
Security Certificate Warnings Don't Work

angry tapir writes "In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users). The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web. They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites."
  • by doishmere ( 1587181 ) on Sunday July 26, 2009 @11:06PM (#28832579)
    This shouldn't come as a surprise, since most people still don't understand how viewing a website can affect their computer.
  • No shit (Score:5, Interesting)

    by QuantumG ( 50515 ) * <qg@biodome.org> on Sunday July 26, 2009 @11:11PM (#28832623) Homepage Journal

    Do we really need a lab study to tell us this? Even the article admits that we've known for decades now that users will happily accept a broken cert. There was a case where the Mozilla people received a complaint from a security researcher saying their certificate checking was broken because she was connecting to a known trusted website and her certificate wasn't broken, so it must be Mozilla's fault - they concluded that it was a man-in-the-middle attack and she later apologized. If a security researcher can't even tell, how are my parents supposed to?

    How about this for a solution? Instead of a "Privacy Shield" you have a "Security Shield".. when you press the Security Shield button you enter Lock Down Mode and your web browser will refuse to display pages that are not retrieved via TLS. You could also enable some extra paranoia settings.. turn off plugins, Flash, etc. When you've finished your banking, or whatever, you press the Security Shield button again and now you can go back to Facebook.

  • by Eskarel ( 565631 ) on Sunday July 26, 2009 @11:11PM (#28832625)

    The only difference between a self signed certificate and one that is signed by a CA is that someone wrote a check for the CA signed cert. No CA does any verification that the person writing that check is who they say they are, has any rights to that domain, or anything else, they only check to see if they already have a signed certificate. I've personally bought Verisign certificates for other people, without any proof that I'm in any way authorized to do so, let alone proving who I actually am. They mean absolutely nothing.

    The only kind of certificate warning is one which indicates that a certificate is not what it's supposed to be. However, since there's still no central way to check a certificate(even a signed one) the only way to do that is to compare it with what you had before, which means the only viable certificate warning is one indicating a certificate has changed.

    When browsers panic over things that aren't worth panicking over (most folks will have encountered a perfectly legitimate self signed cert at some point in their time on the web), is it any wonder they just bypass the error?

    Certs never guarantee who you're talking to, they only provide encrypted communication.

  • by tepples ( 727027 ) <tepplesNO@SPAMgmail.com> on Sunday July 26, 2009 @11:15PM (#28832651) Homepage Journal

    Ignore certificate warnings if you're not planning to give the site any important information (e.g. a password). Otherwise, don't.

    So you don't want to send passwords over an HTTPS connection with a self-signed certificate. I take it you don't want to send passwords over an HTTP connection either, as HTTP is even easier to snoop than self-signed HTTPS. Should everybody who runs a forum or a wiki pay $$$ per year for a CA-signed certificate?

  • Actually, certificates do guarantee that the person you are talking to is the same as the time the certificate was first issued.

    So how do you know that the person to whom you are talking using a given URL is the same person to whom, say, a software reviewer was talking when he downloaded a given release?

  • by FishWithAHammer ( 957772 ) on Sunday July 26, 2009 @11:30PM (#28832751)

    Well, they could use OpenID or something.

    Not that I do, because OpenID is a huge hassle to deal with, but you could.

  • by onefriedrice ( 1171917 ) on Sunday July 26, 2009 @11:48PM (#28832861)
    If I can go out and get a certificate signed by "FishWithAHammer" for a couple dozen bucks from some CA which happens to have its root certificate in your browser by default (and I can), even CA-signed certificates aren't worth much. Actually, the fact that you think a CA-signed cert is much better than a self-signed one means to me that they are causing more harm than good in the form of false security.
  • Re:Mac (Score:1, Interesting)

    by Anonymous Coward on Sunday July 26, 2009 @11:50PM (#28832879)

    Absolutely agree!!!! I post photos to Facebook from my Mac using Firefox 3. When I post these photos Firefox tells me that the certificate from Facebook is bad EVERY SINGLE STINKIN' TIME!!!!! So yes yes yes I ignore the messages. What else am I supposed to do?!?! I can't get Facebook to fix their certificates. Am I supposed to just never post photos because Facebook can't figure out their certs?

  • Failed logic, again (Score:4, Interesting)

    by rickb928 ( 945187 ) on Monday July 27, 2009 @12:06AM (#28832949) Homepage Journal

    I get certificate warnings for internal sites, inside the firewall, without having accessed anything external. Yes, our CA people and developers are morons. No, let me state that more clearly. They are offshored, overpaid by a factor of five, patent leather morons. And they all talk too fast, fail to deliver a statement of work, and fail to deliver even what they say they will, in writing, before witnesses. But I digress.

    Certificate warnings are relatively pointless, because they point out a technical flaw without distinguishing between bookkeeping flaws, expired or poorly minted certificates due to simple incompetence, private certificates that serve the purpose, and actual exploitations.

    Many of our certificates at work would raise warnings, and do when I indulge in testing, but the sites are application-specific. A browser never needs to access these, and doesn't unless I'm verifying connectivity. Otherwise, the firewalls and application rules kick in and discourage an attacker by either blocking their IP or delaying response and slowing the attack to a crawl.

    I get these warnings pretty regularly on public sites, and generally ignore them. But anything I was linked to, or referred, or a URL I am not entirely sure of, I either close the session and start over, or try it on my phone.

    So far, my phone has shrugged off some clever but Windows-specific attacks. Always fun to revel in the agony of others.

  • by Hurricane78 ( 562437 ) <deleted&slashdot,org> on Monday July 27, 2009 @12:42AM (#28833165)

    And why don't they understand them. BECAUSE THEY CAN. Really. :)

    People are all about efficiency. But if you are so "efficient" that you hurt yourself, it is called "laziness". (Although some people also call others lazy, when they do not follow *their* standards, which is pointless.)

    Now why do they hurt themselves here?
    Either because the risk is too small to be relevant (evolutionary and on the level that makes your brain learn it).
    Or, what I think, because the failure, and the pain that results from it, are way too distinct from each other for people to learn it.

    Think about, what would happen, if they would get stung by a bee, every time they would do such a stupid thing like ignore certificates. You could bet that they would learn it. Because really, and it took me long to learn and believe this, people are not stupid. (If they have to, they can do very impressive things in very short times. I witnessed a girl learn to do basic things in C in one week, because she really really really wanted that advantage in that game she was playing. And the next week she learned how to do collages in Photoshop. Mind you that she is just your average girl. No geek or anything.)

    But what happens right now, when they do dumb things: First, nothing happens. Nothing at all. No flashing lights. No alarm. No fire. No pain. Even an infection with a trojan that their AV tool notices is no problem. A virus killing everything? Well, just ask your local geek to re-install Windows. The data was not that important anyway. (That's what I usually hear from them. Sometimes they backed it up a month ago and that is OK too. Often I have the feeling, that a read-only HDD and a USB stick would suffice for them.)

    But even a MITM attack on their bank account, stealing all the money and everything. That's so rare. And if, they are completely unable to associate it with that one warning that they ignored. And how can you blame them for it? Would you remember what you did a week ago, that did probably not even enter your conscience? No.

    So I propose this solution: Make the warning dialog contain one paragraph max. In big red letters. With a flashing alarm light and sound. Filling 3/4 of the screen. Saying in the shortest possible way, that they are going to get robbed, and could go to jail, if they do not exactly know what's going on now. Make the dialog un-closable for at least 30 seconds. And only give them the ability to move it away quicker, if you got proof that it's burned into their brains forever. If that is not possible, then never give them that ability, and only add an "I am a security expert" add-on that you have to manually install and jump through hoops that only people who know what they are doing can pass.
    Optimally make it completely impossible to go to a site with security problems, except if you use that add-on. (But beware, that then people will let their "expert" friend install it, even if they do not know anything.)
    But realistically, let the "I have no idea what to do" button be clickable at the very first second, and the "go to the site (I am a security expert)" one only after a minute of waiting.
    Then when they click it, tell them that the site was very evil, dangerous, etc, and... pew... the browser saved them.... but it was very close.

    Yes. You have to be that over the top. How else will you make it stick in their heads? It has to be associated with instant robbery and horrible things. Just like it is in the brains of us experts.

    What do you think? Anything one could make better? Let's implement it? :)

  • by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Monday July 27, 2009 @01:59AM (#28833555)

    SSH has it right. Tiny warning the first time you visit a site, big warning if the key changes later. If you improved that with a GPG-like system where you could see whether your friends/bank/certificate authority trust a particular key, you would get rid of 99% of the warnings. Suddenly the warnings would be a once-a-month (or even once-a-year, if you only browse mainstream sites) event, and the users would click no.

    As long as warnings happen all the time, people will ignore them. You can't educate your way out of so many false positives.
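    The "compare it with what you had before" check that Eskarel and amorsen both describe (the SSH known_hosts model: quiet on first contact, loud only when the key changes) is easy to state in code. The block below is an added illustration, not code from either commenter or from any browser; it assumes a JSON file as the pin store and uses constructed byte strings in place of real DER certificates so that it runs offline.

```python
import hashlib
import json
import os
import tempfile

# Constructed stand-ins for the DER bytes a server would present. Two of them
# are identical (same key), the third differs (key changed). Labels are ours.
SAMPLE_CERTS = {
    "first visit": b"constructed DER bytes for bank.example, key A",
    "same key":    b"constructed DER bytes for bank.example, key A",
    "new key":     b"constructed DER bytes for bank.example, key B",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a presented certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


class TofuStore:
    """Trust-on-first-use pin store in the style of ~/.ssh/known_hosts:
    remember the fingerprint seen for a host and report whether a later
    presentation matches it."""

    def __init__(self, path: str):
        self.path = path
        self.known = {}
        if os.path.exists(path):
            with open(path) as f:
                self.known = json.load(f)

    def check(self, host: str, der: bytes):
        """Return (verdict, fingerprint). On 'changed' the fingerprint returned
        is the previously pinned one, so the caller can show both."""
        fp = fingerprint(der)
        seen = self.known.get(host)
        if seen is None:
            return "first-seen", fp
        if seen == fp:
            return "match", fp
        return "changed", seen

    def pin(self, host: str, der: bytes) -> None:
        """Record (or deliberately replace) the pin for a host and persist it."""
        self.known[host] = fingerprint(der)
        with open(self.path, "w") as f:
            json.dump(self.known, f)


def classify(store: TofuStore, host: str, der: bytes) -> str:
    """Policy: first contact is pinned with a small notice, a match is silent,
    and a change is the one case that earns a real warning and is never
    accepted automatically (re-pinning is a separate, explicit act)."""
    verdict, _ = store.check(host, der)
    if verdict == "first-seen":
        store.pin(host, der)
        return "notice"
    if verdict == "match":
        return "ok"
    return "warn"


def demo():
    """Run the constructed scenario through the store; returns the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        store = TofuStore(os.path.join(d, "known_certs.json"))
        host = "bank.example"
        results = [
            classify(store, host, SAMPLE_CERTS["first visit"]),  # notice
            classify(store, host, SAMPLE_CERTS["same key"]),     # ok
            classify(store, host, SAMPLE_CERTS["new key"]),      # warn
        ]
        # Only after an out-of-band decision does the user re-pin the new key.
        store.pin(host, SAMPLE_CERTS["new key"])
        results.append(classify(store, host, SAMPLE_CERTS["new key"]))  # ok
        return results


if __name__ == "__main__":
    print(demo())
```

    The point of the policy function is that the expensive, attention-grabbing warning fires once per real change rather than on every visit, which is exactly the false-positive rate the comment says users can live with. What a change means (key rotation, a different front-end, or interception) still has to be settled out of band before re-pinning.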

  • I'm not surprised (Score:2, Interesting)

    by rcasha2 ( 1157863 ) on Monday July 27, 2009 @02:23AM (#28833723)
    I've lost count of the genuine websites run by respectable organisations that used an "invalid" certificate - either because the certificate was for www.someone.com instead of yyy.someone.com, or because it expired last week, or something like that. In most cases they're not a site I need too much security for. So I shrug and add an exception. Unless it's ebay or paypal or my bank, I don't really care about encryption OR authentication for the site.
  • by ToasterMonkey ( 467067 ) on Monday July 27, 2009 @03:33AM (#28834093) Homepage

    Get a free certificate, then. http://www.startssl.com/ [startssl.com] generates basic certificates at no charge. It works in most major browsers, and IE support is expected in the near future. Now that startssl exists, there's really no excuse for self-signed certs even inside a corporate firewall, much less for a real public website.

    Free, schmee, that is not the problem at all. Why in hell should I trust someone ELSE to verify my ownership of a domain name on MY internal network? The real problem is everything using their own damn CA lists, making it impossible for us to easily publish internal CA certs. Subversion has one, Windows has one, OS X has one, Gnome probably has one, Firefox has one, Java has one, SSH does NOT have one, etc, etc, etc.

    Why aren't CA's delegated just like DNS is? I own all of foobar.net, so grant me an intermediate CA responsible for only *.foobar.net and let me verify & issue certs for my own fraking domain names (internal or NOT!). It is much easier to chain an intermediate cert to the server than add a new internal CA to the clients. Obviously, distributing trust to the rightful owners cuts the CA roots out of their silly trust monopolies.

    The determination of who owns a domain name TWICE, for registration & certification is a straight up failure. Own the domain, you should own the CA authority, stop owning it, your cert chain is revoked.

  • Re:No shit (Score:3, Interesting)

    by dkf ( 304284 ) <donal.k.fellows@manchester.ac.uk> on Monday July 27, 2009 @04:33AM (#28834365) Homepage

    Challenge/response authentication using a credit card number and PIN as the encryption key. Let the bank issue the challenge, have the e-commerce site pass that right on to the browser. Let the browser do the encryption, and pass it all back to the bank via the site.

    Too difficult to use.

    The problem of security is in getting the right balance between protection and usability. (This is true for physical security too.)

  • by Hammer ( 14284 ) on Monday July 27, 2009 @05:23AM (#28834557) Journal

    Sorry buddy, but you are full of it.... I went through the process of getting a cert for a domain at Thawte. It was snail-mail, they called and all sorts of hassle. The documentation needed included a copy of the corporate registration (presumably then verified by Thawte)
    In the end my company could prove that the domain was legit. Actually only the url-trees that I provided were included in the cert. (mycompany.com/url1 would return a valid cert whereas mycompany.com/url2 would return a non-valid response)
    I cannot see that they have slacked off on that...
    But maybe you are referring to thawte.haxxor.net not thawte.com :-D

  • by MrAngryForNoReason ( 711935 ) on Monday July 27, 2009 @05:57AM (#28834699)
    I agree that there is nothing wrong with self-signed certificates but if you don't want to confuse users then you can get an SSL certificate for about £50 per year, hardly a huge outlay for a business.
  • by pbf ( 98406 ) on Monday July 27, 2009 @06:43AM (#28834895)

    So true!

    Anytime you try to combine two goals in one design you are sure to make a bad decision. SSL is no exception. Both authentication and encryption are valuable. Why make the latter depend on the former??? This is just a blatant beginner's design mistake, there is no excuse for this. I am still waiting for somebody to explain to me how this was a good idea in the first place.

    The only players who gain anything from that are the certificate monopolies.

    And the funniest thing is that nobody seems to be trying to fix the problem. The closest thing that resembles a fix for this mistake are the self-signed certificates, but none of the major browsers accept them for what they are (I want encryption, I don't care for authentication), and instead insist on scaring everybody off. Sad sad sad!

  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Monday July 27, 2009 @09:17AM (#28835989) Homepage

    No.

    Encryption doesn't require 'importance'. It's just good practice. Anything that asks for passwords - slashdot for example - should probably be encrypted.

    The only value of certificates is when they *change*. You can't verify who you're talking to the first time around anyway.. a certificate is *not* sufficient verification.

  • by CowTipperGore ( 1081903 ) on Monday July 27, 2009 @11:40AM (#28838071)

    I agree that there is nothing wrong with self-signed certificates but if you don't want to confuse users then you can get an SSL certificate for about £50 per year, hardly a huge outlay for a business.

    We went this route with the OWA site for our employees. We made sure our browser (IE 6 at the time) supported it seamlessly. When IE 7 came out, we found that Microsoft dropped this CA from their built-in list. Then we started getting more Windows Mobile smart phones in the company and realized that Opera Mobile also doesn't play nice with these guys. At this point, a self-signed would be no worse and it would have been cheaper.

  • by Sloppy ( 14984 ) on Monday July 27, 2009 @11:49AM (#28838235) Homepage Journal

    The big problem that keeps most users from understanding the warnings (thereby making the warnings useful), is that the warnings are only shown when https is used. This leads to the ridiculous and misleading situation where..

    In the Firefox 3 browser, Mozilla tried to use simpler language and better warnings for bad certificates. And the browser makes it harder to ignore a bad certificate warning. In the Carnegie Mellon lab, Firefox 3 users were the least likely to click through after being shown a warning.

    ..browsers like Firefox 3 (probably the worst of the bunch, in this regard) make the user think that an uncertified identity is unusually vulnerable to eavesdropping, when in fact it's vastly more secure than 99.9% of their web usage. They see the message and think something exceptional and more worrisome than usual has happened.

    And this implication is utterly false. An identity being certified by someone the user trusts, is the actual exceptional situation (at least right now, until serious efforts are ever made to secure the web). Not being sure who you are talking to (thus, you might be getting MitMed), is the "normal" situation.

    Firefox 3 makes the classical mistake of trying to enumerate the bad things that can happen (as though a typical user understands what those bad things are); block or display a warning when it doesn't know who is on the other end (and then it totally flubs up even this mistake, by only doing it sometimes), instead of pointing out when things are going right (the unusual case where you actually know whose webserver you are talking to, and know that you're not being eavesdropped).

    I think the core reason that browser people keep getting this wrong (and evolve toward getting things wronger in the case of Firefox), is that they think the protocol displayed in the URL bar, is an important part of the UI. They think that when "https" is in the URL bar, then the requirements have changed and the browser should behave differently than when "http" is displayed. Joe Sixpack doesn't even know what SSL is, though, much less understand how it works. As long as we pretend that Joe Sixpack understands key exchange and identity certification, the browsers are going to have horrible UIs.

    https is something the user enters (either directly, or by clicking a link). It cannot ever signal the user agent's evaluation of the situation's security. The padlock/keyhole/whatever icon is for that, as is a color added the URL bar or an icon to the left of it, or a look-at-this-cert popup (whatever--the point is, it's information provided by the browser, not the user). Use of SSL doesn't mean you need MitM protection. Whatever the user is doing (e.g. entering bank account access credentials, as opposed to, say, reading Twitter) dictates whether or not they need to see the padlock icon.

    What's really ironic is that Firefox 3 does do the right thing just left of the URL bar. When the user wants to know how safe things are, the FF3 team actually gave them a pretty good UI for that. But the obtrusive cert warning that happens when (and only when!?!) using SSL, is totally stupid. It's like part of the FF team had a clue, and part didn't, so they compromised on something half-assed.
