Security Certificate Warnings Don't Work

angry tapir writes "In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users). The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web. They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites."

I would probably do the same thing

[piojo]

I blame firefox's big scary error page that comes up every time a page uses a self-signed certificate. I've gotten so good at ignoring that, I probably wouldn't notice if a page said "the certificate doesn't match" instead of "the certificate is self-signed."

Mozilla isn't doing anybody any favors with their heightened paranoia.

Re:I would probably do the same thing

[cas2000]

mozilla didn't start this, their ancestor Netscape did. they're the ones who tried to bootstrap and cash-in on a PKI market by creating a bogus scarcity (browser recognised Certificate Authorities) on an infinite supply (Certificates), and deliberately blurred the distinction between encryption (which is all that many or even most sites need, and for which self-signed certs are good enough) and authentication (which very few sites need, banks and so on for which the ONLY real solution is certs signed by government agencies with responsibility for banks in each country, not some private company).

every mainstream browser since then has continued the trend.

Re:I would probably do the same thing

[realmolo]

Uh, self-signed certificates shouldn't be trusted. Not on a public website.

On an intranet, they're acceptable, but you should be adding your own server as a CA on every client machines, so that people don't get the warning. Even then, hell, pay and get a certificate from one of the big CAs and be done with it. Saves hassle, and it's cheap.

That big scary page that Firefox shows you is EXACTLY what every browser should show you. Self-signed certificates are NOT OKAY for production/public use. Encryption is more or less worthless without proof-of-identity. Now, if you want to argue about how the the big CAs don't require much in the way of proof anymore, I'll agree with you.

Re:I would probably do the same thing

[Burdell]

Encryption is useless if you don't know who is at the other end. SSL and TLS are designed to stop man-in-the-middle attacks, and you cannot do that without trusted authentication.

Re:I would probably do the same thing

[NFN_NLN]

I work on a lab intranet. Almost every switch and ILOM uses an https GUI for management. I 100% don't care about man in the middle attacks, but I do care about the 4 clicks (now 2 with a little tweaking) that Firefox makes me jump through every time I open up a new console to do work. It's ridiculous and the 'chicken little' scenario just desensitizes users.

Re:'People' don't understand computers

But more importantly your average user doesn't have a clue what a security certificate is, so why would they care if there's a warning about it?

If it wouldn't pop up everywhere it shouldn't

[guruevi]

The problem is that those things are just a nuisance for a lot of things. It just pops up randomly because a developer forgot to test the latest update or didn't install the new certificate on all the frontends. Then you have the 'intermediate' CA's where if the intermediate issuer isn't in the browser CA's or the browser doesn't support intermediates or wildcard certificates it gives you another warning. Or somebody let the certificate expire or didn't get it signed by a well-known CA (usually the less-professional sites that are self-signing). Then if your ISP isn't honest (which apparently 99% of them these days aren't) with their DNS and you go to https://wrongname.com/ it will give you the https version of their ad page on the other domain which of course gives a big warning.

I have seen warnings on important sites like Wells Fargo and Bank of America and there are permanent warnings on some other sites that I use frequently that are either self-signed or expired. I usually verify them and it's not my system that's been hijacked so I am ignoring them largely as well.

Big surprise!

[rantingkitten]

First, users don't know what certificates are, or why it matters. That should be pretty obvious.

The situation isn't helped by the fact that the overwhelming majority of invalid certs, in my experience, are just from random sites which you find with a Google search, and those sites for some reason have https instead of http as their search result. You click, and oh shock, the administrator hasn't updated his cert in ages, because nobody cares. After endless warnings about this, even I have stopped caring. It's almost a Pavlovian conditioning to see that warning and say "Yeah, whatever."

It's even worse now. Back in the day, you could dismiss these mostly spurious warnings with one click. These days, Firefox makes you go through an utterly obnoxious process of acknowledging the warning, then manually adding the certificate, then approving it. All because I needed to see some forum where people were discussing some problem I needed to solve. I am so tired of having to go through this that I just sigh and back away from the site and try to find another one that won't make me do this. I am not shocked that users just click whatever it takes to make the warnings go away.

Re:'People' don't understand computers

[Mashiki]

I don't think it's a problem of not "understanding" computers. Rather that the language used in a lot of cases for the certificates is so verbose, that it confuses people. Remember that when you deal with the average member of the population you're dealing with someone who reads and writes somewhere between a grade 7-10 level. That means that their grasp of language is lower, their understanding is lower, and their frustration level is lower.

If you want to get through to people, you make warnings simpler. Make things simpler, people understand them better, and everyone is happy. Those of us who are in, have been in, the IT field(or associated areas), have a grasp of the English language somewhere around grade 12 to early college, or higher. In other words, this stuff is way beyond what most people can understand.

After all, if you told someone on the street you spent an evening going through a kernel recompile for fun they'd look at like you're an idiot with 3 heads. To them you are; to the rest of us, you're just another geek.

With untrustworthy CA's, who cares?

[tbradshaw]

Verisign is untrustworthy, so why should I care if a certificate is signed or not?

Signed certificates are a complete racket: If you don't pay us then when your users show up they will get a giant warning shown in their face, telling them not to trust you. You wouldn't want that would you? Nope, don't care who you are, what you do, or why. $100 bucks please.

