study investigates how the security protocol knowledge gap impacts user behavior by performing a phishing experiment on 266 users that A/B tests the effects of HTTP/HTTPS and SMTP/SMTP+TLS on phishing susceptibility. Secure email transport had minimal effect, while HTTPS increased the click-through rate of email phishing links (72.0% HTTPS, 60.0% HTTP) and the credential-entry rate of phishing sites (58.0% HTTPS, 55.6% HTTP). However, our results are merely suggestive and do not rise to the level of statistical significance (p = 0.17 click-through, p = 0.31 credential-entry). To better understand the factors that affect credential-entry, we categorized differences in browser presentation of HTTP/HTTPS and correlated participant susceptibility with browser URL display features. We administered a follow-up survey for phishing victims, which was designed to provide qualitative insights for observed outcomes, but it did not yield meaningful results. Overall, this study is a suggestive look at the behavioral impact of secure transport protocols and can serve as a basis for future larger-scale studies.
AB - Secure transport protocols have become widespread in recent years, primarily due to growing adoption of HTTPS and SMTP over TLS. Worryingly, prior user studies have shown that users often do not understand the security that is provided by these protocols and may assume protections that do not exist. This study investigates how the security protocol knowledge gap impacts user behavior by performing a phishing experiment on 266 users that A/B tests the effects of HTTP/HTTPS and SMTP/SMTP+TLS on phishing susceptibility. Secure email transport had minimal effect, while HTTPS increased the click-through rate of email phishing links (72.0% HTTPS, 60.0% HTTP) and the credential-entry rate of phishing sites (58.0% HTTPS, 55.6% HTTP). However, our results are merely suggestive and do not rise to the level of statistical significance (p = 0.17 click-through, p = 0.31 credential-entry). To better understand the factors that affect credential-entry, we categorized differences in browser presentation of HTTP/HTTPS and correlated participant susceptibility with browser URL display features. We administered a follow-up survey for phishing victims, which was designed to provide qualitative insights for observed outcomes, but it did not yield meaningful results. Overall, this study is a suggestive look at the behavioral impact of secure transport protocols and can serve as a basis for future larger-scale studies.
UR - http://www.scopus.com/inward/record.url?scp=85084163865&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85084163865&partnerID=8YFLogxK
M3 - Paper
AN - SCOPUS:85084163865
T2 - 12th USENIX Workshop on Cyber Security Experimentation and Test, CSET 2019, co-located with USENIX Security 2019
Y2 - 12 August 2019
ER -