Security Certificate Warnings Don't Work 432
angry tapir writes "In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users). The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web. They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites."
'People' don't understand computers (Score:5, Interesting)
Re:'People' don't understand computers (Score:5, Funny)
Yeah, it's kind of sad how regular people are expecting us programmers to have our shit together.
Re:'People' don't understand computers (Score:4, Insightful)
Excuse me? How can I make a user more secure if he is the one that clicks away all my warnings?
Re:'People' don't understand computers (Score:5, Insightful)
Quote from my human factors instructor of many years ago:
"Any system that depends on the user doing the right thing has already failed."
There should be no warnings. Nothing to click. You simply don't let them see the page and you tell them why. Assume they will work around it and protect them as much as you can anyway.
Most programmers at this point ask, "And should I wipe for them too?"
The correct answer is, "Yes, but ask what brand of paper they prefer and make sure there's an alternative if they forget." Sorry, but THAT'S YOUR JOB AS A PROGRAMMER.
Programs are for PEOPLE, not computers. Computers don't matter. At all. They exist ONLY for PEOPLE. Your job is to take care of the PEOPLE's issues like *they* matter. The computer is secondary, or tertiary.
Re: (Score:3, Insightful)
But more importantly your average user doesn't have a clue what a security certificate is, so why would they care if there's a warning about it?
Re:'People' don't understand computers (Score:5, Funny)
*Checks watch* Any day now...
Re:'People' don't understand computers (Score:5, Insightful)
I don't think it's a problem of not "understanding" computers. Rather that the language used in a lot of cases for the certificates is so verbose, that it confuses people. Remember that when you deal with the average member of the population you're dealing with someone who reads and writes somewhere between a grade 7-10 level. That means that their grasp of language is lower, their understanding is lower, and their frustration level is lower.
If you want to get through to people, you make warnings simpler. Make things simpler, people understand them better, and everyone is happy. Those of us who are in, have been in, the IT field(or associated areas), have a grasp of the English language somewhere around grade 12 to early college, or higher. In other words, this stuff is way beyond what most people can understand.
After all, if you told someone on the street you spent an evening going through a kernel recompile for fun they'd look at like you're an idiot with 3 heads. To them you are; to the rest of us, you're just another geek.
Re:'People' don't understand computers (Score:5, Insightful)
This. Developers seem convinced that adding more explanation can result in a better educated user. In reality, it just guarantees that fewer people will have read the whole thing. Make informational text as short as possible, but no shorter. IMHO, that's one of the things Apple traditionally nails in their designs that Microsoft flubs. "Save your work?" is a vastly more useful message in a dialog box than something like, "you have clicked a button which is used to close this application. if you close this application without saving changes to your data, it will be lost. You might also want to keep working. Click yes to save your work, no to discard it, or click cancel to continue working."
With Certificate issues, Firefox makes me jump through so many hoops that all my focus is on getting through the hoops, rather than evaluating security. I've never understood how the 'get certificate' button is supposed to make me safer. It seems to just add more steps in an effort to force me to pay attention to the process, but IMO fails to actually provide a security benefit.
Re: (Score:3, Informative)
(That's the idea. In reality, you just skip by that screen and bemoan the annoyance.)
Re:'People' don't understand computers (Score:5, Informative)
Firefox makes users jump through hoops for a reason. Once upon a time, webmasters were terrible at keeping websites up to date, and browsers didn't work very hard to make it apparent. If the website is built and operated correctly, users never see a damn thing.
The first hoop is the most important: the page looks like an error, because it is. The proper thing to do is contact the webmaster, or call your helpdesk, and get the cert fixed. Don't continue. The wrong thing to do here is all the rest of the crap where you "pay attention" but intentionally make a stupid decision and "continue anyway." That process does actually give much more information than previous incarnations. If it's self-signed, or expired, or invalid, it'll say so. Not that it matters, because you as a user have no control over whether the certificate is valid or not. These messages should be intended for power users and developers, since they're the only people who might be able to escalate or *fix it*.
The problem as I see it is that web people seem okay with the idea of allowing bad certs. Helpdesk might have previously told users "just click continue anyways, and go on your way." So yea, error dialogs were much easier for users when they could click once and permanently ignore security warnings caused by incompetent IT.
Re:'People' don't understand computers (Score:5, Insightful)
Oh come on, a self signed certificate is ten times better than no certificate at all. But in the first case, both FF and IE will go berserk with all kind of ways to prevent you from visiting the site. In the second, totally unsecure scenario, the browser won't say a word ..
So again, I have a working site. I decide to add a layer of encryption - and the browser starts warning my users that it's unsafe. Illogical at least .. and here you are defending this idiocy.You must be working for verisign or thawte ..
Re: (Score:3, Insightful)
Re:'People' don't understand computers (Score:4, Interesting)
No.
