Slashdot Mirror
Security Certificate Warnings Don't Work
angry tapir writes "In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users). The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web. They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites."
I blame firefox's big scary error page that comes up every time a page uses a self-signed certificate. I've gotten so good at ignoring that, I probably wouldn't notice if a page said "the certificate doesn't match" instead of "the certificate is self-signed."
Mozilla isn't doing anybody any favors with their heightened paranoia.
A cat can't teach a dog to bark.
But more importantly your average user doesn't have a clue what a security certificate is, so why would they care if there's a warning about it?
I am reasonable computer-savvy but I also don't understand these messages most of the time. I then use the 'I have a Mac, I am invincible' attitude, which is dangerous of course. But I just want to view that website!
-- Cheers!
The problem is that those things are just a nuisance for a lot of things. It just pops up randomly because a developer forgot to test the latest update or didn't install the new certificate on all the frontends. Then you have the 'intermediate' CA's where if the intermediate issuer isn't in the browser CA's or the browser doesn't support intermediates or wildcard certificates it gives you another warning. Or somebody let the certificate expire or didn't get it signed by a well-known CA (usually the less-professional sites that are self-signing). Then if your ISP isn't honest (which apparently 99% of them these days aren't) with their DNS and you go to https://wrongname.com/ it will give you the https version of their ad page on the other domain which of course gives a big warning.
I have seen warnings on important sites like Wells Fargo and Bank of America and there are permanent warnings on some other sites that I use frequently that are either self-signed or expired. I usually verify them and it's not my system that's been hijacked so I am ignoring them largely as well.
Custom electronics and digital signage for your business: www.evcircuits.com
Certs never guarantee who you're talking to, they only provide encrypted communication.
Actually, certificates do guarentee that the person you are talking to is the same as the time the certificate was first issued.
... these warnings can be safely ignored 90% of the time. IIndeed software and web developers bombard users with uncessary messages and errors, such they become a little keen just to click ok and see what happens anyway. Another problem is with wording of the warnings which are too formal-technical and not plain-english-ok-so-what-should-i-do-now.
Just wording it differently like 'If you are accessing what appears to be a trusted website, and you are recieving this warning, you should not visit it as it could be a nasty security risk. Try again later." Rather than "Warning: Security certificate is not valid... [etc etc..]". This makes a huge difference.
WOT is more to the point: "This website is dangerous" and the page is locked out until you navigate away or click on a very clear "Ignore this warning and proceed".
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
First, users don't know what certificates are, or why it matters. That should be pretty obvious.
The situation isn't helped by the fact that the overwhelming majority of invalid certs, in my experience, are just from random sites which you find with a Google search, and those sites for some reason have https instead of http as their search result. You click, and oh shock, the administrator hasn't updated his cert in ages, because nobody cares. After endless warnings about this, even I have stopped caring. It's almost a Pavlovian conditioning to see that warning and say "Yeah, whatever."
It's even worse now. Back in the day, you could dismiss these mostly spurious warnings with one click. These days, Firefox makes you go through an utterly obnoxious process of acknowledging the warning, then manually adding the certificate, then approving it. All because I needed to see some forum where people were discussing some problem I needed to solve. I am so tired of having to go through this that I just sigh and back away from the site and try to find another one that won't make me do this. I am not shocked that users just click whatever it takes to make the warnings go away.
mirrorshades radio -- darkwave, industrial, futurepop, ebm.
I have ran into countless situations where a self signed cert is the only cost sensible way to provide a secure HTTPS connection, and it comes across to users like me as something like this:
Oh great this again -- reminds me of UAC -- stupid security measures for site owners / browser makers / site users / who don't want to be caught in the aftermath of a criminal situation -- by appearing to make some people feel safer by telling them they are potentially NOT SAFE... :-)
"You agreed that you may not be safe, and you did it anyways! YOUR FAULT!
Hmmmm well I want to see this page, *NOW* And I know its the page I want to see, it is secure... that is good because I'm logging into this, oh it looks like they didn't go through Verisign etc, big deal. Cheapskates! Oh well..
God I hate being asked stupid questions ACCEPT, YES, OK
(I wish clicking "get me out of here" meant YES OK FINE!!! Let me log into the site already!)
