Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Certificate Warnings Don't Work

Posted by timothy on from the for-the-same-reason-most-people-ignore-etruscan dept.

angry tapir writes "In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users). The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web. They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites."

11 of 432 comments (clear)

  1. 'People' don't understand computers by doishmere · · Score: 5, Interesting

    This shouldn't come as a surprise, since most people still don't understand how viewing a website can affect their computer.

    1. Re:'People' don't understand computers by TinBromide · · Score: 5, Funny

      some day, in the far off future of October 1st, 1993, 'people' will understand computers and all of this tomfoolery will cease to be a problem. The internet will revert to civilized discourse for the propagation of knowledge and ideas.

      *Checks watch* Any day now...

      --
      Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
    2. Re:'People' don't understand computers by forkazoo · · Score: 5, Insightful

      I don't think it's a problem of not "understanding" computers. Rather that the language used in a lot of cases for the certificates is so verbose, that it confuses people. Remember that when you deal with the average member of the population you're dealing with someone who reads and writes somewhere between a grade 7-10 level. That means that their grasp of language is lower, their understanding is lower, and their frustration level is lower.

      This. Developers seem convinced that adding more explanation can result in a better educated user. In reality, it just guarantees that fewer people will have read the whole thing. Make informational text as short as possible, but no shorter. IMHO, that's one of the things Apple traditionally nails in their designs that Microsoft flubs. "Save your work?" is a vastly more useful message in a dialog box than something like, "you have clicked a button which is used to close this application. if you close this application without saving changes to your data, it will be lost. You might also want to keep working. Click yes to save your work, no to discard it, or click cancel to continue working."

      With Certificate issues, Firefox makes me jump through so many hoops that all my focus is on getting through the hoops, rather than evaluating security. I've never understood how the 'get certificate' button is supposed to make me safer. It seems to just add more steps in an effort to force me to pay attention to the process, but IMO fails to actually provide a security benefit.

    3. Re:'People' don't understand computers by gestalt_n_pepper · · Score: 5, Insightful

      Quote from my human factors instructor of many years ago:

      "Any system that depends on the user doing the right thing has already failed."

      There should be no warnings. Nothing to click. You simply don't let them see the page and you tell them why. Assume they will work around it and protect them as much as you can anyway.

      Most programmers at this point ask, "And should I wipe for them too?"

      The correct answer is, "Yes, but ask what brand of paper they prefer and make sure there's an alternative if they forget." Sorry, but THAT'S YOUR JOB AS A PROGRAMMER.

      Programs are for PEOPLE, not computers. Computers don't matter. At all. They exist ONLY for PEOPLE. Your job is to take care of the PEOPLE's issues like *they* matter. The computer is secondary, or tertiary.

      --
      Please do not read this sig. Thank you.
  2. No shit by QuantumG · · Score: 5, Interesting

    Do we really need a lab study to tell us this? Even the article admits that we've known for decades now that users will happily accept a broken cert. There was a case where the Mozilla people received a complaint from a security researcher saying their certificate checking was broken because he was connecting to a known trusted website and her certificate wasn't broken, so it must be Mozilla's fault - they concluded that it was man-in-the-middle attack and she later apologized. If a security researcher can't even tell, how are my parents supposed to?

    How about this for a solution? Instead of a "Privacy Shield" you have a "Security Shield".. when you press the Security Shield button you enter Lock Down Mode and your web browser will refuse to display pages that are not retrieved via TLS. You could also enable some extra paranoia settings.. turn off plugins, Flash, etc. When you've finished your banking, or whatever, you press the Security Shield button again and now you can go back to Facebook.

    --
    How we know is more important than what we know.
  3. That's because security warnings are stupid. by Eskarel · · Score: 5, Interesting

    The only difference between a self signed certificate and one that is signed by a CA is that someone wrote a check for the CA signed cert. No CA does any verification that the person writing that check is who they say they are, has any rights to that domain, or anything else, they only check to see if they already have a signed certificate. I've personally bought Verisign certificates for other people, without any proof that I'm in any way authorized to do so, let alone proving who I actually am. They mean absolutely nothing.

    The only kind of certificate warning is one which indicates that a certificate is not what it's supposed to be. However, since there's still no central way to check a certificate(even a signed one) the only way to do that is to compare it with what you had before, which means the only viable certificate warning is one indicating a certificate has changed.