Encryption doesn't require 'importance'. It's just good practice. Anything that asks for passwords - slashdot for example - should probably be encrypted.
The only value of certificates is when they *change*. You can't verify who you're talking to the first time around anyway.. a certificate is *not* sufficient verification.
sosume isn't a bank (Score:4, Insightful)
"Hi, I'm sosume. I say I'm sosume, and that's all that matters. Please enjoy the random stuff I have to say, and log in with an otherwise pointless username and password if you want to leave comments."
See how it changes when it's just some random dude's website?
Obviously, there's no way for Firefox to tell the difference between a bank's website and some random dude's blog, but it seems to me there must be a middle ground between a tiny little notification saying, "Hey, you should worry about this website!" and an error page saying, "I didn't load this website because of a serious security error! Proceed at your own peril!".
Dan Aris
Re: (Score:3, Insightful)
Sometimes all you're after is an encrypted connection. Self signed certs. do that just fine. Firefox should only warn if a certificate for that *changes* not the first time you go to it. This scheme works just fine for ssh for example.
The way firefox is, you might as well use plaintext.. in fact you *have to* otherwise half your users will complain that they can't access your site. Or pay arm+leg to verisign, who'll refuse you the cert anyway unless you're a registered company (been there.. done that..)
The reasons for SSL (Score:5, Insightful)
1. connection encryption (i.e. nobody else can read the transmission);
2. site authentication (i.e. you can be certain that this page is actually your bank's website).
See, here's the problem. Many a time I need to put up encryption, but have no need whatsoever for authentication (sending data like passwords or whatever, but not that critical to be a target of somebody setting up a bigus copy). Firefox says "whatever", and proceeds to complain about 2. above not being satisfied. And complain loud!
Something's wrong in this image. I think there should be 2 classes of SSL certs - "encryption-only" and "full-mode", or whatever they'd be called. the "encryption-only" cert could allow you to use SSL without warnings; the "full-mode" cert wouldn't. The icon or other graphical method of identifying "trusted sites" could even be completely different for both modes.
Re: (Score:3, Insightful)
If you don't know you're talking to the correct endpoint, you have no idea if you're the victim of a man-in-the-middle attack. That's why certificates exist.
That said, a self-signed cert is definitely better than no encryption at all, because it changes the attack mode from passive (just read the conversation as it passes by on the wire) to active (intercept all communication between Alice and Bob and pretend to be Bob when talking to Alice and pretend to be Alice when talking to Bob). However the latter wi
Re: (Score:3, Insightful)
I don't authenticate my SSH sessions until after the encryption has begun... so obviously, YOU don't understand encryption.
Re: (Score:3, Informative)
Except underscore is not a legal character in a host name.
Hyphen however is.
Re:'People' don't understand computers (Score:5, Insightful)
Then why don't we fix that and solve or prevent a whole host of other problems by doing so?
There's something seriously pathological about seeing this as a situation to be accommodated rather than a disease state to be remedied.
Re: (Score:3, Insightful)
"Page maybe evil! There be dragons, do not go there!"
Better?
It does not change a thing. People do not read that shit. Even if they do, what's lacking is that we do not (and often cannot) offer them an alternative or solution. We don't tell them "instead, do this and you can still accomplish what you wanted to do". So the obvious response is "hmm... it said maybe. Ok, hopefully it won't be that bad".
Because they don't see any alternative. Their choice is only to take the (possible) risk or simply not do what
Mod -1 Spam (Score:2)
The parent's comment doesn't make sense and it is clearly spam. Hopefully a mod will come along and mod it down to -1 Offtopic.
Re: (Score:3, Insightful)
I have several sites I use regularly which are permanently on self-signed certificates. Why? Because the cost of getting a real, properly signed certificate is f$&@ing highway robbery. It's one entry in a lookup table, yet it costs more per year than my last car. Sure, BankOfAmerica.com can afford that, but can your small business's intranet? Can a small hobby out of someone's basement?
We're trained every day that legitimate sites self-sign. And that the warnings can safely be ignored. This isn't
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
I agree that there is nothing wrong with self-signed certificates but if you don't want to confuse users then you can get an SSL certificate for about £50 per year, hardly a huge outlay for a business.
We went this route with the OWA site for our employees. We made sure our browser (IE 6 at the time) supported it seamlessly. When IE 7 came out, we found that Microsoft dropped this CA from their built-in list. Then we started getting more Windows Mobile smart phones in the company and realized that Opera Mobile also doesn't play nice with these guys. At this point, a self-signed would be no worse and it would have been cheaper.
Bad idea (Score:4, Insightful)
Instead you just screan loudlier while hold them by the shoulder. That will not help, it will only do two things 1) search for a web browser which do not scream at them 2) ignore even more the cert warning by going take a coffee and click it away anyway when they come back.
