Slashdot Mirror
Security Certificate Warnings Don't Work
angry tapir writes "In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users). The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web. They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites."
This shouldn't come as a surprise, since most people still don't understand how viewing a website can affect their computer.
Do we really need a lab study to tell us this? Even the article admits that we've known for decades now that users will happily accept a broken cert. There was a case where the Mozilla people received a complaint from a security researcher saying their certificate checking was broken because he was connecting to a known trusted website and her certificate wasn't broken, so it must be Mozilla's fault - they concluded that it was man-in-the-middle attack and she later apologized. If a security researcher can't even tell, how are my parents supposed to?
How about this for a solution? Instead of a "Privacy Shield" you have a "Security Shield".. when you press the Security Shield button you enter Lock Down Mode and your web browser will refuse to display pages that are not retrieved via TLS. You could also enable some extra paranoia settings.. turn off plugins, Flash, etc. When you've finished your banking, or whatever, you press the Security Shield button again and now you can go back to Facebook.
How we know is more important than what we know.
The only difference between a self signed certificate and one that is signed by a CA is that someone wrote a check for the CA signed cert. No CA does any verification that the person writing that check is who they say they are, has any rights to that domain, or anything else, they only check to see if they already have a signed certificate. I've personally bought Verisign certificates for other people, without any proof that I'm in any way authorized to do so, let alone proving who I actually am. They mean absolutely nothing.
The only kind of certificate warning is one which indicates that a certificate is not what it's supposed to be. However, since there's still no central way to check a certificate(even a signed one) the only way to do that is to compare it with what you had before, which means the only viable certificate warning is one indicating a certificate has changed.
When browsers panic over things that aren't worth panicking over (most folks will have encountered a perfectly legitimate self signed cert at some point in their time on the web, is it any wonder they just bypass the error.
Certs never guarantee who you're talking to, they only provide encrypted communication.
Ignore certificate warnings if you're not planning to give the site any important information (e.g. a password). Otherwise, don't.
So you don't want to send passwords over an HTTPS connection with a self-signed certificate. I take it you don't want to send passwords over an HTTP connection either, as HTTP is even easier to snoop than self-signed HTTPS. Should everybody who runs a forum or a wiki pay $$$ per year for a CA-signed certificate?
Actually, certificates do guarentee that the person you are talking to is the same as the time the certificate was first issued.
So how do you know that the person to whom you are talking using a given URL is the same person to whom, say, a software reviewer was talking when he downloaded a given release?
If I can go out and get a certificate signed by "FishWithAHammer" for a couple dozen bucks from some CA which happens to have its root certificate in your browser by default (and I can), even CA-signed certificates aren't worth much. Actually, the fact that you think a CA-signed cert is much better than a self-signed one means to me that they are causing more harm than good in the form of false security.
This author takes full ownership and responsibility for the unpopular opinions outlined above.
Absolutely agree!!!! I post photos to Facebook from my Mac using Firefox 3. When I post these photos Firefox tells me that the certificate from Facebook is bad EVERY SINGLE STINKIN' TIME!!!!! So yes yes yes I ignore the messages. What else am I supposed to do?!?! I can't get Facebook to fix their certificates. Am I supposed to just never post photos because Facebook can't figure out their certs?
I get certificate warnings for internal sites, inside the firewall, without having accessed anything external. Yes, our CA people and developers are morons. No, let me state that more clearly. They are offshored, overpaid by a factor of five, patent leather morons. And they all talk too fast, fail to deliver a statement of work, and fail to deliver even what they say they will, in writing, before witnesses. But I digress.
Certificate warnings are relatively pointless, because they point out a technical flaw without distiguishing between bookeeping flaws, expired or poorly minted certificates due to simple incompetence, private certificates that serve the purpose, and actual explotations.
Many of our certificates at work would raise warnings, and do when I indulge in testing, but the sites are application-specific. A browser never needs to access these, and doesn't unless I'm verifying connectivity. Otherwise, the firewalls and application rules kick in and discourage an attacker by either blocking their IP or delaying response and slowing the attack to a crawl.
I get these warnings pretty regularly on public sites, and generally ignore them. But anything I was linked to, or referred, or a URL I am not entirely sure of, I either close the session and start over, or try it on my phone.
So far, my phone has shrugged off some clever but Windows-specific attacks. Always fun to revel in the agony of others.
deleting the extra space after periods so i can stay relevant, yeah.
SSH has it right. Tiny warning the first time you visit a site, big warning if the key changes later. If you improved that with a GPG-like system where you could see whether your friends/bank/certificate authority trust a particular key, you would get rid of 99% of the warnings. Suddenly the warnings would be a once-a-month (or even once-a-year, if you only browse mainstream sites) event, and the users would click no.
As long as warnings happen all the time, people will ignore them. You can't educate your way out of so many false positives.
Finally! A year of moderation! Ready for 2019?
