The Impact of Secure Transport Protocols on Phishing Efficacy

Authors: 

Zane Ma, Joshua Reynolds, Joseph Dickinson, Kaishen Wang, Taylor Judd, Joseph D. Barnes, Joshua Mason, and Michael Bailey, University of Illinois at Urbana-Champaign

Long Extended Work Paper

Abstract: 

Secure transport protocols have become widespread in recent years, primarily due to growing adoption of HTTPS and SMTP over TLS. Worryingly, prior user studies have shown that users often do not understand the security that is provided by these protocols and may assume protections that do not exist. This study investigates how the security protocol knowledge gap impacts user behavior by performing a phishing experiment on 266 users that A/B tests the effects of HTTP/HTTPS and SMTP/SMTP+TLS on phishing susceptibility. Secure email transport had minimal effect, while HTTPS increased the click-through rate of email phishing links (72.0% HTTPS, 60.0% HTTP) and the credential-entry rate of phishing sites (58.0% HTTPS, 55.6% HTTP). However, our results are merely suggestive and do not rise to the level of statistical significance (p = 0.17 click-through, p = 0.31 credential-entry). To better understand the factors that affect credential-entry, we categorized differences in browser presentation of HTTP/HTTPS and correlated participant susceptibility with browser URL display features. We administered a follow-up survey for phishing victims, which was designed to provide qualitative insights for observed outcomes, but it did not yield meaningful results. Overall, this study is a suggestive look at the behavioral impact of secure transport protocols and can serve as a basis for future larger-scale studies.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {238244,
author = {Zane Ma and Joshua Reynolds and Joseph Dickinson and Kaishen Wang and Taylor Judd and Joseph D. Barnes and Joshua Mason and Michael Bailey},
title = {The Impact of Secure Transport Protocols on Phishing Efficacy},
booktitle = {12th USENIX Workshop on Cyber Security Experimentation and Test (CSET 19)},
year = {2019},
address = {Santa Clara, CA},
url = {https://www.usenix.org/conference/cset19/presentation/ma},
publisher = {USENIX Association},
month = aug
}