Re:'People' don't understand computers

[forkazoo]

I don't think it's a problem of not "understanding" computers. Rather that the language used in a lot of cases for the certificates is so verbose, that it confuses people. Remember that when you deal with the average member of the population you're dealing with someone who reads and writes somewhere between a grade 7-10 level. That means that their grasp of language is lower, their understanding is lower, and their frustration level is lower.

This. Developers seem convinced that adding more explanation can result in a better educated user. In reality, it just guarantees that fewer people will have read the whole thing. Make informational text as short as possible, but no shorter. IMHO, that's one of the things Apple traditionally nails in their designs that Microsoft flubs. "Save your work?" is a vastly more useful message in a dialog box than something like, "you have clicked a button which is used to close this application. if you close this application without saving changes to your data, it will be lost. You might also want to keep working. Click yes to save your work, no to discard it, or click cancel to continue working."

With Certificate issues, Firefox makes me jump through so many hoops that all my focus is on getting through the hoops, rather than evaluating security. I've never understood how the 'get certificate' button is supposed to make me safer. It seems to just add more steps in an effort to force me to pay attention to the process, but IMO fails to actually provide a security benefit.

Re:Not many people have the money...

[Rockoon]

If you do have a CA-signed cert, the connection still isnt secure. Thats the real problem.

Anyone willing to screw lots of people, each out of thousands of dollars, is also willing to game the CA system with stolen credit cards.

It is all about trust. If you can't trust the signing authority, how can you trust the signer?

Re:'People' don't understand computers

[causality]

Remember that when you deal with the average member of the population you're dealing with someone who reads and writes somewhere between a grade 7-10 level.

Then why don't we fix that and solve or prevent a whole host of other problems by doing so?

There's something seriously pathological about seeing this as a situation to be accommodated rather than a disease state to be remedied.

Re:'People' don't understand computers

[Opportunist]

Excuse me? How can I make a user more secure if he is the one that clicks away all my warnings?

Re:'People' don't understand computers

[sosume]

Oh come on, a self signed certificate is ten times better than no certificate at all. But in the first case, both FF and IE will go berserk with all kind of ways to prevent you from visiting the site. In the second, totally unsecure scenario, the browser won't say a word ..

So again, I have a working site. I decide to add a layer of encryption - and the browser starts warning my users that it's unsafe. Illogical at least .. and here you are defending this idiocy.You must be working for verisign or thawte ..

Bad idea

[aepervius]

So now instead of crying wolf very often you want to scream very loudly in their face, in an inescapable manner. You have not solved the problem that the "failed certificate" problem occurs too often, neither have you solved the problem of making the user understand why a failed cert MIGHT be important in some case (when a trusted conn is really necessary like to do bank ops).

Instead you just screan loudlier while hold them by the shoulder. That will not help, it will only do two things 1) search for a web browser which do not scream at them 2) ignore even more the cert warning by going take a coffee and click it away anyway when they come back.

The reasons for SSL

[rysiek]

There are basically two reasons to use SSL:
1. connection encryption (i.e. nobody else can read the transmission);
2. site authentication (i.e. you can be certain that this page is actually your bank's website).

See, here's the problem. Many a time I need to put up encryption, but have no need whatsoever for authentication (sending data like passwords or whatever, but not that critical to be a target of somebody setting up a bigus copy). Firefox says "whatever", and proceeds to complain about 2. above not being satisfied. And complain loud!

Something's wrong in this image. I think there should be 2 classes of SSL certs - "encryption-only" and "full-mode", or whatever they'd be called. the "encryption-only" cert could allow you to use SSL without warnings; the "full-mode" cert wouldn't. The icon or other graphical method of identifying "trusted sites" could even be completely different for both modes.

Re:Maybe Firefox will Chill Out now

[SanityInAnarchy]

A company which is running their own CA for internal use should have the means to install that CA on each workstation -- thus, no warning, and as a bonus, no possibility of MITMs inside their network.

sosume isn't a bank

[danaris]

"Hi, I'm sosume. I say I'm sosume, and that's all that matters. Please enjoy the random stuff I have to say, and log in with an otherwise pointless username and password if you want to leave comments."

See how it changes when it's just some random dude's website?

Obviously, there's no way for Firefox to tell the difference between a bank's website and some random dude's blog, but it seems to me there must be a middle ground between a tiny little notification saying, "Hey, you should worry about this website!" and an error page saying, "I didn't load this website because of a serious security error! Proceed at your own peril!".

Dan Aris

Re:'People' don't understand computers

[gestalt_n_pepper]

Quote from my human factors instructor of many years ago:

"Any system that depends on the user doing the right thing has already failed."

There should be no warnings. Nothing to click. You simply don't let them see the page and you tell them why. Assume they will work around it and protect them as much as you can anyway.

Most programmers at this point ask, "And should I wipe for them too?"

The correct answer is, "Yes, but ask what brand of paper they prefer and make sure there's an alternative if they forget." Sorry, but THAT'S YOUR JOB AS A PROGRAMMER.

Programs are for PEOPLE, not computers. Computers don't matter. At all. They exist ONLY for PEOPLE. Your job is to take care of the PEOPLE's issues like *they* matter. The computer is secondary, or tertiary.