Google study finds users ignore Chrome security warnings

You're surfing the 'net when Chrome decides not to bring you the web site of your choice, but instead a page warning that the site you'd hoped to visit might be bogus or contain malware. Do you: (a) Click on “Proceed anyway” because you really want to see the cat picture someone Tweeted to you; (b) Click “Back to safety” …

COMMENTS

This topic is closed for new posts.

    1. Anonymous Coward

      Re: Do it to see what's there

      Lol Linux

    2. Rukario
      FAIL

      Re: Do it to see what's there

      @Justin: Indeed. Notice that the browser/OS combinations with the largest proportion of clickthroughs tend to be the ones most used by sysadmins, especially when using a Linux machine to investigate pages that users have received warning messages about. I've had Trend Micro tagged by Google as a malware site. The more this keeps up, the greater the chances of users going on to a real malware or phishing site, because of the number of false positives.

  1. Anonymous Coward

    That's bloody rich! Google Chrome = malware

    ......when distributed as an unwanted, totally irrelevant and completely unnecessary piece of parasiteware, with Foxit PDF reader, with the "Please install software that's so crap we had to distribute it like malware" selection box neatly pre-ticked.

  2. TeeCee Gold badge

    Well, colour me surprised!

    Let's have a look at why people use Chrome:

    "Well its safe innit? Evverywun on teh internets sez use Chrome not IE cos Chrome's rilly safe and cant be pwned. Must be rite cos it sez so on teh internets.".

    They then ignore the warnings because they're sure that Chrome will prevent anything nasty happening anyway.

    It does not matter what you use. The largest security loophole on any combination of machine and software is the idiot sat in the chair using it. Telling people that such and such software is somehow inherently safer is counterproductive and just leads them into a false sense of security.

  3. Parax

    Phising Hazard

    Once you know it's a scam what's the harm in learning how it intended to scam you?

    How is "click through curiosity once alerted" accounted for?

    Obviously same does not apply to security vuln's.

    1. Parax

      Re: Phising Hazard

      *[Phishing]

      Oh for an edit.

  4. Harry

    The study's authors ... are not sure why Chrome users are so blasé.

    My guess:

    1) People who have Firefox usually installed it because they thought it was a better browser.

    2) People who have Chrome probably installed it for no better reason than some other program came with a pre-ticked option to install Chrome alongside the other program. Often, they are only using it because it installed itself as the default browser and they don't know how to change it.

    And so, by marketing Chrome in this insidious manner, it's surely expected that it will have a greater proportion of less-intelligent users?

    Simple answer -- stop bundling Chrome with irrelevant stuff and it will progressively gain users with greater intelligence, those who are using it through choice not through deceit.

  5. Azzy

    Maybe Chrome users click through more because they're aware of Chrome's reputation for security?

    Chrome has consistently done the best out of the mainstream browsers on security tests (ex pwnium, etc). Maybe the users are more likely to be like "So what if the site pushes out malware. I'm on Chrome, the malware won't pwn me"?

    The thing is, when you pop up a malware or cert warning, with the only option being ignore or leave, you are asking people to stop the task they were trying to do - and the only way to move towards their goal is to ignore the warning entirely. They could improve the effectiveness of these warnings by giving us an alternative other than all or nothing...

    They should always give an option to proceed with JS and all plugins disabled.

    For cases where the warning is one of those "Site X contains content from Site Y which is known to distribute malware" - which are almost always caused by an ad network getting hacked and filled with malware - why is there no option to "Proceed, but block all content from site Y"?

  6. RonWheeler

    Some of the warnings are crap

    I quite often ignore their warnings. Why? Some of the warnings are crap. Not all, but some. What Google don't acknowledge is there are the collateral damage blocks from as using the www equivalent of Spamhaus blocklists. So if people get away with it 'I understand the risks durpy durp durp durp' once....

    Do Google publish their false positive statistics?

  7. Anonymous Coward

    My Experience

    I click through that security warning two times a day every day on my phone. The guest wifi redirect at my place of employment has a bad security certificate. Every day I tap the proceed anyway button and log in. No malware.

    At home I've seen it from time to time and turned back.

    I'd wager a lot of the people using Chrome are smart enough to know when it is a valid or invalid warning, and many of them probably have strong enough security software that they're confident if their browser gets pwnd it won't hurt them anyway.

  8. Anonymous Coward

    Computer insecurity ..

    I don't care anymore, as everyone from the Council to the Binman has access to 'my' computer ..

    Extent of council spying revealed, Mar 2009

  9. Chris Beach

    Misleading Stats Again

    I sometimes do and sometimes don't ignore the warnings, I ignore them when going to my NAS drive site, because I know why Chrome isn't happy. And I ignore it other times as well, but I don't always ignore it.

    It all depends on what I clicked on, if I'm fairly sure it's just a miscategorisation then I'll proceed.

    And there are no stats that are going to tell Google that.

    For me to never ignore it, then they need to be damn (as in 100%) sure it's a harmful site which isn't doable, or have an 'I trust this site' checkbox.

    Then the stats might actually be saying what you say they're saying now!

  10. Robert Carnegie Silver badge

    Yes on the internal net, no in the outside world

    Any business up to Microsoft is liable to let its certificates and even domain name registrations expire. And as for providing up-to-date secure access for your own employees on the intranet, don't be silly. Even though paying your workers to click "Ignore" whenever the security warning appears also costs money, a second at a time.

    And even though this is just how they'd be informed if they were tricked into going to a resource that is -not- on the internal network.

    On the other hand, if I'm searching for something arbitrary, not specific, online, and the browser or the search engine says "That web page is dangerous", then I am fairly confident of finding a non-dangerous substitute page with a similar resource.

    Having said that, when I last looked - which is quite a while ago - the Linux-based SystemRescueCD, which I'm inclined to trust, produced a warning from Malwarebytes security software when visiting SRCD's web site, which seems to be because although it's probably clean, it was or is hosted in a bad neighbourhood on the internet: several IP addresses nearby were malware sites.

  11. Badvok

    I wonder how many of these 'click-through' events are people like me accessing their development/test secure sites they haven't bothered getting a proper certificate for yet.