That's not really a surprise (Score:2)
I would probably do the same thing (Score:5, Insightful)
I blame firefox's big scary error page that comes up every time a page uses a self-signed certificate. I've gotten so good at ignoring that, I probably wouldn't notice if a page said "the certificate doesn't match" instead of "the certificate is self-signed."
Mozilla isn't doing anybody any favors with their heightened paranoia.
Re:I would probably do the same thing (Score:5, Insightful)
mozilla didn't start this, their ancestor Netscape did. they're the ones who tried to bootstrap and cash-in on a PKI market by creating a bogus scarcity (browser recognised Certificate Authorities) on an infinite supply (Certificates), and deliberately blurred the distinction between encryption (which is all that many or even most sites need, and for which self-signed certs are good enough) and authentication (which very few sites need, banks and so on for which the ONLY real solution is certs signed by government agencies with responsibility for banks in each country, not some private company).
every mainstream browser since then has continued the trend.
Re: (Score:2)
authentication (which very few sites need
When I log into $FORUM, how do I make sure that I am giving my password to $FORUM and not to someone who has intercepted my Internet connection?
banks and so on
Every time you shop online, you deal with banks.
Re:I would probably do the same thing (Score:5, Informative)
authentication (which very few sites need
When I log into $FORUM, how do I make sure that I am giving my password to $FORUM and not to someone who has intercepted my Internet connection?
You don't. Unless you call up $FORUM_OWNER at a verified number (not off the domain)---which means you first have to investigate and verify who the owner is---and get them to verify their certificate fingerprint. You do that every time you log in somewhere? I didn't think so.
The PKI "authorities" do no checking. Anyone with a few hundred bucks can get a "valid" cert, so if you're relying on that ...
banks and so on
Every time you shop online, you deal with banks.
No, you deal with merchants. Merchants deal with a chain of other people, who may or may not be banks. Credit card companies are not, but your card may be managed through one.
Re: (Score:3, Interesting)
Sorry buddy, but you are full of it.... I went through the process of getting a cert for a domain at Thawte. It was snail-mail, they called and all sorts of hassle. The documentation needed included a copy of the corporate registration (presumably then verified by Thawte)
In the end my company could prove that the domain was legit. Actually only the url-trees that I provided were included in the cert. (mycompany.com/url1 would return a valid cert whereas mycompany.com/url2 would return a non-valid response)
I
Re: (Score:2)
Re:I would probably do the same thing (Score:4, Insightful)
Encryption is useless if you don't know who is at the other end. SSL and TLS are designed to stop man-in-the-middle attacks, and you cannot do that without trusted authentication.
Re:I would probably do the same thing (Score:5, Insightful)
I work on a lab intranet. Almost every switch and ILOM uses an https GUI for management. I 100% don't care about man in the middle attacks, but I do care about the 4 clicks (now 2 with a little tweaking) that Firefox makes me jump through every time I open up a new console to do work. It's ridiculous and the 'chicken little' scenario just desensitizes users.
Re: (Score:2, Informative)
well if you managed it properly and installed the proper certificates and a proper root in your browser, you wouldn't have the certificate warning problem.
like you said - you work on a lab intranet. You're the one responsible for setting it up properly.
Re:I would probably do the same thing (Score:4, Informative)
You know you can import the certificates manually. And if you carry them by hand instead of over the network, it really is more secure than the CA solution. The only way you should have extra clicks every time is if you're changing the certificate frequently. Or the guy running the MITM attack on you is changing his certificate frequently...
Re: (Score:2)
Encryption is useless if you don't know who is at the other end. SSL and TLS are designed to stop man-in-the-middle attacks, and you cannot do that without trusted authentication.
A self-signed certificate can reduce man-in-the-middle attacks. Here's how it works: I log on the first time from my home computer. Ideally, Firefox would prompt me once and I would choose "allow this certificate in the future" (without its current punitive user-interface). Because my home connection is mostly secure (Comcast isn't changing my data), I can subsequently log in from a coffee shop, I'll know that the certificate is legitimate, and I mostly trust the transaction.
Re: (Score:2)
A self-signed certificate can reduce man-in-the-middle attacks. Here's how it works: I log on the first time from my home computer. Ideally, Firefox would prompt me once and I would choose "allow this certificate in the future" (without its current punitive user-interface). Because my home connection is mostly secure (Comcast isn't changing my data), I can subsequently log in from a coffee shop, I'll know that the certificate is legitimate, and I mostly trust the transaction.
Unless the MITM is closer to the web server than you. Just because you think your home connection is trustworthy doesn't make it so, and just because you're using a different Internet connection doesn't mean that it doesn't go through most of the same routers.
Re: (Score:3, Insightful)
Uh, self-signed certificates shouldn't be trusted. Not on a public website.
On an intranet, they're acceptable, but you should be adding your own server as a CA on every client machines, so that people don't get the warning. Even then, hell, pay and get a certificate from one of the big CAs and be done with it. Saves hassle, and it's cheap.
