Informed choices and real security

David makes an excellent point about choices in a user interface. What David assumes in his post is that I think people shouldn’t be able to make informed choices in their Desktop interface. Well that’s not true, what’s missing my my previous post is that I don’t want to take away peoples ability to make informed choices, however I do want to stop the computer from forcing people into making uninformed guesses.

People who understand SSL and Certificates need to be notified if a site is incorrectly using them so they can choose to discontinue using that site if the situation merits that. Most of the time the issue with these is just a misconfiguration, and for someone who understands those technologies it’s not hard to spot. However most people don’t understand those technologies.

The decision is more complicated than this, but when building a web browser there are a couple paths the creators could take related to handling certificates.

Deny people from browsing to sites that don’t have correctly signed certificates, no choices (security for all)
Ignore certificates completely (no security for anyone)
Ask every person using the web browser to examine bad certificates for validity (security for few)
Or a New Solution (security for most)

My assumption is that most people don’t understand SSL and Certificates. I think that’s a pretty solid assumption so lets put a number on it, like 90% of people don’t understand the technology; seems a fair number. The assumption of the web browser is that if the certificate is bad ask the user if it’s ok to continue. That means the creators of the web browser have to hope for only a 10% chance of getting the right answer from the user. Those are really bad odds.

There are lots of other people talking about usability and security and several papers like Are Usability and Security Two Opposite Directions in Computer Systems? [pdf] and Usability of Security: A Case Study [pdf] on the topic. My Summary: If you want most people who use your software to have a secure experience you can’t ignore their inability to make certain choices about security. This doesn’t mean taking away the choice from them or from you, this means providing methods for them to be informed enough to make a decent choice. Those methods might also save a person in the know some extra time.

Just as an idea point for a new solution. Digg and other sites like it usually have a very low number of key people who push out most of the news that really gets dugg high. You might speculate that it’s a similar ratio to the number of people who understand SSL and Certificates and if a site is safe or not. So if people in the know about safety of a site could “Digg” it such that others would be informed that a “High number of people believe this to be safe” they could make some kind of informed decision about continuing to use the site.

And remember! Safety is no accident

About this entry

You’re currently reading “Informed choices and real security,” an entry on Bryan Clark

Published:: 05.01.07 / 5pm

Category:: Design, Security

Recent Comments

Ninja: Having killed the messagepane before, reinitializ...

Frank: Could anyone direct me to a nightly Lightening me...

Louise: Can the Address Book and Composition as tab make ...

Ben: Excellent, thanks for the quick replies (to all c...

ovidiu: The close tab on inbox should only disappear when...

Bryan Clark: @Dereak: yeah, we're making room in the prefs for...

Laurens Holst: Well, just keep in mind that tabs aren’t very g...

Louise: Btw. I would really like to see all windows opene...

Louise: It looks sweet :) I hope the tabs will behave ...

Ben: Looks like an interesting change, and likely to b...

About

My name is Bryan Clark, I’m a User Experience Designer working with Mozilla Messaging on Thunderbird; currently living in the Vancouver, BC area. I have interests in design, economics, architecture, and beer. Previous to my work with Mozilla I was one of a select few Interaction Designers at Red Hat, working on their Desktop Team, OLPC, GNOME, Online Desktop and many other projects.

This blog focuses mainly on my work driving design in an open source context.

nate May 1, 2007

People already have that.
http://toolbar.netcraft.com/ is one example. There are a number of others, including, I think, Ie7 with a ranking system or maybe it’s heuristic check of the website in question. A few variations.

Also your making the assumption that people that are willing to click ‘this website is safe’ are the same sort of people that understand certs and are actually trustworthy. This is probably not a safe assumption.

bma May 1, 2007

Of course, if many people mark a site as being trustworthy and it then suddenly becomes untrustworthy, then even though the broken certificate warns you that the site is dodgy, there’ll still be thousands of people who claimed that the site is trustworthy.There’s also the possibility of fraudulent voting, as Nate mentions.

Joe Buck May 1, 2007

In the case of SSL certificates, it is extremely common to get complaints either because it appears that the name on the certificate differs from the site, or the certificate is self-signed. Either way, 99.9% of the time this is no big deal, and making the browser or other app refuse to talk to the site is a very bad idea. Tell the user once, at most, then shut up and connect.

Johan May 1, 2007

“That means the creators of the web browser have to hope for only a 10% chance of getting the right answer from the user.”

It does not mean that. Those who don’t understand will make a random choice, which, assuming a binary decision, puts the total probability of getting the right answer at 55%.

I’m somewhat skeptical of SSL certificates as an indication of the safety of a site, anyway. In many cases, the presence of a valid certificate simply means that the site owner has been willing to give a few bucks to Thawte or whoever, nothing more.

Stephen Smoogen May 1, 2007

The assumption of the web browser is that if the certificate is bad ask the user if it’s ok to continue. That means the creators of the web browser have to hope for only a 10% chance of getting the right answer from the user. Those are really bad odds.

Actually the creators of the web browser are probably thinking to themselves… shit if we dont put up some sort of warning we could get sued. And this doesnt have to be the lawyers of the company.. I remember a similar warning was proposed by developers at another browser company because they were worried about possible liability.

Another problem though is that developers are very rarely UI or behavioral specialists. And for the vast majority of developers.. their brains do not work in ways that are useful for usable UI design.

They will put in something that means useful information for themselves.. because normally the first audience they write for are people like them.. when a product becomes mainstream a different set of people are using the product who have no idea what all that text meant. But trying to program for that set is incredibly hard, because a lot of the time, they dont’ know what they want until they get it (and they will put up with bad stuff because they its better than crap stuff they had before.)

So how to fix the problem? I don’t know. My brain doesnt do well with GUI’s in the first place.. so the original warning screen was perfect for me. However, I do realize that something has to work for the rest of the world.

Bryan Clark May 2, 2007

@nate: Thanks for the link! That’s the kind of thing that we could be doing for free software. It would be naive to build a system that simple trusted everyone’s evaluations of the site, you’d probably need some kind of reputation of users ranking sites built into it. And that’s where the innovation is needed most!

@bma: exactly, you can’t just have a this site is and always is safe. You’d probably need a real time listing, maybe using trends to examine if people are begining to mark the site unsafe.

@joe: And that’s part of the problem with stopping people to ask if they want to visit the site. Informing someone that there is an issue with the certificate doesn’t mean to you have to interrupt them and ask them to evaluate it’s validity.

@johan: Well actually in practice most people are just going to click OK no matter what. The person’s intention was to visit the web page so using an ugly dialog as a speed bump doesn’t actually do anything. And like you say the worst part is that most of the time it’s just a stupid site error and not something evil going on.

@stephen: Yeah, that’s usually the reason behind these things. If they just let you go straight there and something bad happened the browser creators might face some fault. I have a post I’ll put up soon examining the current certificate dialog. Mostly my suggestion is to stop using dialogs as speed bumps and just subtly inform people of the issue. To protect themselves from legal issues and to protect their users from phishing browser creators should look towards a better system of rating sites similar to the things nate shared.

Bryan Clark › The Untrusted Certificate Dialog May 2, 2007

[...] of good comments on my post about informed choices and real security, it would be nice to see some good open source solutions out there. And I’m glad I [...]

jpr blog » Blog Archive » Security Usability May 2, 2007

[...] Bryan, another good paper [...]

Bryan Clark

Informed choices and real security

About this entry

9 Comments

Post a Comment »

Comment Guidelines

Categories

Monthly Archives

Recent Comments

About

Recently