SearchSecurity.com

Adrian Perrig: Improve SSL/TLS Security Through Education and Technology

Despite much recent progress in the area of user-centric design of secure systems, user error continues to cause a large number of security vulnerabilities in current systems. Both user education and technology can help to improve this situation.

At CyLab at Carnegie Mellon University, our goal is to improve security in all aspects of society. First, we developed educational programs to train students in security. Second, CyLab researchers engage in several efforts to design systems that remain secure despite human errors, and to develop technologies that provide improved situational awareness to the user.

Using the Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protocols for secure HTTPS Web connections as a case study, we will first describe how education has helped improve Web security, followed by a description of the Perspectives project, which provides additional information for users to make better security decisions. To provide some background for our discussion, we briefly revisit some security-relevant SSL/TLS fundamentals.

SSL/TLS is a protocol that provides communication secrecy and authenticity, and it is invoked whenever we access an HTTPS-based Web page. Although SSL/TLS is a well-designed protocol, it still has to face the complexities and realities of our computing environment, which result in numerous opportunities for user error and the following vulnerabilities.

Probably the most fundamental threat


All Rights Reserved, Copyright 2000 - 2013, TechTarget