Google boffins PROVE security warnings don't ... LOOK! A funny cat!

The revised SSL warning interface introduced in Chrome 37, designed to teach users more secure behaviours, was only a partial success – according to the Chrome security team's own analysis. Confusing security warnings serve only to make users more insecure and normalise risky behaviours, according to Google. To try and beat …

  1. Anonymous Coward
    Alert

    POPUP ALERT!

    Maybe part of the problem is that ANY popup warning is often viewed with suspicion when it appears. Except by those with sixth-grade reading comprehension...

    1. gollux

      Re: POPUP ALERT!

      Flash and Java popup alerts are always a good indicator you're on a compromised WordPress website...

      Not that your long removed and nonexistent Oracle Java is in need of upgrade.

      Or not that your recently manually upgraded Adobe Flash player is defunct because you didn't want to wait till the automatic update kicked in and you finally gave in and installed Flash Block because you don't really trust that the latest upgrade actually did anything (aka January 2015 0-day fatigue)

      The annoyance continues with all the other popups including the marginal security goofery mentioned.

    2. TheVogon Silver badge

      Re: POPUP ALERT!

      Always good to start a story with nice pussy shot.

  2. Stu 18

    Did they study the prevalence of bad certificates at the same time?

    I have numerous sites I interact with where I have to click past warnings because they are internal, registered in a different name, etc. Of course I'm careful about what I'm doing and I realize there is a risk associated with this practice.

    Unfortunately for Google I would add to the numbers that bypass the 'back away' button and they might not know that I'm fully aware of what I'm doing.

    At the end of the day, some of these things are similar to 'Caution: hot drink is hot'. If the users (you have / want) are that ignorant of the issue, the technology needs to change to cater for them - which may make it unusable and inefficient in the short term.

    As mentioned, a key reason for error message fatigue is the fact that often they are misleading, attempts at automated help often cause more problems or are simply wrong or obfuscated with web links to dead ends or gibberish (thank you Microsoft), and any app on the machine can make them.

    I think something like channeling through the OS / embedded AV (to check legitimacy) might be an option if you wanted to properly re-think things.

    1. Anonymous Coward

      Re: Did they study the prevalence of bad certificates at the same time?

      Agreed.

      My favorite yearly activity at work is clicking on "Ignore" for the SSL warning before completing the required IT Security Awareness Training in which they tell you you're never supposed to click on "Ignore" when you see the SSL warning.

  3. Steve Knox

    I've seen and bypassed this message.

    I do it regularly for one specific case: when I need to use the change management site we use at work.

    It's an internal site with a self-signed certificate, and a specific internal address.

    If there were an intuitive way in Chrome to trust the self-signed certificate, I'd do that and be done with it.

    As it currently stands, it's less work to ignore the warning.

    Want to improve compliance, Google? Make it easier for your users to configure your software to work in their environment.

    1. Robert Helpmann?? Silver badge
      Childcatcher

      Re: I've seen and bypassed this message.

      Want to improve compliance, Google? Make it easier for your users to configure your software to work in their environment.

      My impression of most Google offerings purportedly targeting the business environment is that they are trying to undermine their competition by offering "free" services, not so much that they are trying to offer customers good quality. They have improved since I first had to deal with their products, but they still don't seem to get corporate environments.

      1. gollux

        Re: I've seen and bypassed this message.

        My impression of most Google offerings purportedly targeting the business environment is that they are trying to undermine their competition by offering "free" services,

        Free consumer grade services at that even if you're paying for it.

        Every time you get used to something being useful in business, Google changes it to be more touchy-feely and social, often gutting the reasons you started using it in the first place. I've come to despise Google Apps.

    2. Dan 55 Silver badge

      Re: I've seen and bypassed this message.

      Self-signed certificates should be warned something like this...

      This is a private connection but the other party is unknown.

      You should never see this message with banks, online shops, or email providers. If you are trying to connect to one of these, your connection has been compromised - go back now (link).

      You often see this message with home router administration pages or Intranet sites.

      Continue just this time (link).

      Continue and don't warn me again about this connection (link).

      See? Not that difficult.

      1. Bucky 2

        Re: I've seen and bypassed this message.

        Self-signed certificates should be warned something like this...

        I would agree that your message is clear and correct.

        However, I don't think you've worked much in support. A message like this is too long.

        *ring* *ring* "Hello, I got an error message."

        "What did it say"

        "I don't know. Party something."

        1. Anonymous Coward

          Re: I've seen and bypassed this message.

          @bucky2

          How did you get tab spacing for the quote?

          1. dogged

            Re: I've seen and bypassed this message.

            By using the blockquote tag.

            1. Anonymous Coward

              Re: I've seen and bypassed this message.

              blockquote never worked for me

              <blockquote>Test1 Test2 Test3</blockquote>

              [blockquote]Test1 Test2 Test3[/blockquote]

              See?

              1. dogged

                Re: I've seen and bypassed this message.

                Hmm. Let me try that -

                Test1 Test2 Test3

                Maybe it's a badge-related thing? I literally copied your text into my post.

                1. Anonymous Coward

                  Re: I've seen and bypassed this message.

                  Which one did you use? <blockquote> or [blockquote] I'll assume the former.

                  1. dogged

                    Re: I've seen and bypassed this message.

                    The former is correct. I dunno, is badge-rep (and functionality) switched off when you post AC?

                    Maybe try a non-anon post (in a different topic or one of the forums, natch) to test it.

                    1. Anonymous Coward

                      Re: I've seen and bypassed this message.

                      testing as anon -

                      All anonymous cowards should be shot

                      Okay, guess that's not the problem. You're not using Opera Mini or something that pre-sanitized your POSTed data, are you?

                      1. Anonymous Coward

                        Re: I've seen and bypassed this message.

                        Nope, I'm really not sure what causes it, I've tried both Comodo Dragon and Mozilla Firefox without plugins.

                        I'm also not using any security software other than basic antivirus; this broken behaviour predates the antivirus installation so it's not that.

                        <blockquote> test </blockquote>

    3. Buzzword

      Re: I've seen and bypassed this message.

      Can't they just detect intranet sites and adjust the message accordingly? If the address resolves to 10.*.*.* (or any of the private IP ranges) then make the security warning less intense. Now, where do I collect my cheque from Google?

    4. idiotsavant

      Re: I've seen and bypassed this message.

      The Windows version of Chrome uses the OS certificate store rather than maintaining its own (like Firefox), which makes it hard to handle accepting self-signed certs you're sure are legit directly from within the browser in a user friendly way. You have to import it via the Windows "Internet Options".

      1. LDS Silver badge

        Re: I've seen and bypassed this message.

        Only if you can't code for Windows properly:

        https://msdn.microsoft.com/en-us/library/windows/desktop/aa382368(v=vs.85).aspx

        1. Dan 55 Silver badge
          Happy

          Re: I've seen and bypassed this message.

          This is what Firefox says about that page...

          Secure Connection Failed

          An error occurred during a connection to msdn.microsoft.com. The OCSP response contains out-of-date information. (Error code: sec_error_ocsp_old_response)

          The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

          Please contact the web site owners to inform them of this problem.

          1. Anonymous Coward

            Re: I've seen and bypassed this message.

            "The OCSP response contains out-of-date information. (Error code: sec_error_ocsp_old_response)"

            Thank you for a perfect example of exactly what this article is about.

    5. dogged

      Re: I've seen and bypassed this message.

      > If there were an intuitive way in Chrome to trust the self-signed certificate, I'd do that and be done with it.

      Stop using Chrome.

      Firefox can do it. And it contains no spyware.

    6. Tom 38 Silver badge

      Re: I've seen and bypassed this message.

      Install the certificate in chrome? Takes about 30 seconds.

  4. Flat Phillip
    Unhappy

    They are pretty awful messages

    I saw this one today:

    A secure connection cannot be established because this site uses an unsupported protocol.

    Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

    I think it means the website is using an old version of SSL, possibly SSLv3; maybe.

    Those sort of error messages bug me, you KNOW what is wrong Mr Chrome but you give me a message with OR in it. Firefox was a little better with:

    Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

    And IE? Well IE 8 just worked fine with no error message at all.

  5. RISC OS
    FAIL

    Attackers...

    ...might be trying to steal your information... jesus? Attackers?? lol

    What's next? Terrorists?

    FAIL

    1. Def Silver badge

      Re: Attackers...

      As opposed to Google who are openly slurping as much information about you as possible to sell on to advertisers.

      I suggest Microsoft add similar warnings to Windows for when Chrome starts

      1. Tim Jenkins

        Re: Attackers...

        "You have just clicked on a Google AdWord-promoted site link which will happily charge you an 'administration fee' for an otherwise free UK Government or other service. But we don't care, because we got our cut. So go right ahead. It's fine. Honest. Look; we're Google, would we lie to you?"

  6. h4rm0ny

    I can get it higher. Try this:

    "Your neighbour or that person over there at the next table could be looking at your screen right now. See that little padlock icon at the bottom that is red? That means you're broadcasting what you're doing right now."

    Make it personal. It might not be completely accurate but mostly people are using Wi-Fi these days so it's good enough. But the real problem that leads to people ignoring the warnings is that they simply don't know what they can actually do about it. A warning saying "bad things might be happening" is just clutter if it doesn't tell you how to fix it. So a person wants to visit site X. They get a warning. What next? Don't go to site X, or make an uninformed choice about whether the risk is worthwhile and carry on. They don't know what the risks actually are, warnings are routine and people mostly think it won't happen to them, so they go to the site anyway.

    There are only two ways to fix this. Either make your browser refuse to use a site where the certificates mismatch, no "ignore this" button. Or get things to the point where it is so rare that people actually are spooked by such a warning.

    I don't think the second is happening any time soon, though the first would be a massive impetus to bring about the second. I actually would be in favour of the first if public certificates weren't such a money-making racket.

    1. DropBear Silver badge
      Facepalm

      Either make your browser refuse to use a site where the certificates mismatch, no "ignore this" button

      Oh, they did that. Don't ask me the specifics, but it was some sort of SSL/certificate problem, and Chrome flat out refused to show me the site, no overrides. The result? I found the command line argument that could be used to override this, and now use it by default - because what the IDIOTS devising these schemes don't understand is that 99% of the time IT DOESN'T MATTER if the entire living population of Earth is queuing up behind me to look over my shoulder - the ONLY thing that matters is that I want to see that page. NOW.

      Now, if I were to be doing something truly sensitive or handle private data like payment / address information etc, THEN I would very much pay attention to something like this and probably turn back. But as long as all I'm trying to do is get to, say, wikipedia I - just - don't - care...!

      1. Anonymous Coward

        Why no warning for HTTP?

        HTTPS with a bad or self-signed certificate is better than HTTP - it's protected from passive sniffing - and certainly no worse.

        So surely it makes no sense to give a scary warning for a HTTPS site with a bad certificate, but no warning at all for HTTP. How many people look at the letter 's' in the URL bar?

        I suggest browsers should show:

        - red (and no padlock) for both HTTP and HTTPS with bad cert

        - a severe warning message which interrupts your workflow, if you try to POST a form containing any sort of text field, or use HTTP basic auth, over either HTTP or HTTPS with bad cert

        The flaw in this argument is cookies. Some cookies contain an authentication token which could be used to impersonate you; but the majority are just tracking junk. So unfortunately, you can't just give a blanket warning for all cookies which are sent over an insecure channel.

  7. thomas k.

    Hey!

    You said there was a funny cat picture but there wasn't. Bastards!

    1. Robert Helpmann?? Silver badge
      Childcatcher

      Re: Hey!

      What? No cat picture? FTFY!

  8. Ian Emery Silver badge

    Google need to fix their own issues

    I get security alerts for Gmail 3-4 times per week when trying to log in via Thunderbird, and this week it kept throwing password errors - before admitting it was blocking TB for being an insecure program!!

  9. Joseba4242

    “We attribute the low comprehension rates to the difficulty of creating an SSL warning that is simultaneously brief, non-technical, simple, and specific”

    What's the solution? Changing the wording of the warning clearly isn't sufficient. As long as the browser doesn't have sufficient information to distinguish a harmless forgotten renewal or incorrect local configuration from a genuine attack that problem will remain.

    I believe we need new protocols and infrastructure that focus on the negative validation case. The client such as a browser needs more information to make an informed risk assessment. For example:

    - has the certificate recently changed

    - do I get the same certificate as other clients

    - do other clients also have certificate failures or is it only me

    - would it validate ok if the client had a missing root certificate

    - contact the certificate issuer in case a client verification fails

    Telling the average user to not proceed any time there is a certificate error is not realistic or practical. With such additional information however the client could distinguish between a low-risk configuration error and high-risk targeted attack and hence make clear recommendations that can sensibly be followed.
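    As an added illustration of the kind of multi-signal risk assessment proposed above (and of Buzzword's earlier suggestion in this thread that a private intranet address should soften the warning), the following is example code written for this page, not code from the article, the Chrome team or any commenter. The signals, weights and thresholds are assumed heuristics, and the host names, addresses and fingerprints are constructed sample values.

```python
"""Added example: classify a failed certificate validation from several signals.

Assumed heuristics (not from the article): a certificate that differs from what
this client or other vantage points saw before is treated as high risk; a stable
certificate, a recent expiry, a root missing only from the local store, or a
self-signed certificate on a private (RFC 1918) address looks like a
configuration problem. All fingerprints and addresses are constructed values.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import ipaddress


@dataclass
class CertFailure:
    host: str
    resolved_ip: str
    error: str                   # "expired", "self_signed", "name_mismatch", "unknown_issuer"
    fingerprint: str             # SHA-256 of the presented leaf, hex (constructed)
    not_after: Optional[datetime] = None          # expiry of the presented certificate
    last_seen_fingerprint: Optional[str] = None   # what this client pinned on earlier visits
    peer_fingerprints: List[str] = field(default_factory=list)  # what other clients saw
    peer_failure_rate: Optional[float] = None     # fraction of other clients also failing
    valid_with_extra_root: bool = False           # chain verifies once a missing root is added


def assess(f: CertFailure, now: datetime) -> Tuple[str, List[str]]:
    """Return ("low" | "medium" | "high", reasons) for one failed validation."""
    hits: List[Tuple[int, str]] = []  # (score delta, human-readable reason)
    # Has the certificate recently changed? (trust-on-first-use comparison)
    if f.last_seen_fingerprint is not None:
        if f.last_seen_fingerprint != f.fingerprint:
            hits.append((3, "certificate changed since last visit"))
        else:
            hits.append((-2, "same certificate as on previous visits"))
    # Do I get the same certificate as other clients?
    if f.peer_fingerprints:
        if f.fingerprint in f.peer_fingerprints:
            hits.append((-2, "other clients receive the same certificate"))
        else:
            hits.append((3, "other clients receive a different certificate"))
    # Do other clients also fail, or is it only me?
    if f.peer_failure_rate is not None:
        if f.peer_failure_rate >= 0.5:
            hits.append((-1, "failure is widespread: likely server misconfiguration"))
        else:
            hits.append((2, "only this client fails validation"))
    # Would it validate if the missing root certificate were installed locally?
    if f.valid_with_extra_root:
        hits.append((-2, "chain verifies with a root missing from the local store"))
    # A certificate that lapsed within the last month looks like a forgotten renewal.
    if f.error == "expired" and f.not_after and now - f.not_after < timedelta(days=30):
        hits.append((-1, "expired less than 30 days ago"))
    # Self-signed on a private (or loopback) address: typical intranet or router page.
    if f.error == "self_signed" and ipaddress.ip_address(f.resolved_ip).is_private:
        hits.append((-2, "self-signed certificate on a private address"))
    score = sum(delta for delta, _ in hits)
    level = "high" if score >= 2 else "low" if score <= -2 else "medium"
    return level, [reason for _, reason in hits]
```

    With no corroborating signals at all the function deliberately returns "medium", which is the situation today's browsers are in: the wording of the warning cannot be improved much without the extra information.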

  10. Lallabalalla
    FAIL

    Please contact the web site owners to inform them of this problem.

    Using the contact details provided on the page we won't let you access.

    "No keyboard detected. Press F1 to continue"

    1. Anonymous Coward

      Re: Please contact the web site owners to inform them of this problem.

      abuse@, webmaster@ or check whois, but anyone who knows that will probably also know what to do with the warning without contacting anyone.

  11. Alistair Silver badge
    Coat

    Ummm? what?

    "“We ultimately failed at our goal of a well-understood warning. However, nearly 30% more total users chose to remain safe after seeing our warning,” the paper says."

    Umm -- they chose to uninstall chrome?

  12. Florida1920
  13. ilmari

    I totally ignore SSL warnings for some sites. Example: I don't care if the 4chan connection is secure; whether cat photos leak to third parties or not makes no difference to me. And, if I was posting something more sensitive and less legal than cat photos, SSL is still useless, as it's permanently broken and insecure.

    Did their survey take into account these "User's level of safety isn't changed by the use or nonuse of a proper SSL connection"?


    1. Old Handle
      Flame

      This is what I hate about these warnings. Against all logic, whoever designed them seems to think a self-signed certificate or an expired one is more dangerous than no certificate at all. Clearly that isn't true. In fact right now I'm about to submit a form over an unsecured connection, and Firefox won't say a thing.

  14. Anonymous Coward

    Tossers

    Making everyone use SSL for everything is pointless and will ensure that ordinary folks get more and more security warnings, which they will continue to ignore as it stops them getting where they want to go.

    Who cares if someone snoops on me reading a "how to take funny cat pictures" article?

    If Google want to improve security, they want to start by collecting less information on their "products".

  15. Andrew Punch

    What about scam HTTP sites

    Most paypal / bank scam websites I have seen use plain old HTTP then just copy+paste the real site's design and graphics - which people fall for.

    As such why do these HTTPS improvements matter?

  16. Marketing Hack Silver badge
    Pint

    Could these Google pop-ups be used as a phishing tool?

    Leaving out the whole issue of user non-compliance because we've all been conditioned to either block or instantly close any pop-ups that come our way, could someone insert a seemingly-concerned popup that says "Your session is not safe--click here!" and then it hijacks the user and takes them to a compromised site, or installs some malware?

    No surprise to me that this is where we are, but it seems that the real problem is that we need smarter users and dumber criminals.

    Since we have yet to find a way of accomplishing that, I am going to do the next best thing and drink on it.

  17. moiety

    Just helping with the SEO...

    My goodness! That is the best pussy close up I have seen so far this week.

  18. southen bastard

    the answer is to use cat photos

    the answer is to use cat photos. Scary pussy when you should not go there (maybe with a dog in it)

    happy pussy when all is good, timid pussy when you need to be careful,

    Google has lots of photos of cats it could use without incurring copyright (ha ha)

    could even have constantly changing photos so you were never sure what was going on (so M$ users feel at home)

    good for ages 3 - IT manager