    When browsers panic over things that aren't worth panicking over (most folks will have encountered a perfectly legitimate self signed cert at some point in their time on the web, is it any wonder they just bypass the error.

    Certs never guarantee who you're talking to, they only provide encrypted communication.

  4. Big surprise! by rantingkitten · · Score: 5, Insightful

    First, users don't know what certificates are, or why it matters. That should be pretty obvious.

    The situation isn't helped by the fact that the overwhelming majority of invalid certs, in my experience, are just from random sites which you find with a Google search, and those sites for some reason have https instead of http as their search result. You click, and oh shock, the administrator hasn't updated his cert in ages, because nobody cares. After endless warnings about this, even I have stopped caring. It's almost a Pavlovian conditioning to see that warning and say "Yeah, whatever."

    It's even worse now. Back in the day, you could dismiss these mostly spurious warnings with one click. These days, Firefox makes you go through an utterly obnoxious process of acknowledging the warning, then manually adding the certificate, then approving it. All because I needed to see some forum where people were discussing some problem I needed to solve. I am so tired of having to go through this that I just sigh and back away from the site and try to find another one that won't make me do this. I am not shocked that users just click whatever it takes to make the warnings go away.

    --
    mirrorshades radio -- darkwave, industrial, futurepop, ebm.
  5. Re:I would probably do the same thing by cas2000 · · Score: 5, Insightful

    mozilla didn't start this, their ancestor Netscape did. they're the ones who tried to bootstrap and cash-in on a PKI market by creating a bogus scarcity (browser recognised Certificate Authorities) on an infinite supply (Certificates), and deliberately blurred the distinction between encryption (which is all that many or even most sites need, and for which self-signed certs are good enough) and authentication (which very few sites need, banks and so on for which the ONLY real solution is certs signed by government agencies with responsibility for banks in each country, not some private company).

    every mainstream browser since then has continued the trend.

  6. With untrustworthy CA's, who cares? by tbradshaw · · Score: 5, Insightful

    Verisign is untrustworthy, so why should I care if a certificate is signed or not?

    Signed certificates are a complete racket: If you don't pay us then when your users show up they will get a giant warning shown in their face, telling them not to trust you. You wouldn't want that would you? Nope, don't care who you are, what you do, or why. $100 bucks please.

  7. Re:Maybe Firefox will Chill Out now by ToasterMonkey · · Score: 5, Interesting

    Get a free certificate, then. http://www.startssl.com/ generates basic certificates at no charge. It works in most major browsers, and IE support is expected in the near future. Now that startssl exists, there's really no excuse for self-signed certs even inside a corporate firewall, much less for a real public website.

    Free, schmee, that is not the problem at all. Why in hell should I trust someone ELSE to verify my ownership of a domain name on MY internal network? The real problem is everything using their own damn CA lists, making it impossible for us to easily publish internal CA certs. Subversion has one, Windows has one, OS X has one, Gnome probably has one, Firefox has one, Java has one, SSH does NOT have one, etc, etc, etc.

    Why aren't CA's delegated just like DNS is? I own all of foobar.net, so grant me an intermediate CA responsible for only *.foobar.net and let me verify & issue certs for my own fraking domain names (internal or NOT!). It is much easier to chain an intermediate cert to the server than add a new internal CA to the clients. Obviously, distributing trust to the rightful owners cuts the CA roots out of their silly trust monopolies.

    The determination of who owns a domain name TWICE, for registration & certification is a straight up failure. Own the domain, you should own the CA authority, stop owning it, your cert chain is revoked.

  8. The reasons for SSL by rysiek · · Score: 5, Insightful

    There are basically two reasons to use SSL:
    1. connection encryption (i.e. nobody else can read the transmission);
    2. site authentication (i.e. you can be certain that this page is actually your bank's website).

    See, here's the problem. Many a time I need to put up encryption, but have no need whatsoever for authentication (sending data like passwords or whatever, but not that critical to be a target of somebody setting up a bigus copy). Firefox says "whatever", and proceeds to complain about 2. above not being satisfied. And complain loud!

    Something's wrong in this image. I think there should be 2 classes of SSL certs - "encryption-only" and "full-mode", or whatever they'd be called. the "encryption-only" cert could allow you to use SSL without warnings; the "full-mode" cert wouldn't. The icon or other graphical method of identifying "trusted sites" could even be completely different for both modes.