I really think this practice of certs and security theater is just making cheap yet good *secure* sites look bad...
The cynic in me sees this as a way to line the pockets of so called "trusted authorities".
Cant this be done in a NON PROFIT manner???
Either way the users needs what the user needs and no amount of paternalism will save them from the monsters!
Dj fuQ [url="http://djfuq.org"]djfuq urges you to listen to the beats[/url] [url="http://djfuq.org"]http://djfuq.org[
I don't think it's a problem of not "understanding" computers. Rather that the language used in a lot of cases for the certificates is so verbose, that it confuses people. Remember that when you deal with the average member of the population you're dealing with someone who reads and writes somewhere between a grade 7-10 level. That means that their grasp of language is lower, their understanding is lower, and their frustration level is lower.
If you want to get through to people, you make warnings simpler. Make things simpler, people understand them better, and everyone is happy. Those of us who are in, have been in, the IT field(or associated areas), have a grasp of the English language somewhere around grade 12 to early college, or higher. In other words, this stuff is way beyond what most people can understand.
After all, if you told someone on the street you spent an evening going through a kernel recompile for fun they'd look at like you're an idiot with 3 heads. To them you are; to the rest of us, you're just another geek.
Om, nomnomnom...
Verisign is untrustworthy, so why should I care if a certificate is signed or not?
Signed certificates are a complete racket: If you don't pay us then when your users show up they will get a giant warning shown in their face, telling them not to trust you. You wouldn't want that would you? Nope, don't care who you are, what you do, or why. $100 bucks please.
"Legitimate sites will not do this" == lie. Seriously guys, fucking grow up. The number of changes I have had to make to firefox in code (not about:config, code) to disable autocomplete prevention, self-signed certs, etc...it's getting frustrating.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
You could have a big pop up box that says "Clicking here will empty your bank account, steal your car, rape your women and children, and cancel your NASCAR season pass on your TiVo" and John Q Public will still click on it.
Most of the non-techies and a lot of techies are sick of "The Browser/OS who cried wolf".
This. Developers seem convinced that adding more explanation can result in a better educated user. In reality, it just guarantees that fewer people will have read the whole thing. Make informational text as short as possible, but no shorter. IMHO, that's one of the things Apple traditionally nails in their designs that Microsoft flubs. "Save your work?" is a vastly more useful message in a dialog box than something like, "you have clicked a button which is used to close this application. if you close this application without saving changes to your data, it will be lost. You might also want to keep working. Click yes to save your work, no to discard it, or click cancel to continue working."
With Certificate issues, Firefox makes me jump through so many hoops that all my focus is on getting through the hoops, rather than evaluating security. I've never understood how the 'get certificate' button is supposed to make me safer. It seems to just add more steps in an effort to force me to pay attention to the process, but IMO fails to actually provide a security benefit.
Then why don't we fix that and solve or prevent a whole host of other problems by doing so?
There's something seriously pathological about seeing this as a situation to be accommodated rather than a disease state to be remedied.
It is a miracle that curiosity survives formal education. - Einstein
Excuse me? How can I make a user more secure if he is the one that clicks away all my warnings?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Exactly. My bank can spring for a paid certificate
Sure they can! Because those asswipes have a ton of fucking taxpayer money!
You are correct. The cert. method in FF3 sucks big time.
"Page maybe evil! There be dragons, do not go there!"
Better?
It does not change a thing. People do not read that shit. Even if they do, what's lacking is that we do not (and often cannot) offer them an alternative or solution. We don't tell them "instead, do this and you can still accomplish what you wanted to do". So the obvious response is "hmm... it said maybe. Ok, hopefully it won't be that bad".
Because they don't see any alternative. Their choice is only to take the (possible) risk or simply not do what they wanted to do.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This UI falls into the same pool as EULA user interface. It is lawyer-ware. If it actually helps someone not go to a bad site, that is great, but that is not the design goal. The goal is to limit liability and prevent a whole bunch of stupid people for suing the browser maker for damage caused by going to a bad site. This way if it goes to court, the defendant can just say "hey, we showed them a message saying it was a bad site and they clicked it anyway." Phishing filter is similar. It doesn't take a genius to understand that a phishing filter is only useful for people who can read URLs - after all, the filter just says "check this URL and make sure it is OK". But if you can read a URL, you don't need a phishing filter in the first place.