That big scary page that Firefox shows you is EXACTLY what every browser should show you. Self-signed certificates are NOT OKAY for production/public use. Encryption is mo
Re: (Score:2)
Self-signed certificates are NOT OKAY for production/public use.
Then what is okay for production/public use on a non-commercial site?
Re: (Score:2)
A self-signed certificate isn't a good reason to trust a site, but untrustworthy sites can get certificates, too. Trust is a complicated beast.
If a site doesn't require much security (no logins or commercial transactions), self-certification is great! It makes it more difficult for an ISP to inject ads, and other users on your network can't see what you're reading.
Re: (Score:2)
Uh, self-signed certificates shouldn't be trusted. Not on a public website. (...) That big scary page that Firefox shows you is EXACTLY what every browser should show you. Self-signed certificates are NOT OKAY for production/public use. Encryption is more or less worthless without proof-of-identity.
You can't do mass scale automated MITM. Someone would communicate the fingerprint using other channels or in an obfuscated form on the page. If you tried doing it selectively and turning it on and off, a known_hosts file like openssh has would warn just fine. It's not secure but it'd protect most of the information most of the time instead of being like an open book to anyone that can sniff the traffic. A letter is still pretty vulnerable to the "tearing open" attack, but it's still a step up from postcards
Re: (Score:2)
It would help if people didn't protect their email list archives behind self-signed SSL certificates. It's a waste of peoples' energy to force them through 3 clicks to allow access to a site when nobody cares if that site is secure or not. And it cuts down on the number of times real security is in order too.
Re: (Score:2)
Would it be much easier for a browser maker to do the following?
If visiting a secure site with a cert from a non-trusted source. Have the browser check to see if there's a good chance that the cert is self-signed. Have a warning pop up, or something that tells the user: "The site's certificate seems to be self-signed. If you want more information, click here."
It could be much less intrusive than the current "OMFG! NO TRUST-es! This site may be Tricksy!"
Note: I'm not a coder by trade. I prefer to use do
Re: (Score:2)
Re: (Score:2)
I blame groups like slashdot and google that intentionally downgrade https connections, and get people used to the idea of logging in without ssl. If there weren't so many broken ass web deployments out there set up by people with zero understanding of https and security in general, then this would not even be an issue. Every browser would have proper https enforcement, and every web session would be secure.
Blaming the web browser for trying to educate users, and blaming the users for being dumb is a tota
No shit (Score:5, Interesting)
Do we really need a lab study to tell us this? Even the article admits that we've known for decades now that users will happily accept a broken cert. There was a case where the Mozilla people received a complaint from a security researcher saying their certificate checking was broken because he was connecting to a known trusted website and her certificate wasn't broken, so it must be Mozilla's fault - they concluded that it was man-in-the-middle attack and she later apologized. If a security researcher can't even tell, how are my parents supposed to?
How about this for a solution? Instead of a "Privacy Shield" you have a "Security Shield".. when you press the Security Shield button you enter Lock Down Mode and your web browser will refuse to display pages that are not retrieved via TLS. You could also enable some extra paranoia settings.. turn off plugins, Flash, etc. When you've finished your banking, or whatever, you press the Security Shield button again and now you can go back to Facebook.
Re: (Score:2)
Re:No shit (Score:4, Funny)
Challenge/response authentication using a credit card number and PIN as the encryption key. Let the bank issue the challenge, have the e-commerce site pass that right on to the browser. Let the browser do the encryption, and pass it all back to the bank via the site.
Re: (Score:3, Interesting)
Challenge/response authentication using a credit card number and PIN as the encryption key. Let the bank issue the challenge, have the e-commerce site pass that right on to the browser. Let the browser do the encryption, and pass it all back to the bank via the site.
Too difficult to use.
The problem of security is in getting the right balance between protection and usability. (This is true for physical security too.)
That's because security warnings are stupid. (Score:5, Interesting)
The only difference between a self signed certificate and one that is signed by a CA is that someone wrote a check for the CA signed cert. No CA does any verification that the person writing that check is who they say they are, has any rights to that domain, or anything else, they only check to see if they already have a signed certificate. I've personally bought Verisign certificates for other people, without any proof that I'm in any way authorized to do so, let alone proving who I actually am. They mean absolutely nothing.
The only kind of certificate warning is one which indicates that a certificate is not what it's supposed to be. However, since there's still no central way to check a certificate(even a signed one) the only way to do that is to compare it with what you had before, which means the only viable certificate warning is one indicating a certificate has changed.
When browsers panic over things that aren't worth panicking over (most folks will have encountered a perfectly legitimate self signed cert at some point in their time on the web, is it any wonder they just bypass the error.
Certs never guarantee who you're talking to, they only provide encrypted communication.
