Google study finds users ignore Chrome security warnings

You're surfing the 'net when Chrome decides not to bring you the web site of your choice, but instead a page warning that the site you'd hoped to visit might be bogus or contain malware. Do you: (a) Click on “Proceed anyway” because you really want to see the cat picture someone Tweeted to you; (b) Click “Back to safety” …

COMMENTS

This topic is closed for new posts.

Anonymous Coward

Dancing Pigs (http://en.wikipedia.org/wiki/Dancing_pigs)

0
0
Anonymous Coward

Not surprising

Is there a correlation between Google and Android security problems and malware?

Or is it the demographic of the users?

2
2
Anonymous Coward
0
0
Anonymous Coward

TY

0
0
Anonymous Coward

Re: Not surprising

I am not surprised, either. Over the past 2-3 years, while reading consumer tech blogs, I've noticed a high correlation between self-professed Chrome use and trolling asshatery. Vitriolic hatred of Firefox and a Top Gun-like "need for speed" are common themes. I am pretty confident these are young male idiots we're talking about.

It takes one to know one, but at least I'm aging out of it.

4
1
Anonymous Coward

Avg. IQ

"...there's no need to feel completely stupid..."

So, if the entire world is stupid, does that make you not stupid? Nope.

1
0
Silver badge
Headmaster

It only applies to women - apparently

from the pdf...

"A user clicks through a warning to dismiss it and proceed with her original task. A user leaves the warning when she navigates away and does not continue with her original task...the user has (1) ignored the warning because she did not read or understand it or (2) made an informed decision to proceed because she believes that the warning is a false positive or her computer is safe against these attacks"

Will someone please teach these academics about the idea that 'he/his' refers to specifically male people, 'she/her' refers to specifically female people - and that if it could be referring to either male or female then the traditional usage is to say 'he or she/his or her' or (my preference, although it is frowned on by classic grammar pedants) to use 'they/their'.

3
13
Silver badge

Re: It only applies to women - apparently

I believe this style (quite common in Google sourced text) is intended to address the historic imbalance of written gender representation, because it is felt to be 'a good thing to do'.

My personal preference would be to write, "When one is presented with a warning which advises one that proceeding further will compromise one's computer security ....etc". People always laugh at me when I do that so I've stopped bothering.

10
1
Bronze badge
Facepalm

Re: It only applies to women - apparently

Except that "he" is the correct word when gender is unspecified, it also happens to be correct for males. Similarly "she" is the correct word if you're personifying an object, such as a boat, car etc and also just happens to be correct for females.

The ridiculous "political correctness" approach of constantly using he/she, or worse using the feminine variants as some sort of gender redressing, just makes people look unbelievably ignorant of their own language.

16
8
Anonymous Coward

Re: It only applies to women - apparently

Given The Rise Of The Machines I use "he/she/it" - you never know.

Plus, some people I have to deal with are more accurately referred to that way, on account of being beaten in the IQ polls by any desk calculator, even with the batteries removed.

7
0

Re: It only applies to women - apparently

'The ridiculous "political correctness" approach of constantly using he/she...'

As opposed to some other form of correctness by using 'he' when gender is unspecified? I tend to use 'he/she' in more formal writing, not for its elegance or its political correctness, but because I find it more accurate. I use 'they' in less formal writing and probably in speech. Perhaps I should use it all the time. It was good enough for Shakespeare. And if it pisses off those who believe there are 'correct' and 'incorrect' forms of grammar, all the better.

7
1
Silver badge

Re: It only applies to women - apparently

I was once told by my professor to replace he/his by she/her because I should not assume people are male…

0
0
Anonymous Coward

Re: It only applies to women - apparently

I hope the new curriculum reintroduces English grammar and literature in some depth.

1. "Man" is the species as well as being used in some contexts to mean a human mail. cf. Dog and dog/bitch.

2. On the same principle, "He" is sexless in the generic sense. "She" is not.

3. Even the Oxford dictionary lists one usage of "they" as the sexless pronoun that can be used when the gender is not known or is irrelevant.

4. "One" is another neutral term, with the added advantage of putting a disinterested distance between the writer or speaker and the subject matter.

I suppose men should complain that their gender is not treated with the respect accorded by a unique indicator.

Pet hates:

Chair or chairperson, showing ignorance and disrespect in one go (can you not see if the person is male or female?).

Unmarried woman using, "Ms", that stood for "manuscript" at one time and is unpronounceable and unnecessary. After all, the convention has long been that, if one does not know, call her "Miss" (I think the very old convention of changing that to "Mrs" for more mature women is gone); married women sometimes kept their maiden name, using "Miss", particularly at work for professional women and actresses (I know a couple who do that for continuity with their pre-married work references and to distance work from private life).

The obsession with sex in all aspects of life, leading to this nonsense of concentrating on one's gender rather than one's abilities and deeds, interpreting all interactions as a competition between the sexes and corrupting language and communication for the narrow concerns of a few who seem to need props.

2
4
Trollface

Re: It only applies to women - apparently

"mean a human mail."

You mean letters and so forth but excluding that sent out by automated systems?

3
0
Silver badge
Coat

Re: It only applies to women - apparently

"on account of being beaten in the IQ polls by any desk calculator, even with the batteries removed."

Wait, if they were being beaten with calculators, doesn't that count as battery regardless of where they were at the time?

4
0

At my company, we ignore those warnings on a daily basis.

Why? Because we do some development and some of our webservers use a basic shared SSL certificate which is proper for just one URL out of 132 people use. So for the rest, people need to ignore those warnings.

Same goes for one of my personal sites which is on a shared hosting account with shared SSL. Every now and then people need to ignore SSL warnings. There are plenty of reasons to ignore SSL certificate warnings unfortunately.

5
1
Silver badge

Agreed. My current workplace does the same thing with test sites. The CSS guys routinely blow through security warnings because that's their job.

0
1
Thumb Up

If you are using ESXi with the default settings then you would need to do this each time you visited the page since that has an untrusted SSL cert.

1
0
Silver badge
Facepalm

No, your certificate master is an idiot

all that needs to be done is for them to generate a wildcard certificate, or, if your network is more than a single namespace, then a wildcard certificate per namespace.

1
0
Silver badge
Thumb Up

Re: No, your certificate master is an idiot

Theodore - I set up a lot of test environments and these warnings tick me off.

I'll have a look at wildcard certs later today (I assume this isn't the same as self-signed certs, as these are what give the warnings) and see if it can help prevent my stabbing hand itch when I'm doing testing.

Ta for that :)

Steven R

0
0
Bronze badge

Re: No, your certificate master is an idiot

If you're using self signed certs internally (which is a perfectly reasonable use of them) then whomever is in charge of your network ought to push them out to users via some out-of-band mechanism. It's not hard to do and it's much better than training users of your corporate network to ignore potential security warnings.

4
0
Stop

Re: No, your certificate master is an idiot

"all that needs to be done is for them to generate a wildcard certificate, or, if your network is more than a single namespace, then a wildcard certificate per namespace."

- sure, that's the normal approach. But the guys here are cheap. The host administrator's protocol doesn't include using wildcards because as they charge a couple of euros per certificate, generating a wildcard certificate isn't really bringing them any profit.

- internally, wildcards are used, but the problem is that in order to comply, we would need to use the form "*.TLD" which is not accepted (still generates warning).

To better understand what I mean, internally we use the form <user>.<language subdomain, 12 variations>.<site name, 132 variations>.<domain, 14 variations>.<environment, 6 variations>.

Even the combination *.domain.environment means 6*14 options, but it doesn't work. The lowest that seems to not generate warnings is *.site.domain.environment. It's much less of a headache to ignore the warnings.

Also, one of the environments is actually an external server that has an internal alias. It already has valid SSL for all sites, but as we usually use the internal aliases (because in that case we can force the site to use an internal CDN for static resources) so not even wildcards help in this case.

Let the warnings ignore rain down.

2
0
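An added example, not part of the comment above or any poster's code: a wildcard certificate name matches exactly one leftmost label, which is why a wildcard placed high in a deep naming scheme still produces warnings. The hostnames are constructed, and rejecting a wildcard with fewer than two fixed labels is a simplifying assumption.

```python
# Added illustration: hostnames are constructed, not taken from the thread.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate dNSName against a hostname, RFC 6125 style.

    '*' is honoured only as the entire leftmost label and stands for exactly
    one label, so it never spans a dot.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Assumption: a wildcard needs at least two fixed labels after it,
        # mirroring the "*.TLD is not accepted" behaviour reported above.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(sans, hostnames):
    """Hostnames that no SAN matches, i.e. the ones that would warn."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


def required_wildcards(hostnames):
    """Smallest set of single-label wildcard SANs covering every hostname."""
    return sorted({"*." + h.lower().split(".", 1)[1] for h in hostnames})


# Constructed names in the <user>.<language>.<site>.<domain>.<environment> shape.
HOSTS = [
    "alice.en.shop.example.dev",
    "bob.en.shop.example.dev",
    "alice.de.shop.example.dev",
    "alice.en.blog.example.dev",
    "alice.en.shop.example.qa",
]

if __name__ == "__main__":
    # A wildcard two levels too high covers none of the deep names.
    print(uncovered(["*.example.dev"], HOSTS))
    # One wildcard per distinct parent; only the <user> label is absorbed.
    print(required_wildcards(HOSTS))
```

A single certificate can list several of these names as subject alternative names, so the count of wildcards is not necessarily the count of certificates.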

Now if this is what they are tracking.. I have to enter a site with a self signed certificate at least 1 time per week for what 15 years now? As a programmer (besides the ones I have generated on my own) I click through the warning a lot in forums, wikis, blogs and source code download sites for individual open source projects.

0
0
Holmes

I routinely track down malware and phishing sites (bit of a hobby, I like figuring out what the crims are up to and how they're doing it), and I generally use Chrome in a VM to do it. So I always ignore Chrome's malware/phishing warning page...not that it matters, since that warning always seems a bit behind the curve anyway.

I had no idea I was cooking the statistics by doing that.

0
0

tracking down malware and phishing sites

That probably explains the high numbers for Linux users going to these sites. I was probably among the 18.2% going to a malware site, and I wonder how many others of that 18.2 are doing it deliberately.

0
0
Silver badge

How did Google get this data ?

How many people are aware that their decisions like this are reported back to google ?

This is a privacy scandal.

0
5

Re: How did Google get this data ?

There is an option to report back at install time. It is not hidden and is right below the set as default option.

2
0
Anonymous Coward

Re: How did Google get this data ?

You're using Google Chrome FFS.

If you are worried about privacy, use SW Iron (or TOR browser) and not something from the world's largest advertising agency.

6
1
Boffin

Re: How did Google get this data ?

When you download Chrome, there is a tickbox option to "Help make Google Chrome better by automatically sending usage statistics and crash reports to Google.". There's a "learn more" link that goes to https://support.google.com/chrome/answer/96817?hl=en This option is ticked by default, but you can untick it if you want.

Information about whether the warning page is used or skipped counts as part of that "usage statistics".

More generally, in order to figure out how to improve a computer program, you need to know how it's used. E.g. if 1% of customers use feature A, and 80% of customers use feature B, then perhaps you should spend more development effort on feature B since improvements there will benefit more people. In ye olde days most companies would just guess what users would do, although some companies ran usability tests where they'd get maybe 10 people to use the software in a controlled lab setting with artificial tasks. Nowadays, it's trivial to measure what the actual users are really doing, which gives you solid data to use to improve your product. That's why Google collects this telemetry.

1
0
Anonymous Coward

Re: How did Google get this data ?

> There is an option to report back at install time. It is not hidden and is right below the set as default option.

Hmm. I hope that data is anonymised, otherwise such an option must be OFF by default and must explicitly (i.e. separately) ask for permission to comply with EU Data Protection laws.

0
0
Thumb Up

Re: How did Google get this data ?

@ alain williams

Actually it's not a privacy scandal, but it does show that many people similarly ignore the "send google info" checkbox that isn't hidden during installation. Presumably a similar percentage to those who routinely ignore safety warnings et al.

4
0
Silver badge
Facepalm

Is this surprising?

If the user was concerned about security/privacy, they would not be using Chrome in the first place.

4
1
Anonymous Coward

Ask yourself this.....

how did these users get Chrome?

a) Went and looked for it, checked out reviews, read its privacy policy and then actively chose it

or

b) clicked on a big icon saying install Chrome or blindly clicked next, next, next when installing "free" software

.

And there folks, is your answer why so many ignored the warnings.

6
1
Silver badge

Re: Ask yourself this.....

Nah, probably through Adobe installs and hundreds of other crapware downloads.

2
0
Anonymous Coward

Re: Ask yourself this.....

This. I think the next time someone hands me a laptop with > 4 IE toolbars and a myriad of fake virus/optimisation/fault-finding scanners I am going to insert it into them.

2
0
Anonymous Coward

Re: Ask yourself this.....

@ Jason

that would be b) then?

0
0
Bronze badge

Re: Ask yourself this.....

> that would be b) then?

If the question is "What ark do these numpties belong on?" then that is the correct answer.

0
0
Bronze badge

Perhaps they should have a proceed with javascript disabled button

Perhaps they should have a big proceed with javascript and plugins disabled button. (And a tiny f*ck it, please pwn my computer button)

3
1
Bronze badge

Re: Perhaps they should have a proceed with javascript disabled button

That's a pretty good idea. It could cover other security risks besides JS too. The only problem that immediately occurs to me is that to do much good it would have to automatically extend whatever restrictions it put in place to other sites linked to from there as well, which could possibly become confusing. Maybe it could open in a new window with some kind of visual cue that everything in there is being treated as suspect.

0
0
Anonymous Coward

In other news....

Dolly Parton sleeps on back.

0
0
Silver badge
Joke

Re: In other news....

I heard someone once say that she slept on her face.

0
0
Silver badge

Here kitty kitty kitty! Here kitty kitty! That's a good little kitty!

"Do you: (a) Click on “Proceed anyway” because you really want to see the pussy picture someone Tweeted to you; (b) Click “Back to safety” because it's not worth having crims empty your bank account for a peek at one cute pussy."

1) When we substitute one euphemism for another, we begin to better understand the situation, which is that:

2) according to empirically verified data, yes, it is "worth having crims empty your bank account for a peek at one cute pussy."

This should help resolve the question of gendered pronouns, as discussed earlier in the thread. But, for inclusivity's sake, maybe not...

0
0

Warning fatigue

I'm quite sure it's caused by warning fatigue. Seriously, who got a certificate warning because of active Man in the Middle? Because that's the only thing that a non self-signed certificate protects you against: active man in the middle. Stuff even PRISM didn't attempt.

We really should opt for SSL everywhere (as in browser tries :443 first), and if the connection is secure, then it shows a padlock/golden address bar/cute pussy.

I need to know if the connection I'm using is secure only if I entered some data on it, not when I just want to read the page!

3
0

Not surprising

Most people have Chrome on their computer, not by choice, but because some other software's update system has installed it for them.

Chrome users are self selected as being most liable to have unwanted software installed on their system.

1
1

We ignore warnings because 99% of the time they pop up out of the blue on sites we visit every single day or when we visit torrent sites.

1
0

Anybody consider a large chunk of these will be from IT folks navigating their internal firewalls or somesuch?

1
0
Anonymous Coward

This isn't tech news per se...

...and I don't mean that disrespectfully to the author or El Reg.

The sort of person that continues at a warning page like this on the open internet, is the same sort of person that falls for scams out there in meat-space. They forward chain letters, make no effort to lock doors, get taken in by frauds, spam their social networking site with chain status updates, forward virus 'warnings' en masse...

We all know this. Most of us have been cleaning their computers up for years. Hell, most of 'em just panic and comply with absolutely anything the computer 'tells' them to do.

Google could change that safety page to a line of drag can-can dancers, and it would make no difference - problem is in the chair, not in the web browser.

0
1

It depends on the context

I don't normally get warnings about malware or phishing sites; if I do I ignore them. I often get warnings about self signed SSL certs or mismatched SSL certs and I consider each one. If I am logging into the admin console of a customer device I know that it's nothing to worry about generally as I trust the management network involved and know the certs are supposed to be self signed. Again when browsing the web if for example my bank site or Facebook presented an SSL certificate error I'd run away! It's not the fact I'm ignoring the warning, I'm considering should this site be using a self signed certificate? Do I need to login to do anything on the site? Are those login credentials likely to cause me a loss (bank or online purchases) or embarrassment (if someone gets my Facebook login details and posts malware or spam as me). Sometimes the user knows best!

0
0

I don't normally get warnings about malware or phishing sites; if I do I wouldn't ignore them and wouldn't continue onto the site in question unless I was just being nosy and was sure I wouldn't be infected myself. I often get warnings about self signed SSL certs or mismatched SSL certs and I consider each one. If I am logging into the admin console of a customer device I know that it's nothing to worry about generally as I trust the management network involved and know the certs are supposed to be self signed. Again when browsing the web if for example my bank site or Facebook presented an SSL certificate error I'd run away! It's not the fact I'm ignoring the warning, I'm considering should this site be using a self signed certificate? Do I need to login to do anything on the site? Are those login credentials likely to cause me a loss (bank or online purchases) or embarrassment (if someone gets my Facebook login details and posts malware or spam as me). Sometimes the user knows best!

0
1

Do it to see what's there

As a "Pro" I have to ignore the warnings and visit the site to see what's been done and how it has been done. I'll be using Linux, naturally.

1
0