There are actually many pieces of UX that fall into this camp, where the UX makes little sense until you understand the various lawsuits that led to it. For instance, did you ever wonder why the "Pictures" item in the Windows start menu doesn't take you to the photo gallery - which is what something like 95% of users expect?
Unfortunately, over time we can expect this to increase instead of decrease.
Oh come on, a self signed certificate is ten times better than no certificate at all. But in the first case, both FF and IE will go berserk with all kind of ways to prevent you from visiting the site. In the second, totally unsecure scenario, the browser won't say a word ..
So again, I have a working site. I decide to add a layer of encryption - and the browser starts warning my users that it's unsafe. Illogical at least .. and here you are defending this idiocy.You must be working for verisign or thawte ..
Fixing people that read at a 7th grade education? Give me a break! I live in Florida, with a ton of other very intelligent people from all over the world who just want a boat dock behind their house and a pool out their back door. . But there are also TONS of morons who think George W. Bush is an intellectual and the banking crisis was caused by Obama running for office. And it's not just here either I used to live in LA, and my next door neighbor there was so stupid he thought that Obama was proof that Bin Ladin had infiltrated the Senate. How are you gonna teach these bozos anything. They will just want to fight you. Youcalimestupid boy?
I have several sites I use regularly which are permanently on self-signed certificates. Why? Because the cost of getting a real, properly signed certificate is f$&@ing highway robbery. It's one entry in a lookup table, yet it costs more per year than my last car. Sure, BankOfAmerica.com can afford that, but can your small business's intranet? Can a small hobby out of someone's basement?
We're trained every day that legitimate sites self-sign. And that the warnings can safely be ignored. This isn't a failure of people's intelligence, this is a symptom of the signers pricing their "security" into irrelevance.
Make it negligably cheap and it will be important again. Keep it out stupidly luxury priced, and everybody knows what a crock the system is.
The ______ Agenda
Here's a neato business plan. Buy a bunch of certs. Sell them to other people. http://www.google.com/search?q=anonymous+ssl+cert
Of course, if all it takes is an email from the domain you just registered for your phishing site, how is it that you won't get the email? I once bought bought cheap cert from godaddy for a site I ran (legit site) -- I never got a phone call. What's an email prove -- nothing except I can fill in some forms on a webhost admin console to set up an email. It doesn't say a thing about who I am.
What changed under Obama? Nothing Good
So now instead of crying wolf very often you want to scream very loudly in their face, in an inescapable manner. You have not solved the problem that the "failed certificate" problem occurs too often, neither have you solved the problem of making the user understand why a failed cert MIGHT be important in some case (when a trusted conn is really necessary like to do bank ops).
Instead you just screan loudlier while hold them by the shoulder. That will not help, it will only do two things 1) search for a web browser which do not scream at them 2) ignore even more the cert warning by going take a coffee and click it away anyway when they come back.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
There are basically two reasons to use SSL:
1. connection encryption (i.e. nobody else can read the transmission);
2. site authentication (i.e. you can be certain that this page is actually your bank's website).
See, here's the problem. Many a time I need to put up encryption, but have no need whatsoever for authentication (sending data like passwords or whatever, but not that critical to be a target of somebody setting up a bigus copy). Firefox says "whatever", and proceeds to complain about 2. above not being satisfied. And complain loud!
Something's wrong in this image. I think there should be 2 classes of SSL certs - "encryption-only" and "full-mode", or whatever they'd be called. the "encryption-only" cert could allow you to use SSL without warnings; the "full-mode" cert wouldn't. The icon or other graphical method of identifying "trusted sites" could even be completely different for both modes.
CA's take a long time to get revoked. Check google for Comodo as an exmple of a lazy CA.
"and taking almost a month to revoke the certificate has to change. The excuse that everyone else does it, so we do it too else we lose business, is weak at best. "
But the whole point is that people do not really understand certificates. There are big warnings, but people are kept in the dark what they should do. Also people are clueless what the small lock actually means. The fact is that if there is a certificate you should be able to idntifiy the people behind it. That does not help you if those people are international scammers in a country where the police does not care. (Maybe because there are bigger problems in that country , like speeding violations)
A company which is running their own CA for internal use should have the means to install that CA on each workstation -- thus, no warning, and as a bonus, no possibility of MITMs inside their network.