Re: (Score:2, Insightful)
Certs never guarantee who you're talking to, they only provide encrypted communication.
Actually, certificates do guarentee that the person you are talking to is the same as the time the certificate was first issued.
But is this person the same as that person? (Score:3, Interesting)
Actually, certificates do guarentee that the person you are talking to is the same as the time the certificate was first issued.
So how do you know that the person to whom you are talking using a given URL is the same person to whom, say, a software reviewer was talking when he downloaded a given release?
Re: (Score:2)
Thats more to do with the way the Private/Public key Infrastructure is based.
In other words, CA-signed certificates actually mean something: everyone can agree that "the operator of https://www.example.com" is one person.
Re: (Score:3, Informative)
Re: (Score:3, Informative)
I do agree with most of the posters here though, there's no reason that they can't change that ignorant warning to something a bit more user friendly. Users obviously don't care what it says.
Re: (Score:2)
Do you seriously hold that to be true? I'd expect 0% would be a far closer approximation.
Re: (Score:2)
Re: (Score:2)
> which means the only viable certificate warning is one indicating a certificate has changed
This kind of make sense I guess, at least it is the default behavior for Open-SSH, it will accept any host public key when connecting to a host for the first time but it will warn you if that public key then changes to prevent a man in the middle attack.
If it's good for ssh I guess it could work too for web browsing. This way, a warning might have more success in preventing a man in the middle attack. By showing
Re: (Score:2)
Openssh doesn't just blindly accept any host key. It prompts you to confirm it with the sort of message that people are apparently decrying in Firefox. If it seems less scary it's merely because the sort of people who use SSH tend to understand it.
99% of people aren't capable of making an informed decision about a certificates validity so CA si
It's not hard. (Score:2)
Ignore certificate warnings if you're not planning to give the site any important information (e.g. a password). Otherwise, don't.
SnooPING AS usual, I see (Score:4, Interesting)
Ignore certificate warnings if you're not planning to give the site any important information (e.g. a password). Otherwise, don't.
So you don't want to send passwords over an HTTPS connection with a self-signed certificate. I take it you don't want to send passwords over an HTTP connection either, as HTTP is even easier to snoop than self-signed HTTPS. Should everybody who runs a forum or a wiki pay $$$ per year for a CA-signed certificate?
Re: (Score:3, Interesting)
Well, they could use OpenID or something.
Not that I do, because OpenID is a huge hassle to deal with, but you could.
Mac (Score:3, Insightful)
I am reasonable computer-savvy but I also don't understand these messages most of the time. I then use the 'I have a Mac, I am invincible' attitude, which is dangerous of course. But I just want to view that website!
Re: (Score:2)
The danger isn't so much that you will receive malware on your machine. The far more likely scenario is that someone is pretending to be that online retailer you browsed to, and tricks you into connecting to that person instead. He or she gets your credit card number and leaves you with the bill for that expensive boat or timeshare he or she buys with it. That kind of thing is not something that your browser or operating system alone can save you from.
Re: (Score:2, Funny)
I then use the 'I have a Mac, I am invincible' attitude, which is dangerous of course.
You should upgrade to the "I run Linux, I am invincible" attitude. 5% safer, 95% more smugness! (And some of it's actually justifiable. Disclosure: I run Linux and believe myself to be invincible.)
And the obligatory... [xkcd.com]
Re: (Score:2)
If Facebook presents a valid cert to you for the domain you are connecting to, then you could look at who signed the certificate (which certificate was used to sign the certificate Facebook presents to you).
The certificate that was used to sign the Facebook certificate is called a CA (certificate authority) cert. Then, you could import that CA cert in Firefox or look for updates from Firefox regarding CA certs, many CA certs are already installed in the Firefox version you are running but maybe the CA cert
If it wouldn't pop up everywhere it shouldn't (Score:4, Insightful)
The problem is that those things are just a nuisance for a lot of things. It just pops up randomly because a developer forgot to test the latest update or didn't install the new certificate on all the frontends. Then you have the 'intermediate' CA's where if the intermediate issuer isn't in the browser CA's or the browser doesn't support intermediates or wildcard certificates it gives you another warning. Or somebody let the certificate expire or didn't get it signed by a well-known CA (usually the less-professional sites that are self-signing). Then if your ISP isn't honest (which apparently 99% of them these days aren't) with their DNS and you go to https://wrongname.com/ [wrongname.com] it will give you the https version of their ad page on the other domain which of course gives a big warning.
I have seen warnings on important sites like Wells Fargo and Bank of America and there are permanent warnings on some other sites that I use frequently that are either self-signed or expired. I usually verify them and it's not my system that's been hijacked so I am ignoring them largely as well.
