“Phishing attack ahead” is similar to the stark, clear warnings delivered by road signs - and web users will soon benefit from this sort of plain-speaking alert, thanks to an upcoming change to Google Chrome security warnings.
Google’s Safe Browsing service is testing new malware warnings delivered as part of Google Chrome security - far simpler and blunter than previous alerts.
According to ZDNet’s report, previously users about to stumble on a phishing website would be warned, “Reported phishing website ahead, Google Chrome has blocked access to [url]. The website has been reported as a phishing website.”
The new warning will be, “Attackers on [url] might try to trick you to steal your information, for instance, passwords, messages or credit cards.”
Google Chrome security overhaul
The new Google Chrome security warnings come on a simple red page – and the previous cartoon of a burglar attempting to reach out and access a computer keyboard has gone – according to Tech World’s report.
Similar changes are being tested with Safe Browsing’s malware warnings, which now warn, bluntly, “The site ahead contains malware.”
The option to avoid the potentially infected page after a Google Chrome security warning is now a clear “back to safety,” according to Tech World.
Commenters on the official Google post have praised the clarity of the new Google Chrome security warnings - and the fact that the language makes clear that the attack has not happened yet.
Warning fatigue
The change comes in the wake of a Berkeley research paper, commissioned by Google, which found that users ignored many browser warnings.
Browser security warnings do work to protect users from phishing and malware sites - but “warning fatigue” means important alerts over site security can be completely ignored.
Users of Google’s Chrome ignored SSL warnings (relating to a secure protocol used for passwords, internet transactions, and banking) 70.2% of the time, a study of 25 million real-life warnings found. Overall, the study, which used metrics from Firefox and Chrome, found that the effectiveness of warnings varies widely from warning to warning and from browser to browser.
“Google Chrome’s SSL warning had a click-through rate of 70.2%. Such a high click-through rate is undesirable: either users are not heeding valid warnings, or the browser is annoying users with invalid warnings and possibly causing warning fatigue,” said the U.C. Berkeley researchers. The study, Alice in Warningland, was part-funded by Google.
“During our field study, users continued through a tenth of Mozilla Firefox’s malware and phishing warnings, a quarter of Google Chrome’s malware and phishing warnings, and a third of Mozilla Firefox’s SSL warnings,” the researchers said.
The researchers analysed the size, type and frequency of warning messages and found that users tended to click rapidly through warnings about “untrusted issuers” and name and date errors - both common warnings, and ignored by nearly half of users.
The researchers say that “warning fatigue” has a significant impact - “users click through more-frequent errors more quickly,” they say.
The researchers concluded that previous studies - showing that browser warnings simply did not work - relied on outdated data, harvested in a period between 2002 and 2009 when browsers were rapidly evolving. In particular, the large phishing warnings now delivered by modern browsers were much more effective than previous, more discreet warnings.