Slashdot Mirror


Security Certificate Warnings Don't Work

angry tapir writes "In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users). The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web. They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites."

4 of 432 comments

  1. Re:I would probably do the same thing by oGMo · Score: 4, Informative

    authentication (which very few sites need

    When I log into $FORUM, how do I make sure that I am giving my password to $FORUM and not to someone who has intercepted my Internet connection?

    You don't. Unless you call up $FORUM_OWNER at a verified number (not off the domain)---which means you first have to investigate and verify who the owner is---and get them to verify their certificate fingerprint. You do that every time you log in somewhere? I didn't think so.

    The PKI "authorities" do no checking. Anyone with a few hundred bucks can get a "valid" cert, so if you're relying on that ...

    banks and so on

    Every time you shop online, you deal with banks.

    No, you deal with merchants. Merchants deal with a chain of other people, who may or may not be banks. Credit card companies are not, but your card may be managed through one.

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

  2. Re:'People' don't understand computers by xenocide2 · Score: 4, Informative

    Firefox makes users jump through hoops for a reason. Once upon a time, webmasters were terrible at keeping websites up to date, and browsers didn't work very hard to make it apparent. If the website is built and operated correctly, users never see a damn thing.

    The first hoop is the most important: the page looks like an error, because it is. The proper thing to do is contact the webmaster, or call your helpdesk, and get the cert fixed. Don't continue. The wrong thing to do here is all the rest of the crap where you "pay attention" but intentionally make a stupid decision and "continue anyway." That process does actually give much more information than previous incarnations. If it's self-signed, or expired, or invalid, it'll say so. Not that it matters, because you as a user have no control over whether the certificate is valid or not. These messages should be intended for power users and developers, since they're the only people who might be able to escalate or *fix it*.

    The problem as I see it is that web people seem okay with the idea of allowing bad certs. Helpdesk might have previously told users "just click continue anyways, and go on your way." So yeah, error dialogs were much easier for users when they could click once and permanently ignore security warnings caused by incompetent IT.

    --
    I Browse at +4 Flamebait

    Open Source Sysadmin

  3. Re:Maybe Firefox will Chill Out now by dgatwood · Score: 4, Informative

    Standard certs do nothing to establish identity. They merely establish that the site is not being spoofed. Thus, the purpose of the whois email verification is not to prevent illegitimate sites from getting certs. The purpose of the whois email verification is to ensure that I can't get a cert for www.bankofamerica.com, hack an ISP's DNS server to redirect their traffic to my site, and pose as Bank of America. For those purposes, it is sufficient to merely require that the domain owners confirm via email that the request was authorized.

    If you want to confirm that a domain owner is in any way anything approaching a legitimate business, that's what an EV cert is for. Only an EV cert establishes identity in any way.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  4. Re:Maybe Firefox will Chill Out now by Cyberax · Score: 4, Informative

    Right now, the only suitable infrastructure for such delegation is DNS. And it's horribly insecure for such things.

    Fortunately, it'll become possible with DNSSEC. Indeed, there are groups working on certificate delegation via DNS.

    http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F10467%2F33214%2F01565268.pdf%3Farnumber%3D1565268&authDecision=-203
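    The delegation Cyberax describes (publishing what certificate a host should present in DNSSEC-signed DNS, so the check oGMo says nobody does by phone can be done automatically) was later standardised as the TLSA record in RFC 6698. The following is an added example, not code from the thread or from the linked paper; it implements TLSA matching for usage 3 / selector 0 records only, and `SAMPLE_CERT_DER`, the function names and the `dnssec_validated` flag are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for a DER-encoded leaf certificate. In a real client
# these would be the bytes of the end-entity certificate received in the TLS
# handshake; any byte string exercises the matching logic the same way.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-leaf-certificate-bytes"

# TLSA matching types (RFC 6698, section 2.1.3): how the certificate data is
# represented in the record's Certificate Association Data field.
MATCHING_TYPES = {
    0: lambda data: data,                            # full data, no hash
    1: lambda data: hashlib.sha256(data).digest(),   # SHA-256 of the data
    2: lambda data: hashlib.sha512(data).digest(),   # SHA-512 of the data
}


def tlsa_record_for(cert_der, usage=3, selector=0, matching_type=1):
    """Build the TLSA RDATA tuple the zone operator publishes (and DNSSEC-signs).
    usage 3 = DANE-EE: trust exactly this end-entity certificate, no CA needed.
    selector 0 = match the whole certificate. Selector 1 (SubjectPublicKeyInfo)
    needs a DER parser and is deliberately out of scope here."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) is not handled in this example")
    return (usage, selector, matching_type, MATCHING_TYPES[matching_type](cert_der))


def tlsa_matches(presented_cert_der, record):
    """True if the certificate the server presented matches one TLSA record."""
    usage, selector, matching_type, assoc_data = record
    if usage != 3 or selector != 0 or matching_type not in MATCHING_TYPES:
        return False  # only DANE-EE, full-certificate records are handled
    expected = MATCHING_TYPES[matching_type](presented_cert_der)
    # Constant-time comparison; also returns False on length mismatch.
    return hmac.compare_digest(expected, assoc_data)


def verify_against_dns(presented_cert_der, records, dnssec_validated):
    """Accept the certificate only if the TLSA RRset was DNSSEC-validated
    (unsigned DNS is exactly the insecure channel the comment warns about)
    and at least one record matches the presented certificate."""
    if not dnssec_validated:
        return False
    return any(tlsa_matches(presented_cert_der, r) for r in records)


if __name__ == "__main__":
    rec = tlsa_record_for(SAMPLE_CERT_DER)
    print("matches own record:", verify_against_dns(SAMPLE_CERT_DER, [rec], True))
    print("matches tampered cert:", verify_against_dns(SAMPLE_CERT_DER + b"x", [rec], True))
```

A substituted certificate fails even if a CA would sign it, and an unsigned (or spoofed) DNS answer is rejected outright rather than trusted.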