Re: (Score:3, Informative)
There's so much certificate misuse. A typical mistake is getting a cert for, say, "*.slashdot.org", and then serving it for "slashdot.org". That will cause a reject. Then there are U.S. Government certificate authorities, too many of them. Try, for example, USMC Doctrine Division [usmc.mil]. The CA is "DOD CA-13". DoD alone has root CAs "CA-5", through "CA-18", and not all browsers know all of them.
This is a headache for SiteTruth [sitetruth.com], which uses certificates as a indication of web site validity and a source of bus
Re: (Score:2)
Is there some reason people should be trusting certs issued by the US military?
Because... (Score:3, Insightful)
Just wording it differently like 'If you are accessing what appears to be a trusted website, and you are recieving this warning, you should not visit it as it could be a nasty security risk. Try again later." Rather than "Warning: Security certificate is not valid... [etc etc..]". This makes a huge difference.
WOT is more to the point: "This website is dangerous" and the page is locked out until you navigate away or click on a very clear "Ignore this warning and proceed".
Big surprise! (Score:5, Insightful)
The situation isn't helped by the fact that the overwhelming majority of invalid certs, in my experience, are just from random sites which you find with a Google search, and those sites for some reason have https instead of http as their search result. You click, and oh shock, the administrator hasn't updated his cert in ages, because nobody cares. After endless warnings about this, even I have stopped caring. It's almost a Pavlovian conditioning to see that warning and say "Yeah, whatever."
It's even worse now. Back in the day, you could dismiss these mostly spurious warnings with one click. These days, Firefox makes you go through an utterly obnoxious process of acknowledging the warning, then manually adding the certificate, then approving it. All because I needed to see some forum where people were discussing some problem I needed to solve. I am so tired of having to go through this that I just sigh and back away from the site and try to find another one that won't make me do this. I am not shocked that users just click whatever it takes to make the warnings go away.
Re: (Score:3, Insightful)
I am so tired of having to go through this that I just sigh and back away from the site and try to find another one that won't make me do this.
Looks like Firefox has accomplished the goal: It created enough burden that the user didn't want to go there anymore. While not a good solution, I prefer it to the "click yeah, whatever" solution, at least that way you won't get infected, and it teaches the website admin that he better gets some valid certs if he wants visitors.
Win-win.
You had to ignore them to do anything (Score:2)
A couple years back when FireFox threw a security warning on every single freaking site, including legitimate ones you basically had to ignore it. It was either that or just don't get anything done. FireFox isn't that bad anymore, but because of that people are used to just clicking through without caring.
This is why there is a delicate balance between too much and too little security.
With untrustworthy CA's, who cares? (Score:5, Insightful)
Verisign is untrustworthy, so why should I care if a certificate is signed or not?
Signed certificates are a complete racket: If you don't pay us then when your users show up they will get a giant warning shown in their face, telling them not to trust you. You wouldn't want that would you? Nope, don't care who you are, what you do, or why. $100 bucks please.
Not a big surprise (Score:3, Insightful)
You could have a big pop up box that says "Clicking here will empty your bank account, steal your car, rape your women and children, and cancel your NASCAR season pass on your TiVo" and John Q Public will still click on it.
Most of the non-techies and a lot of techies are sick of "The Browser/OS who cried wolf".
Those security warnings remind me of... (Score:2)
no wonder (Score:2)
If you think this is bad, consider that most electronic medical records pop up pointless warnings even more frequently. Sometimes they catch a legitimate error, but it's hard to not get conditioned to ignore those without really reading them.
I think I read some story many years ago about a boy who cried wolf... Same principle. Warnings cease to be effective if they pop up all the freakin' time for no good reason.
Failed logic, again (Score:4, Interesting)
I get certificate warnings for internal sites, inside the firewall, without having accessed anything external. Yes, our CA people and developers are morons. No, let me state that more clearly. They are offshored, overpaid by a factor of five, patent leather morons. And they all talk too fast, fail to deliver a statement of work, and fail to deliver even what they say they will, in writing, before witnesses. But I digress.
Certificate warnings are relatively pointless, because they point out a technical flaw without distiguishing between bookeeping flaws, expired or poorly minted certificates due to simple incompetence, private certificates that serve the purpose, and actual explotations.
Many of our certificates at work would raise warnings, and do when I indulge in testing, but the sites are application-specific. A browser never needs to access these, and doesn't unless I'm verifying connectivity. Otherwise, the firewalls and application rules kick in and discourage an attacker by either blocking their IP or delaying response and slowing the attack to a crawl.
I get these warnings pretty regularly on public sites, and generally ignore them. But anything I was linked to, or referred, or a URL I am not entirely sure of, I either close the session and start over, or try it on my phone.
So far, my phone has shrugged off some clever but Windows-specific attacks. Always fun to revel in the agony of others.
People forget how people work (Score:2)
In general, the reason that such warnings don't work, is because they present an impossible choice to the user.
If the display were: "visit this site securely and safely; or visit this site dangerously", you'd get everyone wanting the big fancy secure and safe method -- whether they need it or not -- because people are paranoid and trained to listen to fear-tactics.
But the display is currently: "visit this web-site dangerously, or don't visit it at all". That's never been anything that most people can handl
This was never the purpose (Score:3, Insightful)
There are actually many pieces of UX that fall into this camp, where the UX makes little sense until you understand the various lawsuits that led to it. For instance, did you ever wonder why the "Pictures" item in the Windows start menu doesn't take you to the photo gallery - which is what something like 95% of users expect?
Unfortunately, over time we can expect this to increase instead of decrease.
The cert model is broken (Score:3, Interesting)
SSH has it right. Tiny warning the first time you visit a site, big warning if the key changes later. If you improved that with a GPG-like system where you could see whether your friends/bank/certificate authority trust a particular key, you would get rid of 99% of the warnings. Suddenly the warnings would be a once-a-month (or even once-a-year, if you only browse mainstream sites) event, and the users would click no.
As long as warnings happen all the time, people will ignore them. You can't educate your way out of so many false positives.
It's no wonder they don't work (Score:3, Informative)
Companies don't even use security certificates properly. I've worked at several places in both the public and private sector where the IT folks didn't even get proper security certificates. So when you go to their websites, or some internal servers, you'd be greeted with 'invalid certificate' warnings and just take it as normal.
One company I worked for was an IT security company whose main services were conducting C&A activities for government and private sector agencies. You can't even go to their company website (https) without getting an invalid certificate warning. You would think a company that is trying to get their name out there in the IT Security world would 'do it right.'
The browsers only show it for https (Score:3, Interesting)
The big problem that keeps most users from understanding the warnings (thereby making the warnings useful), is that the warnings are only shown when https is used. This leads to the ridiculous and misleading situation where..
..browsers like Firefox 3 (probably the worst of the bunch, in this regard) makes the user think that an uncertified identity is unusually vulnerable to eavesdropping, when in fact it's vastly more secure than 99.9% of their web usage. They see the message and think something exceptional and more worrisome than usual has happened.
And this implication is utterly false. An identity being certified by someone the user trusts, is the actual exceptional situation (at least right now, until serious efforts are ever made to secure the web). Not being sure who you are talking to (thus, you might be getting MitMed), is the "normal" situation.
Firefox 3 makes the classical mistake of trying to enumerate the bad things that can happen (as though a typical user understands what those bad things are); block or display a warning when it doesn't know who is on the other end (and then it totally flubs up even this mistake, by only doing it sometimes), instead of pointing out when things are going right (the unusual case where you actually know whose webserver you are talking to, and know that you're not being eavesdropped).
I think the core reason that browser people keep getting this wrong (and evolve toward getting things wronger in the case of Firefox), is that they think the protocol displayed in the URL bar, is an important part of the UI. They think that when "https" is in the URL bar, then the requirements have changed and the browser should behave differently than when "http" is displayed. Joe Sixpack doesn't even know what SSL is, though, much less understand how it works. As long as we pretend that Joe Sixpack understands key exchange and identity certification, the browsers are going to have horrible UIs.
https is something the user enters (either directly, or by clicking a link). It cannot ever signal the user agent's evaluation of the situation's security. The padlock/keyhole/whatever icon is for that, as is a color added the URL bar or an icon to the left of it, or a look-at-this-cert popup (whatever--the point is, it's information provided by the browser, not the user). Use of SSL doesn't mean you need MitM protection. Whatever the user is doing (e.g. entering bank account access credentials, as opposed to, say, reading Twitter) dictates whether or not they need to see the padlock icon.
What really ironic is the Firefox 3 does do the right thing just left of the URL bar. When the user wants to know how safe things are, the FF3 actually team gave them a pretty good UI for that. But the obtrusive cert warning that happens when (and only when!?!) using SSL, is totally stupid. It's like part of the FF team had a clue, and part didn't, so they compromised on something half-assed.
Re: (Score:2)
If you don't have a CA-signed cert, the connection is not secure.
Re: (Score:2)
Re: (Score:2)
I get a offer for Comodo through my domain registrar that's like $15/year. I don't use it, as I go through Thawte for my stuff because I always have and don't want to screw with changing it, but if you look around it's not hard to find browser-preloaded CAs at reasonable prices.
Re:Not many people have the money... (Score:4, Interesting)
Re:Not many people have the money... (Score:5, Insightful)
Anyone willing to screw lots of people, each out of thousands of dollars, is also willing to game the CA system with stolen credit cards.
It is all about trust. If you can't trust the signing authority, how can you trust the signer?
Re: (Score:3, Insightful)
"Legitimate sites will not do this" == lie. Seriously guys, fucking grow up. The number of changes I have had to make to firefox in code (not about:config, code) to disable autocomplete prevention, self-signed certs, etc...it's getting frustrating.
Re: (Score:2)
Exactly. My bank can spring for a paid certificate, but everyone else is free to make them on the spot. I'd love it if there was a way to tone them right down. The "add an exception" mechanism in Firefox 3+ are really fucking annoying.
Re: (Score:3, Insightful)
Exactly. My bank can spring for a paid certificate
Sure they can! Because those asswipes have a ton of fucking taxpayer money!
You are correct. The cert. method in FF3 sucks big time.
Re:Maybe Firefox will Chill Out now (Score:4, Informative)
Uh, no, they'd better not be doing that. A certificate authority (CA), in order to be recognized by any of the major browser vendors, is required to contact the people responsible for a domain before issuing a cert for that domain. Normally, the CA does this by sending email to the contact addresses in the domain's whois record. Unless one of those contacts clicks a link or takes some other action to confirm that the person is authorized to obtain a cert on the domain's behalf, the CA is not allowed to issue the cert. Some CAs will also allow certified letters from the registrar if your whois contact info is stale, but that's likely to be an even bigger hoop.
If you know of a CA that is violating this policy and is just issuing a cert if the credit card clears, please contact every browser vendor out there, and that CA will immediately cease to be a recognized CA.
Re: (Score:3, Insightful)
Here's a neato business plan. Buy a bunch of certs. Sell them to other people. http://www.google.com/search?q=anonymous+ssl+cert [google.com]
Of course, if all it takes is an email from the domain you just registered for your phishing site, how is it that you won't get the email? I once bought bought cheap cert from godaddy for a site I ran (legit site) -- I never got a phone call. What's an email prove -- nothing except I can fill in some forms on a webhost admin console to set up an email. It doesn't say a thing
Re:Maybe Firefox will Chill Out now (Score:5, Informative)
Standard certs do nothing to establish identity. They merely establish that the site is not being spoofed. Thus, the purpose of the whois email verification is not to prevent illegitimate sites from getting certs. The purpose of the whois email verification is to ensure that I can't get a cert for www.bankofamerica.com, hack an ISP's DNS server to redirect their traffic to my site, and pose as Bank of America. For those purposes, it is sufficient to merely require that the domain owners confirm via email that the request was authorized.
If you want to confirm that a domain owner is in any way anything approaching a legitimate business, that's what an EV cert is for. Only an EV cert establishes identity in any way.
Confirm via email?.. (Score:3, Insightful)
Standard certs do nothing to establish identity. They merely establish that the site is not being spoofed. Thus, the purpose of the whois email verification is not to prevent illegitimate sites from getting certs. The purpose of the whois email verification is to ensure that I can't get a cert for www.bankofamerica.com, hack an ISP's DNS server to redirect their traffic to my site, and pose as Bank of America. For those purposes, it is sufficient to merely require that the domain owners confirm via email that the request was authorized.
..right.. but how does the email get delivered? if the bad guy has hacked the right dns server he can tailor the MX record as well and get the "confirm you want a certificate" email delivered to himself...
Re:Maybe Firefox will Chill Out now (Score:5, Interesting)
Get a free certificate, then. http://www.startssl.com/ [startssl.com] generates basic certificates at no charge. It works in most major browsers, and IE support is expected in the near future. Now that startssl exists, there's really no excuse for self-signed certs even inside a corporate firewall, much less for a real public website.
Free, schmee, that is not the problem at all. Why in hell should I trust someone ELSE to verify my ownership of a domain name on MY internal network? The real problem is everything using their own damn CA lists, making it impossible for us to easily publish internal CA certs. Subversion has one, Windows has one, OS X has one, Gnome probably has one, Firefox has one, Java has one, SSH does NOT have one, etc, etc, etc.
Why aren't CA's delegated just like DNS is? I own all of foobar.net, so grant me an intermediate CA responsible for only *.foobar.net and let me verify & issue certs for my own fraking domain names (internal or NOT!). It is much easier to chain an intermediate cert to the server than add a new internal CA to the clients. Obviously, distributing trust to the rightful owners cuts the CA roots out of their silly trust monopolies.
The determination of who owns a domain name TWICE, for registration & certification is a straight up failure. Own the domain, you should own the CA authority, stop owning it, your cert chain is revoked.
Re:Maybe Firefox will Chill Out now (Score:5, Informative)
Right now, the only suitable infrastructure for such delegation is DNS. And it's horribly insecure for such things.
Fortunately, it'll become possible with DNSSEC. Indeed, there are groups working on certificate delegation via DNS.
http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F10467%2F33214%2F01565268.pdf%3Farnumber%3D1565268&authDecision=-203 [ieee.org]
Re:Maybe Firefox will Chill Out now (Score:4, Insightful)
A company which is running their own CA for internal use should have the means to install that CA on each workstation -- thus, no warning, and as a bonus, no possibility of MITMs inside their network.