Don't thank God, thank a doctor!
The warnings of SSL certs rely on something, that doesn't exist: a sense of distinguishing security on the users part.
As the cited study shows, that sense does not exist, in fact blatant decisions contrary to the initial design goal (of SSL errors etc.) get made consciously! Therefore we can reasonably assume the entire system to be broken in both design and application, because other than your geek crowd the vast majority of users don't know, and worse, don't care about SSL errors.
The dangers are invisible: The same resistance you get on other security issues ("You gotta encrypt your email." "Umm...why?) you also get here: If the benefit of applying your mental, time and other resources is not big enough to have a specific/perceptible gain in security and safety, it is mostly not worth bothering with. No amount of re-writing error messages (while in itself not a bad thing at all) will change that! What would make a difference is to sniff a few million unprotected login's and post them somewhere publicly. Ditto for e-mails (the bodies please), chats etc.pp.. Make the risk perceptible and you will make the negation of the risk perceptible and worthwhile.
It is not a computer nor a PEBKAC problem, it's PEBLEARE (Problem Exists between Left Ear and Right Ear). This is not a 'fault' or even stupidity...quite the opposite: We filter our bombardment of information to what's needed the most...actually a very smart and efficient prioritizing of our daily activities. So unless you make e-risks real enough until every mother tells her kids: "Make sure to encrypt your electronic communications!" as they now say "Make sure to look to left and right before crossing the street!" security measures as currently implemented with SSL are largely irrelevant.
"Hi, I'm sosume. I say I'm sosume, and that's all that matters. Please enjoy the random stuff I have to say, and log in with an otherwise pointless username and password if you want to leave comments."
See how it changes when it's just some random dude's website?
Obviously, there's no way for Firefox to tell the difference between a bank's website and some random dude's blog, but it seems to me there must be a middle ground between a tiny little notification saying, "Hey, you should worry about this website!" and an error page saying, "I didn't load this website because of a serious security error! Proceed at your own peril!".
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
Oh come on, a self signed certificate is ten times better than no certificate at all.
Actually, no. The "security" of your unsigned encryption is worthless, since you are susceptible to a man in the middle attack. Without a signed certificate, the man-in-the-middle can substitute his own key, and so be able to listen in.
If it is sufficiently important to require encryption, then it is sufficiently important that you must be able to know who you are talking to.
[FUCK BETA]
Sometimes all you're after is an encrypted connection. Self signed certs. do that just fine. Firefox should only warn if a certificate for that *changes* not the first time you go to it. This scheme works just fine for ssh for example.
The way firefox is, you might as well use plaintext.. in fact you *have to* otherwise half your users will complain that they can't access your site. Or pay arm+leg to verisign, who'll refuse you the cert anyway unless you're a registered company (been there.. done that..).
This is stupidity of the highest order - instead of the increased use of encryption browsers like firefox are discouraging its use.
Standard certs do nothing to establish identity. They merely establish that the site is not being spoofed. Thus, the purpose of the whois email verification is not to prevent illegitimate sites from getting certs. The purpose of the whois email verification is to ensure that I can't get a cert for www.bankofamerica.com, hack an ISP's DNS server to redirect their traffic to my site, and pose as Bank of America. For those purposes, it is sufficient to merely require that the domain owners confirm via email that the request was authorized.
..right.. but how does the email get delivered? if the bad guy has hacked the right dns server he can tailor the MX record as well and get the "confirm you want a certificate" email delivered to himself...
Quote from my human factors instructor of many years ago:
"Any system that depends on the user doing the right thing has already failed."
There should be no warnings. Nothing to click. You simply don't let them see the page and you tell them why. Assume they will work around it and protect them as much as you can anyway.
Most programmers at this point ask, "And should I wipe for them too?"
The correct answer is, "Yes, but ask what brand of paper they prefer and make sure there's an alternative if they forget." Sorry, but THAT'S YOUR JOB AS A PROGRAMMER.
Programs are for PEOPLE, not computers. Computers don't matter. At all. They exist ONLY for PEOPLE. Your job is to take care of the PEOPLE's issues like *they* matter. The computer is secondary, or tertiary.
Please do not read this sig. Thank you.