Lots of good comments on my post about informed choices and real security, it would be nice to see some good open source solutions out there. And I’m glad I didn’t bump into david on the street that day, he has more good ideas about the issues of phishing and SSL certs.
To follow up a bit more I spent a little time examining this crazy dialog. I’m not trying to pick on firefox, but it’s an excellent example of where things can go wrong. And in a lot of places they go right, we definitely aren’t at this point.
I couldn’t find a site right away that brings up this issue even though I feel like it happens somewhat often. So I grabbed a screenshot I found and changed the URL, but here’s how the dialog would look if you just found an issue with www.URL.com.
Because I’m like the Lorax who speaks for the users I’ve translated the options available in the dialog so they can be read from the point of view of someone who doesn’t understand the underlying technology. I also added what is a little bit of reality as well.
Unable to verify the identity of www.url.com as a trusted site
The website you’re looking at is not configured correctly. This error is not your fault.
Possible reasons for this error
We used this dialog for a couple awkward reasons, but this error has nothing to do with anything you did
- A. Your browser does not recognize the Certificate Authority…
Something could be wrong with the browser software. Odds are you can’t fix this. It might be nice if the browser software could check for an update right now or allow you do make it check.
- B. The site’s certificate is incomplete due to a server misconfiguration
The web site maintainer has made an all too common mistake. There’s really, really, pretty much nothing you can do about this error. Thanks for reading it!
- C. You are connected to a site pretending to be www.url.com …
Something evil could be going on! Someone might be trying to trick you! Though odds are this isn’t true, it’s likely that guilt or the legal department required us to put this dialog up just for this case.
Please notify the site’s webmaster about this problem
Contact the person who runs the web site. You know who that person is, right? You know how to contact them? It might be nice to offer a mailto email@example.com address? Maybe not.
Before accepting this certificate, you should examine the site’s certificate carefully…
Here is a foreign language you never studied in your life, please read it’s message carefully and pick out any grammar errors. Severe grammar errors could indicate a problem, simple grammar errors could just mean it’s a simple mistake. Remember, read carefully!! Fun Fun Fun!
Accept this certificate… [in a number of different ways with different consequences]
After carefully examining and understanding the certificate you should choose the correct option to proceed safely.
If you’re having trouble with what to do click here. Oh, gotcha! This help is about the dialog, it has no advice for the site itself!
Don’t go to the site you wanted to go to
Go to the site you wanted to go to, but risk losing your soul!
And with all that dialog you still haven’t seen the site itself because the browser blocks the loading, however the blocking is probably for security sake and might be hard to work around. One might find a way to use services like Snap which offer screen captures of sites for free at least then you’d know what you are about to look at.
So the real issue here is that this dialog doesn’t help most people to advance, it is merely an idiot light in car speak. We could say The terrorist threat of this web site is at Yellow, do you wish to proceed? and it would be about as helpful. To protect people from phishing you need a more complete solution, and phishing is a serious problem. Warnings about errors in a site configuration could just be done as subtle warnings such that people interested can take notice while others are able to continue without the dialog litter.
Other Fun Dialogs and Stuff
Alex Faaborg has some good slides from his Web 2.0 Expo Presentation where I got these other screenshots of interesting dialogs that provide choices, but maybe not in the way we want. The POSTDATA dialog is a tough one to fix and I don’t think I have any real ways to improve that, but boy does it suck.