If you spend any amount of time on the web, you have definitely seen some security warnings. The question is, 'what do you do when you see one?'  Do you automatically click 'yes' to proceed?  If so, researchers from Carnegie Mellon University say that you are not alone.

In "Crying Wolf: An Empirical Study of SSL Warning Effectiveness", researchers at Carnegie Mellon University decided to find out what users do when they are confronted with a warning message like the one above.  So, they planned out a study and showed a sample of 400 people various warning messages to see how they react.  Results were stunning:

90% of the participants who used either Firefox 2 or Internet Explorer 7 to access a major (unnamed) bank's online banking site ignored the security warning. The researchers concluded that users seem to think that SSL certificate errors are of little consequence because they see them on so many legitimate sites.  As Sunshine, Egelman, Almuhimedi, Atri, and Cranor said, "users have a completely backward understanding of the risk of man-in-the-middle attacks and assume that they are less likely to occur at trusted websites like those belonging to bank."  A statement like this has tremendous implications for security researchers/providers!

The researchers cited one very important limitation to their study.  The study was sanctioned by Carnegie Mellon University.  This would automatically fill the sample with more trust than they would usually have.  Would a university of Carnegie Mellon's stature put their participants at serious risk?

Finally, those of you who use SmartSwipe likely know that we provide one extra warning to our customers.  If you have SmartSwipe installed, our software will display the following error if you navigate to a page with certificate problems: