Vision: What the hack is going on? A first look at how website owners became aware that their website was hacked

ABSTRACT
Websites are an essential part of today's business activities. Content Management Systems (CMS) are popular because even laypersons can build good-looking websites with simple means and at low cost. But if websites are not maintained regularly, they become vulnerable, and such vulnerabilities can be abused, e.g., to inject third-party redirects. Informing website owners about this type of attack is challenging. To learn more about how website owners find out about vulnerabilities on their websites, we invited 156 website owners to participate in an online survey. Those who had already fixed the third-party redirect before we could notify them were asked how they became aware of the attack. Participants could answer the questionnaire either via a link to an online survey platform or by sending their answers back to us by e-mail. Only 11 people answered our questionnaire, and only four of them had been aware of the attack before receiving our invitation e-mail. Based on these four answers, we tentatively confirm the findings of previous research on the design of vulnerability notifications. With a larger sample it would be worth testing whether our further observations also hold, namely that a) online surveys, even when they can only be reached by clicking an unknown link, are preferred over responding via e-mail, b) the number of responses can be increased by sending several reminders, and c) a sender attributed with higher authority increases the response rate. Furthermore, we suggest that future research on vulnerability notifications question the use of the term trustworthiness and examine whether recipients distinguish between the credibility and the trustworthiness of a notification when remediating attacks.