Internet users have grown immune to security certificate warnings and are more than happy to click past them, according to a new report out of Carnegie Mellon University. Researchers found that users won't hesitate to engage in this risky browsing behavior, especially since most warnings are for benign things like expired certificates. This behavior leaves them vulnerable to man-in-the-middle attacks, and the report calls for a reform in how warnings are handled in both safe and dangerous situations.

The researchers studied the behaviors of 409 Internet users in order to monitor their reactions to and understanding of various SSL warnings, and found that "far too many participants exhibited dangerous behavior in all warning conditions." This was despite the fact that many users understood the meaning of the warnings—for example, 50 percent of Firefox 2 users understood what an expired certificate meant, and 71 percent of those users said they actively ignored such a warning (47 percent and 64 percent for Firefox 3 users, respectively).

According to the paper, those who did not understand the expired certificate warnings were more likely to pay attention to them. This can be a problem—the researchers cited a January 2009 study that found at least 44 percent of the top 382,860 SSL-enabled websites had certificates that would trigger warnings. This behavior was slightly reversed, though, when users were presented with a domain mismatch warning (raised when the name in the site's certificate doesn't match the domain you're actually visiting). In this case, those who understood the warning were aware of the risks and were less likely to ignore it, whereas those who didn't understand it ignored it at roughly the same rate as other warnings.

The researchers did a follow-up study of their own with more direct language in the security warnings. They found that users performed better (more securely), but that the numbers were still less than ideal because warnings in general are so prevalent. "Regardless of how compelling or difficult to ignore, users think SSL warnings are of little consequence because they see them at legitimate websites," reads the report. Instead, the researchers recommended that warnings either be ditched altogether in benign scenarios, or take a more aggressive approach to dangerous websites.

"[U]sers' attitudes and beliefs about SSL warnings are likely to undermine their effectiveness. Therefore, the best avenue we have for keeping users safe may be to avoid SSL warnings altogether and really make decisions for users—blocking them from unsafe situations and remaining silent in safe situations."
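As an added illustration (not code from the article or the CMU study), the Python below raises the two warning conditions the article discusses, expiry and domain mismatch, over certificates in the shape `ssl.getpeercert()` returns, then applies a "decide for the user" rule in the spirit of the researchers' recommendation. The sample certificates, the fixed 2026 clock, and the block-on-any-problem policy are assumptions of this example.

```python
import ssl
from datetime import datetime, timezone

# Certificates are dicts in the shape ssl.SSLSocket.getpeercert() returns;
# the values below are constructed for this example, not real certificates.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
VALID = {"subject": ((("commonName", "www.example.com"),),),
         "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
         "notAfter": "Jan  1 00:00:00 2030 GMT"}
EXPIRED = dict(VALID, notAfter="Jun 30 23:59:59 2025 GMT")
WILDCARD = dict(VALID, subjectAltName=(("DNS", "*.example.com"),))
OTHER_SITE = dict(VALID, subjectAltName=(("DNS", "other-site.test"),))

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; '*' counts only as the whole
    leftmost label and matches exactly one label (*.example.com matches
    api.example.com, but not example.com, a.b.example.com or *.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def warning_conditions(cert: dict, hostname: str, now: datetime = NOW) -> list:
    """Return the warning conditions the article discusses, as a browser would raise them."""
    problems = []
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now > not_after:
        problems.append("expired")
    # Names come from the SAN extension; the CN is a fallback only when no SAN DNS entry exists.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(dns_name_matches(n, hostname) for n in names):
        problems.append("domain_mismatch")
    return problems

def decide(cert: dict, hostname: str, now: datetime = NOW) -> tuple:
    """Policy in the spirit of the report: silent when nothing is wrong, a hard block
    otherwise, with no prompt for the user. A name mismatch is the case consistent with
    an active man-in-the-middle; expiry is blocked too, since the client cannot tell a
    neglected renewal from a replayed old key."""
    problems = warning_conditions(cert, hostname, now)
    if not problems:
        return ("allow", "certificate is valid for this host; no prompt shown")
    if "domain_mismatch" in problems:
        return ("block", "certificate was issued for a different name; possible interception")
    return ("block", "certificate validity problem: " + ", ".join(problems))
```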