I've lost count of the genuine websites run by respectable organisations that used an "invalid" certificate - either because the certificate was for www.someone.com instead of yyy.someone.com, or because it expired last week, or something like that. In most cases they're not a site I need too much security for. So I shrug and add an exception. Unless it's ebay or paypal or my bank, I don't really care about encryption OR authentication for the site.
Get a free certificate, then. http://www.startssl.com/ generates basic certificates at no charge. It works in most major browsers, and IE support is expected in the near future. Now that startssl exists, there's really no excuse for self-signed certs even inside a corporate firewall, much less for a real public website.
Free, schmee, that is not the problem at all. Why in hell should I trust someone ELSE to verify my ownership of a domain name on MY internal network? The real problem is everything using their own damn CA lists, making it impossible for us to easily publish internal CA certs. Subversion has one, Windows has one, OS X has one, Gnome probably has one, Firefox has one, Java has one, SSH does NOT have one, etc, etc, etc.
Why aren't CA's delegated just like DNS is? I own all of foobar.net, so grant me an intermediate CA responsible for only *.foobar.net and let me verify & issue certs for my own fraking domain names (internal or NOT!). It is much easier to chain an intermediate cert to the server than add a new internal CA to the clients. Obviously, distributing trust to the rightful owners cuts the CA roots out of their silly trust monopolies.
The determination of who owns a domain name TWICE, for registration & certification is a straight up failure. Own the domain, you should own the CA authority, stop owning it, your cert chain is revoked.
Sorry buddy, but you are full of it.... I went through the process of getting a cert for a domain at Thawte. It was snail-mail, they called and all sorts of hassle. The documentation needed included a copy of the corporate registration (presumably then verified by Thawte) :-D
In the end my company could prove that the domain was legit. Actually only the url-trees that I provided were included in the cert. (mycompany.com/url1 would return a valid cert whereas mycompany.com/url2 would return a non-valid response)
I cannot see that they have slacked off on that...
But maybe you are referring to thawte.haxxor.net not thawte.com
So true!
Anytime you try to combine two goals in one design you are sure to make a bad decision. SSL is no exception. Both authentication and encryption are valuable. Why make the later depend on the former ??? This is just a blatant beginner's design mistake, there is no excuse for this. I am still waiting for somebody trying to explain me how this was a good idea in the first place.
The only players who gain anything from that are the certificate monopolies.
And the funniest thing is that nobody seems to be trying to fix the problem. The closest thing that resembles a fix for this mistake are the self-signed certificates, but none of the major browser accept them for what they are (I want encryption, I don't care for authentication), and instead insist in scaring everybody off. Sad sad sad!
et les Shadoks pompaient...
The big problem that keeps most users from understanding the warnings (thereby making the warnings useful), is that the warnings are only shown when https is used. This leads to the ridiculous and misleading situation where..
..browsers like Firefox 3 (probably the worst of the bunch, in this regard) makes the user think that an uncertified identity is unusually vulnerable to eavesdropping, when in fact it's vastly more secure than 99.9% of their web usage. They see the message and think something exceptional and more worrisome than usual has happened.
And this implication is utterly false. An identity being certified by someone the user trusts, is the actual exceptional situation (at least right now, until serious efforts are ever made to secure the web). Not being sure who you are talking to (thus, you might be getting MitMed), is the "normal" situation.
Firefox 3 makes the classical mistake of trying to enumerate the bad things that can happen (as though a typical user understands what those bad things are); block or display a warning when it doesn't know who is on the other end (and then it totally flubs up even this mistake, by only doing it sometimes), instead of pointing out when things are going right (the unusual case where you actually know whose webserver you are talking to, and know that you're not being eavesdropped).
I think the core reason that browser people keep getting this wrong (and evolve toward getting things wronger in the case of Firefox), is that they think the protocol displayed in the URL bar, is an important part of the UI. They think that when "https" is in the URL bar, then the requirements have changed and the browser should behave differently than when "http" is displayed. Joe Sixpack doesn't even know what SSL is, though, much less understand how it works. As long as we pretend that Joe Sixpack understands key exchange and identity certification, the browsers are going to have horrible UIs.
https is something the user enters (either directly, or by clicking a link). It cannot ever signal the user agent's evaluation of the situation's security. The padlock/keyhole/whatever icon is for that, as is a color added the URL bar or an icon to the left of it, or a look-at-this-cert popup (whatever--the point is, it's information provided by the browser, not the user). Use of SSL doesn't mean you need MitM protection. Whatever the user is doing (e.g. entering bank account access credentials, as opposed to, say, reading Twitter) dictates whether or not they need to see the padlock icon.
What really ironic is the Firefox 3 does do the right thing just left of the URL bar. When the user wants to know how safe things are, the FF3 actually team gave them a pretty good UI for that. But the obtrusive cert warning that happens when (and only when!?!) using SSL, is totally stupid. It's like part of the FF team had a clue, and part didn't, so they compromised on something half-assed.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.