Many Web Users Ignore Security Alerts

A study commissioned by Venafi finds that almost half of U.S. Internet users ignore security and encryption alerts put up by their Web browsers.

A new study commissioned by encryption management company Venafi and conducted by NSØN opinion Research looked at more than 1,000 respondents experience with online security certificates, encryption, and the warnings implemented by browser developers to point to possible problems with expired, mismatched, or untrusted certificates. The survey finds that 91 percent of respondents have seen a browser security alert, with fully 86 percent reporting seeing them at least every few months. Furthermore, while almost half of U.S. Internet users surveyed say they abandon a site once they see a security alert, nearly an equal number ignore the alert and proceed to conduct business on the site, potentially putting their personal and financial information at risk.

“Although companies are deploying more encryption to protect consumers, they simply are not doing an adequate job of maintaining it,” said Trell Rohovit, Venafi’s president and CEO, in a release. “This mismanagement causes confusion, and according to our study, is a significant stumbling block for users of on-line services and a costly problem for organizations who rely heavily on the Web to efficiently deliver services to their customers.”

Web site security alerts are displayed by modern Web browsers when a site’s encryption certificate is expired, is not trusted by a browser (e.g, comes from an unrecognized source), or does not match the location of the site. Mismatches and untrusted certificates can be caused by “phishers” or others trying to impersonate a site—particularly in the case of sites purporting to be bands, brokerages, or other financial institutions.

When asked why security alerts appear, 34 percent of survey respondents said they have no idea why the alerts come up, while 24 percent said they believed it was a problem with the site, and 40 percent said it was because someone was trying to compromise their personal data.

Nearly 70 percent of respondents said they have received at least one phishing attempt, which tried to direct them to a Web site that looked authentic in order to obtain their personal or financial information. However, 46 percent of respondents said they assess the integrity of a Web site by going to it regularly and knowing what it looks like.

The survey also found the telecommunications companies had the fewest expired certificates, while technology companies accounted for the highest number of expired certificates.

And here’s an irony: Venafi will supply anyone with a free copy of the complete study, in exchange for filling out a form with personal information and details about your organization’s encryption management process. And while the company does offer a privacy policy…gosh, the transaction isn’t encrypted.