Maass, Max ; Clement, Marc-Pascal ; Hollick, Matthias (2022)
Snail Mail Beats Email Any Day: On Effective Operator Security Notifications in the Internet.
ARES 2021: The 16th International Conference on Availability, Reliability and Security. Vienna, Austria (17.08.2021-20.08.2021)
doi: 10.26083/tuprints-00021794
Konferenzveröffentlichung, Zweitveröffentlichung, Postprint
 | Es ist eine neuere Version dieses Eintrags verfügbar. |
Kurzbeschreibung (Abstract)
In the era of large-scale internet scanning, misconfigured websites are a frequent cause of data leaks and security incidents. Previous research has investigated sending automated email notifications to operators of insecure or compromised websites, but has often met with limited success due to challenges in address data quality, spam filtering, and operator distrust and disinterest. While several studies have investigated the design and phrasing of notification emails in a bid to increase their effectiveness, the use of other contact channels has remained almost completely unexplored due to the required effort and cost. In this paper, we investigate two methods to increase notification success: the use of letters as an alternative delivery medium, and the description of attack scenarios to incentivize remediation. We evaluate these factors as part of a notification campaign utilizing manually-collected address information from 1359 German website operators and focusing on unintentional information leaks from web servers. We find that manually collected addresses lead to large increases in delivery rates compared to previous work, and letters were markedly more effective than emails, increasing remediation rates by up to 25 percentage points. Counterintuitively, providing detailed descriptions of possible attacks can actually decrease remediation rates, highlighting the need for more research into how notifications are perceived by recipients.
| Typ des Eintrags: | Konferenzveröffentlichung |
|---|---|
| Erschienen: | 2022 |
| Autor(en): | Maass, Max ; Clement, Marc-Pascal ; Hollick, Matthias |
| Art des Eintrags: | Zweitveröffentlichung |
| Titel: | Snail Mail Beats Email Any Day: On Effective Operator Security Notifications in the Internet |
| Sprache: | Englisch |
| Publikationsjahr: | 2022 |
| Ort: | Darmstadt |
| Publikationsdatum der Erstveröffentlichung: | 2021 |
| Verlag: | Association for Computing Machinery |
| Buchtitel: | The 16th International Conference on Availability, Reliability and Security |
| Kollation: | 13 Seiten |
| Veranstaltungstitel: | ARES 2021: The 16th International Conference on Availability, Reliability and Security |
| Veranstaltungsort: | Vienna, Austria |
| Veranstaltungsdatum: | 17.08.2021-20.08.2021 |
| DOI: | 10.26083/tuprints-00021794 |
| URL / URN: | https://tuprints.ulb.tu-darmstadt.de/21794 |
| Zugehörige Links: | |
| Herkunft: | Zweitveröffentlichungsservice |
| Kurzbeschreibung (Abstract): | In the era of large-scale internet scanning, misconfigured websites are a frequent cause of data leaks and security incidents. Previous research has investigated sending automated email notifications to operators of insecure or compromised websites, but has often met with limited success due to challenges in address data quality, spam filtering, and operator distrust and disinterest. While several studies have investigated the design and phrasing of notification emails in a bid to increase their effectiveness, the use of other contact channels has remained almost completely unexplored due to the required effort and cost. In this paper, we investigate two methods to increase notification success: the use of letters as an alternative delivery medium, and the description of attack scenarios to incentivize remediation. We evaluate these factors as part of a notification campaign utilizing manually-collected address information from 1359 German website operators and focusing on unintentional information leaks from web servers. We find that manually collected addresses lead to large increases in delivery rates compared to previous work, and letters were markedly more effective than emails, increasing remediation rates by up to 25 percentage points. Counterintuitively, providing detailed descriptions of possible attacks can actually decrease remediation rates, highlighting the need for more research into how notifications are perceived by recipients. |
| Freie Schlagworte: | information leakage, web security, notification study |
| Status: | Postprint |
| URN: | urn:nbn:de:tuda-tuprints-217946 |
| Sachgruppe der Dewey Dezimalklassifikatin (DDC): | 000 Allgemeines, Informatik, Informationswissenschaft > 004 Informatik |
| Fachbereich(e)/-gebiet(e): | 20 Fachbereich Informatik 20 Fachbereich Informatik > Sichere Mobile Netze |
| Hinterlegungsdatum: | 29 Jul 2022 13:12 |
| Letzte Änderung: | 02 Aug 2022 07:18 |
| PPN: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
Verfügbare Versionen dieses Eintrags
- Snail Mail Beats Email Any Day: On Effective Operator Security Notifications in the Internet. (deposited 29 Jul 2022 13:12) [Gegenwärtig angezeigt]
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum