UI for secure web and email

Albert Cahalan acahalan at gmail.com
Wed Oct 3 23:19:14 EDT 2007


Starting with the browser...

The usual "secure site" icon and "bad certificate" warnings
have lots of problems.

They don't address the common problems well, they annoy and
confuse the user, and they train users to bypass security by
clicking OK.

A common attack is to hack into the web server, often via a
flaw in shared hosting. The attacker can then use the site's
certificate. A secure icon gives a false sense of security.

Another common attack is to use look-alike domain names, now
including international domain names. Then there are two things
the attacker can do. The attacker can live without a certificate.
(People don't notice, don't understand, and/or just take the risk
because they want to use the web site.) The attacker can get a
certificate for their own site. (1aptop.org, laptop.org.ru,
laptop.or, etc.)

Prompting the user for every bad certificate makes things worse.
If the user can click "OK" to make technobabble go away, they will!
When this happens often, "click OK" becomes a subconscious activity
that the user performs to make the computer go -- kind of like
pedaling a bicycle. Microsoft Windows users are often mostly unaware
of the things they click through, because they click so often.

A redesign is in order, maybe along the lines of ssh. Note that ssh
doesn't bother the user much unless the server's identity suddenly
changes. If that ever happens, the user has to take more extreme
measures to make the problem go away.

For a web browser this would mean keeping certificates of visited
web sites for a while (suggestion: one month) so that web sites
with unexplained certificate changes could be blocked. There would
not need to be anything else to mark a "good" or "bad" certificate;
that would be UI noise that the user will ignore or worse.

BTW, the ssh method could work well for email too. Email signing
has been inhibited because nobody wants to mess with complicated
crypto systems. If the public keys were always passed around, then
we'd be able to detect most problems. We could do this without
having to pester the user with technobabble in the normal case.
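As an added illustration of the ssh-style scheme sketched above for both
the browser and email (this is example code, not part of the post or of
any OLPC software), a minimal trust-on-first-use store: it remembers a
digest of the certificate (or public key) seen for each host, stays silent
while it is unchanged, forgets it after the suggested one month, and hard-blocks
an unexplained change instead of offering an OK button. The injectable clock,
the class and function names, and the sample DER bytes are all assumptions made
up for the example.

```python
import hashlib
import json
import time

# The post suggests remembering a site's certificate for one month.
RETENTION_SECONDS = 30 * 24 * 60 * 60


class TofuCertStore:
    """ssh "known_hosts" for TLS or email keys: trust on first use, say
    nothing while the key is stable, block hard when it changes."""

    def __init__(self, now=time.time):
        self.now = now    # injectable clock (assumption, for testing)
        self.seen = {}    # hostname -> [sha256 fingerprint, last_seen]

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # Compare a digest of the DER blob, as ssh compares host keys.
        return hashlib.sha256(cert_der).hexdigest()

    def check(self, host: str, cert_der: bytes) -> str:
        """Return "first-seen", "ok" or "blocked"; never a user prompt.
        Keyed on the exact hostname, so a look-alike such as 1aptop.org
        is simply a new host: this scheme does not address that attack."""
        fp = self.fingerprint(cert_der)
        t = self.now()
        entry = self.seen.get(host)
        if entry is None or t - entry[1] > RETENTION_SECONDS:
            # Unknown host, or not visited for a month: accept silently.
            self.seen[host] = [fp, t]
            return "first-seen"
        if entry[0] == fp:
            self.seen[host] = [fp, t]   # refresh the retention window
            return "ok"
        # Changed within the window: block, with no "click OK" escape hatch.
        return "blocked"

    def forget(self, host: str) -> None:
        """The deliberate "extreme measure", like deleting a known_hosts line."""
        self.seen.pop(host, None)

    def save(self, path: str) -> None:
        with open(path, "w") as f:
            json.dump(self.seen, f)

    def load(self, path: str) -> None:
        with open(path) as f:
            self.seen = json.load(f)
```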

See also:
https://dev.laptop.org/ticket/3602  secure site icon
https://dev.laptop.org/ticket/542   dialog for SSL
https://dev.laptop.org/ticket/17    email
