Google study finds users ignore Chrome security warnings

You're surfing the 'net when Chrome decides not to bring you the web site of your choice, but instead a page warning that the site you'd hoped to visit might be bogus or contain malware. Do you: (a) Click on “Proceed anyway” because you really want to see the cat picture someone Tweeted to you; (b) Click “Back to safety” …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Dancing Pigs (http://en.wikipedia.org/wiki/Dancing_pigs)

    1. Anonymous Coward
      Anonymous Coward

      Not surprising

      Is there a correlation between Google and Android security problems and malware?

      Or is it the demographic of the users?

      1. Anonymous Coward
        Anonymous Coward

        Re: Not surprising

        I am not surprised, either. Over the past 2-3 years, while reading consumer tech blogs, I've noticed a high correlation between self-professed Chrome use and trolling asshatery. Vitriolic hatred of Firefox and a Top Gun-like "need for speed" are common themes. I am pretty confident these are young male idiots we're talking about.

        It takes one to know one, but at least I'm aging out of it.

  2. Anonymous Coward
    Anonymous Coward

    Avg. IQ

    "...there's no need to feel completely stupid..."

    So, if the entire world is stupid, does that make you not stupid? Nope.

  3. Pen-y-gors
    Headmaster

    It only applies to women - apparently

    from the pdf...

    "A user clicks through a warning to dismiss it and proceed with her original task. A user leaves the warning when she navigates away and does not continue with her original task...the user has (1) ignored the warning because she did not read or understand it or (2) made an informed decision to proceed because she believes that the warning is a false positive or her computer is safe against these attack"

    Will someone please teach these academics about the idea that 'he/his' refers to specifically male people, 'she/her' refers to specifically female people - and that if it could be referring to either male or female then the traditional usage is to say 'he or she/his or her' or (my preference, although it is frowned on by classic grammar pedants) to use 'they/their'.

    1. frank ly

      Re: It only applies to women - apparently

      I believe this style (quite common in Google sourced text) is intended to address the historic imbalance of written gender representation, because it is felt to be 'a good thing to do'.

      My personal preference would be to write, "When one is presented with a warning which advises one that proceeding further will compromise one's computer security ....etc". People always laugh at me when I do that so I've stopped bothering.

    2. El Andy
      Facepalm

      Re: It only applies to women - apparently

      Except that "he" is the correct word when gender is unspecified, it also happens to be correct for males. Similarly "she" is the correct word if you're personifying an object, such as a boat, car etc and also just happens to be correct for females.

      The ridiculous "political correctness" approach of constantly using he/she, or worse using the feminine variants as some sort of gender redressing, just makes people look unbelievably ignorant of their own language.

      1. albaleo

        Re: It only applies to women - apparently

        'The ridiculous "political correctness" approach of constantly using he/she...'

        As opposed to some other form of correctness by using 'he' when gender is unspecified? I tend to use 'he/she' in more formal writing, not for its elegance or its political correctness, but because I find it more accurate. I use 'they' in less formal writing and probably in speech. Perhaps I should use it all the time. It was good enough for Shakespeare. And if it pisses off those who believe there are 'correct' and 'incorrect' forms of grammar, all the better.

    3. Anonymous Coward
      Anonymous Coward

      Re: It only applies to women - apparently

      Given The Rise Of The Machines I use "he/she/it" - you never know.

      Plus, some people I have to deal with are more accurately referred to that way, on account of being beaten in the IQ polls by any desk calculator, even with the batteries removed.

      1. Eddy Ito
        Coat

        Re: It only applies to women - apparently

        "on account of being beaten in the IQ polls by any desk calculator, even with the batteries removed."

        Wait, if they were being beaten with calculators, doesn't that count as battery regardless of where they were at the time?

    4. ratfox

      Re: It only applies to women - apparently

      I was once told by my professor to replace he/his by she/her because I should not assume people are male…

      1. Anonymous Coward
        Anonymous Coward

        Re: It only applies to women - apparently

        I hope the new curriculum reintroduces English grammar and literature in some depth.

        1. "Man" is the species as well as being used in some contexts to mean a human mail. cf. Dog and dog/bitch.

        2. On the same principle, "He" is sexless in the generic sense. "She" is not.

        3. Even the Oxford dictionary lists one usage of "they" as the sexless pronoun that can be used when the gender is not known or is irrelevant.

        4. "One" is another neutral term, with the added advantage of putting a disinterested distance between the writer or speaker and the subject matter.

        I suppose men should complain that their gender is not treated with the respect accorded by a unique indicator.

        Pet hates:

        Chair or chairperson, showing ignorance and disrespect in one go (can you not see if the person is male or female?).

        Unmarried woman using, "Ms", that stood for "manuscript" at one time and is unpronounceable and unnecessary. After all, the convention has long been that, if one does not know, call her "Miss" (I think the very old convention of changing that to "Mrs" for more mature women is gone); married women sometimes kept their maiden name, using "Miss", particularly at work for professional women and actresses (I know a couple who do that for continuity with their pre-married work references and to distance work from private life).

        The obsession with sex in all aspects of life, leading to this nonsense of concentrating on one's gender rather than one's abilities and deeds, interpreting all interactions as a competition between the sexes and corrupting language and communication for the narrow concerns of a few who seem to need props.

        1. Ottman001
          Trollface

          Re: It only applies to women - apparently

          "mean a human mail."

          You mean letters and so forth but excluding that sent out by automated systems?

  4. austerusz

    At my company, we ignore those warnings on a daily basis.

    Why? Because we do some development and some of our webservers use a basic shared SSL certificate which is proper for just one URL out of 132 people use. So for the rest, people need to ignore those warnings.

    Same goes for one of my personal sites which is on a shared hosting account with shared SSL. Every now and then people need to ignore SSL warnings. There are plenty of reasons to ignore SSL certificate warnings unfortunately.

    1. dogged

      Agreed. My current workplace does the same thing with test sites. The CSS guys routinely blow through security warnings because that's their job.

    2. robmobz
      Thumb Up

      If you are using ESXi with the default settings then you would need to do this each time you visited the page since that has an untrusted SSL cert.

    3. Anonymous Coward
      Facepalm

      No, your certificate master is an idiot

      all that needs to be done is for them to generate a wildcard certificate, or, if your network is more than a single namespace, then a wildcard certificate per namespace.

      1. Steven Raith
        Thumb Up

        Re: No, your certificate master is an idiot

        Theodore - I set up a lot of test environments and these warnings tick me off.

        I'll have a look at wildcard certs later today (I assume this isn't the same as self-signed certs, as these are what give the warnings) and see if it can help prevent my stabbing hand itch when I'm doing testing.

        Ta for that :)

        Steven R

        1. El Andy

          Re: No, your certificate master is an idiot

          If you're using self signed certs internally (which is a perfectly reasonable use of them) then whoever is in charge of your network ought to push them out to users via some out-of-band mechanism. It's not hard to do and it's much better than training users of your corporate network to ignore potential security warnings.

      2. austerusz
        Stop

        Re: No, your certificate master is an idiot

        "all that needs to be done is for them to generate a wildcard certificate, or, if your network is more than a single namespace, then a wildcard certificate per namespace."

        - sure, that's the normal approach. But the guys here are cheap. The host administrator's protocol doesn't include using wildcards because as they charge a couple of euros per certificate, generating a wildcard certificate isn't really bringing them any profit.

        - internally, wildcards are used, but the problem is that in order to comply, we would need to use the form "*.TLD" which is not accepted (still generates warning).

        To better understand what I mean, internally we use the form <user>.<language subdomain, 12 variations>.<site name, 132 variations>.<domain, 14 variations>.<environment, 6 variations>.

        Even the combination *.domain.environment means 6*14 options, but it doesn't work. The lowest that seems to not generate warnings is *.site.domain.environment. It's much less of a headache to ignore the warnings.

        Also, one of the environments is actually an external server that has an internal alias. It already has valid SSL for all sites, but as we usually use the internal aliases (because in that case we can force the site to use an internal CDN for static resources) so not even wildcards help in this case.

        Let the warnings ignore rain down.
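
Added example, not part of the thread: the wildcard discussion above turns on how a client matches `*` in a certificate name. This sketch assumes RFC 6125 matching as browsers apply it (`*` must be the whole leftmost label and stands for exactly one label) and uses constructed host names in the five-level scheme described; the three-label minimum is a simplification standing in for a real public-suffix check.

```python
from math import prod


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname.

    Assumed rules (RFC 6125 section 6.4.3, strict browser reading):
      - '*' is only honoured as the complete leftmost label
      - '*' covers exactly one label, never zero and never several
      - '*.tld' style names are refused (simplified: need >= 3 labels)
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in p or "" in h or len(p) != len(h):
        return False
    if any("*" in label for label in p[1:]):
        return False          # wildcard anywhere but the leftmost label
    if p[0] == "*":
        if len(p) < 3:
            return False      # stands in for the public-suffix refusal
        return p[1:] == h[1:]
    if "*" in p[0]:
        return False          # partial-label wildcards such as 'a*' refused
    return p == h


def uncovered_hosts(cert_names, hosts):
    """Hosts that would still raise a name-mismatch warning."""
    return [h for h in hosts
            if not any(wildcard_matches(n, h) for n in cert_names)]


def wildcard_names_needed(level_sizes):
    """Distinct '*.<rest>' names needed when only the leftmost label is free.

    level_sizes lists how many values each remaining label can take.
    """
    return prod(level_sizes)


# Constructed names: <user>.<language>.<site>.<domain>.<environment>
SAMPLE_HOSTS = [
    "alice.en.shop.corp.staging",
    "bob.de.shop.corp.staging",
    "en.shop.corp.staging",
]

if __name__ == "__main__":
    for names in (["*.corp.staging"],
                  ["*.shop.corp.staging"],
                  ["*.en.shop.corp.staging", "*.de.shop.corp.staging"]):
        print(names, "-> still warns for:", uncovered_hosts(names, SAMPLE_HOSTS))
    # 12 languages x 132 sites x 14 domains x 6 environments (figures from the post)
    print("wildcard names for full coverage:",
          wildcard_names_needed([12, 132, 14, 6]))
```

Under these rules each wildcard name covers one level only, so covering every per-user host in such a scheme takes one name per language/site/domain/environment combination; an internal CA whose root is distributed to clients can issue those names without per-certificate cost.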

    4. John M. Drescher

      Now if this is what they are tracking.. I have to enter a site with a self signed certificate at least 1 time per week for what 15 years now? As a programmer (besides the ones I have generated on my own) I click through the warning a lot in forums, wikis, blogs and source code download sites for individual open source projects.

    5. Franklin
      Holmes

      I routinely track down malware and phishing sites (bit of a hobby, I like figuring out what the crims are up to and how they're doing it), and I generally use Chrome in a VM to do it. So I always ignore Chrome's malware/phishing warning page...not that it matters, since that warning always seems a bit behind the curve anyway.

      I had no idea I was cooking the statistics by doing that.

      1. virhunter

        tracking down malware and phishing sites

        That probably explains the high numbers for Linux users going to these sites. I was probably among the 18.2% going to a malware site, and I wonder how many others of that 18.2 are doing it deliberately.

  5. alain williams Silver badge

    How did Google get this data ?

    How many people are aware that their decisions like this are reported back to google ?

    This is a privacy scandal.

    1. robmobz

      Re: How did Google get this data ?

      There is an option to report back at install time. It is not hidden and is right below the set as default option.

      1. Anonymous Coward
        Anonymous Coward

        Re: How did Google get this data ?

        There is an option to report back at install time. It is not hidden and is right below the set as default option.

        Hmm. I hope that data is anonymised, otherwise such an option must be OFF by default and must explicitly (i.e. separately) ask for permission to comply with EU Data Protection laws.

    2. Anonymous Coward
      Anonymous Coward

      Re: How did Google get this data ?

      You're using Google Chrome FFS.

      If you are worried about privacy, use SW Iron (or TOR browser) and not something from the world's largest advertising agency.

    3. Jon 37
      Boffin

      Re: How did Google get this data ?

      When you download Chrome, there is a tickbox option to "Help make Google Chrome better by automatically sending usage statistics and crash reports to Google.". There's a "learn more" link that goes to https://support.google.com/chrome/answer/96817?hl=en This option is ticked by default, but you can untick it if you want.

      Information about whether the warning page is used or skipped counts as part of that "usage statistics".

      More generally, in order to figure out how to improve a computer program, you need to know how it's used. E.g. if 1% of customers use feature A, and 80% of customers use feature B, then perhaps you should spend more development effort on feature B since improvements there will benefit more people. In ye olde days most companies would just guess what users would do, although some companies ran usability tests where they'd get maybe 10 people to use the software in a controlled lab setting with artificial tasks. Nowadays, it's trivial to measure what the actual users are really doing, which gives you solid data to use to improve your product. That's why Google collects this telemetry.

    4. Anonymous Coward
      Thumb Up

      Re: How did Google get this data ?

      @ alain williams

      Actually it's not a privacy scandal, but it does show that many people similarly ignore the "send google info" checkbox that isn't hidden during installation. Presumably a similar percentage to those who routinely ignore safety warnings et al.

  6. adnim
    Facepalm

    Is this surprising?

    If the user was concerned about security/privacy, they would not be using Chrome in the first place.

  7. Anonymous Coward
    Anonymous Coward

    Ask yourself this.....

    how did these users get Chrome?

    a) Went and looked for it, checked out reviews, read its privacy policy and then actively chose it

    or

    b) clicked on a big icon saying install Chrome or blindly clicked next, next, next when installing "free" software

    .

    And there folks, is your answer why so many ignored the warnings.

    1. jason 7

      Re: Ask yourself this.....

      Nah, probably through Adobe installs and hundreds of other crapware downloads.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ask yourself this.....

        @ Jason

        that would be b) then?

        1. Rukario

          Re: Ask yourself this.....

          > that would be b) then?

          If the question is "What ark do these numpties belong on?" then that is the correct answer.

    2. Anonymous Coward
      Anonymous Coward

      Re: Ask yourself this.....

      This. I think the next time someone hands me a laptop with > 4 IE toolbars and a myriad of fake virus/optimisation/fault-finding scanners I am going to insert it into them.

  8. Jess

    Perhaps they should have a proceed with javascript disabled button

    Perhaps they should have a big proceed with javascript and plugins disabled button. (And a tiny f*ck it, please pwn my computer button)

    1. Old Handle

      Re: Perhaps they should have a proceed with javascript disabled button

      That's a pretty good idea. It could cover other security risks besides JS too. The only problem that immediately occurs to me is that to do much good it would have to automatically extend whatever restrictions it put in place to other sites linked to from there as well, which could possibly become confusing. Maybe it could open in a new window with some kind of visual cue that everything in there is being treated as suspect.

  9. Anonymous Coward
    Anonymous Coward

    In other news....

    Dolly Parton sleeps on back.

    1. adnim
      Joke

      Re: In other news....

      I heard someone once say that she slept on her face.

  10. Turtle

    Here kitty kitty kitty! Here kitty kitty! That's a good little kitty!

    "Do you: (a) Click on “Proceed anyway” because you really want to see the pussy picture someone Tweeted to you; (b) Click “Back to safety” because it's not worth having crims empty your bank account for a peek at one cute pussy."

    1) When we substitute one euphemism for another, we begin to better understand the situation, which is that:

    2) according to empirically verified data, yes, it is "worth having crims empty your bank account for a peek at one cute pussy."

    This should help resolve the question of gendered pronouns, as discussed earlier in the thread. But, for inclusivity's sake, maybe not...

  11. Tomato42

    Warning fatigue

    I'm quite sure it's caused by warning fatigue. Seriously, who got a certificate warning because of active Man in the Middle? Because that's the only thing that a non-self-signed certificate protects you against: active man in the middle. Stuff even PRISM didn't attempt.

    We really should opt for SSL everywhere (as in browser tries :443 first), and if the connection is secure, then it shows a padlock/golden address bar/cute pussy.

    I need to know if the connection I'm using is secure only if I entered some data on it, not when I just want to read the page!

  12. John Lilburne

    Not surprising

    Most people have Chrome on their computer, not by choice, but because some other software's update system has installed it for them.

    Chrome users are self selected as being most liable to have unwanted software installed on their system.

  13. Moosh

    We ignore warnings because 99% of the time they pop up out of the blue on sites we visit every single day or when we visit torrent sites.

  14. weevil

    Anybody consider a large chunk of these will be from IT folks navigating their internal firewalls or somesuch?

  15. Anonymous Coward
    Anonymous Coward

    This isn't tech news per se...

    ...and I don't mean that disrespectfully to the author or El Reg.

    The sort of person that continues at a warning page like this on the open internet, is the same sort of person that falls for scams out there in meat-space. They forward chain letters, make no effort to lock doors, get taken in by frauds, spam their social networking site with chain status updates, forward virus 'warnings' en masse...

    We all know this. Most of us have been cleaning their computers up for years. Hell, most of 'em just panic and comply with absolutely anything the computer 'tells' them to do.

    Google could change that safety page to a line of drag can-can dancers, and it would make no difference - problem is in the chair, not in the web browser.

  16. FordPrefect

    It depends on the context

    I don't normally get warnings about malware or phishing sites; if I do, I ignore them. I often get warnings about self-signed SSL certs or mismatched SSL certs and I consider each one. If I am logging into the admin console of a customer device I know that it's nothing to worry about generally as I trust the management network involved and know the certs are supposed to be self-signed. Again when browsing the web if for example my bank site or facebook presented an SSL certificate error I'd run away! It's not the fact I'm ignoring the warning, I'm considering should this site be using a self-signed certificate? Do I need to login to do anything on the site? Are those login credentials likely to cause me a loss (bank or online purchases) or embarrassment (if someone gets my facebook login details and posts malware or spam as me). Sometimes the user knows best!

  17. FordPrefect

    I don't normally get warnings about malware or phishing sites; if I do, I wouldn't ignore them and wouldn't continue onto the site in question unless I was just being nosy and was sure I wouldn't be infected myself. I often get warnings about self-signed SSL certs or mismatched SSL certs and I consider each one. If I am logging into the admin console of a customer device I know that it's nothing to worry about generally as I trust the management network involved and know the certs are supposed to be self-signed. Again when browsing the web if for example my bank site or facebook presented an SSL certificate error I'd run away! It's not the fact I'm ignoring the warning, I'm considering should this site be using a self-signed certificate? Do I need to login to do anything on the site? Are those login credentials likely to cause me a loss (bank or online purchases) or embarrassment (if someone gets my facebook login details and posts malware or spam as me). Sometimes the user knows best!

  18. Justin Case

    Do it to see what's there

    As a "Pro" I have to ignore the warnings and visit the site to see what's been done and how it has been done. I'll be using Linux, naturally.

    1. Anonymous Coward
      Anonymous Coward

      Re: Do it to see what's there

      Lol Linux

    2. Rukario
      FAIL

      Re: Do it to see what's there

      @Justin: Indeed. Notice that the browser/OS combinations with the largest proportion of clickthroughs tend to be the ones most used by sysadmins, especially when using a Linux machine to investigate pages that users have received warning messages about. I've had Trend Micro tagged by Google as a malware site. The more this keeps up, the greater the chances of users going on to a real malware or phishing site, because of the number of false positives.

  19. Anonymous Coward
    Anonymous Coward

    That's bloody rich! Google Chrome = malware

    ......when distributed as an unwanted, totally irrelevant and completely unnecessary piece of parasiteware, with Foxit PDF reader, with the "Please install software that's so crap we had to distribute it like malware" selection box neatly pre-ticked.

  20. TeeCee Gold badge

    Well, colour me surprised!

    Let's have a look at why people use Chrome:

    "Well its safe innit? Evverywun on teh internets sez use Chrome not IE cos Chrome's rilly safe and cant be pwned. Must be rite cos it sez so on teh internets.".

    They then ignore the warnings because they're sure that Chrome will prevent anything nasty happening anyway.

    It does not matter what you use. The largest security loophole on any combination of machine and software is the idiot sat in the chair using it. Telling people that such and such software is somehow inherently safer is counterproductive and just leads them into a false sense of security.

  21. Parax

    Phising Hazard

    Once you know it's a scam what's the harm in learning how it intended to scam you?

    How is "click through curiosity once alerted" accounted for?

    Obviously same does not apply to security vuln's.

    1. Parax

      Re: Phising Hazard

      *[Phishing]

      Oh for an edit.

  22. Harry

    The study's authors ... are not sure why Chrome users are so blasé.

    My guess:

    1) People who have firefox usually installed it because they thought it was a better browser.

    2) People who have chrome probably installed it for no better reason than some other program came with a pre-ticked option to install chrome alongside the other program. Often, they are only using it because it installed itself as the default browser and they don't know how to change it.

    And so, by marketing chrome in this insidious manner, it's surely expected that it will have a greater proportion of less-intelligent users?

    Simple answer -- stop bundling chrome with irrelevant stuff and it will progressively gain users with greater intelligence, those who are using it through choice not through deceit.

  23. Azzy

    Maybe Chrome users click through more because they're aware of Chrome's reputation for security?

    Chrome has consistently done the best out of the mainstream browsers on security tests (ex pwnium, etc). Maybe the users are more likely to be like "So what if the site pushes out malware. I'm on chrome, the malware won't pwn me"?

    The thing is, when you pop up a malware or cert warning, with the only option being ignore or leave, you are asking people to stop the task they were trying to do - and the only way to move towards their goal is to ignore the warning entirely. They could improve the effectiveness of these warnings by giving us an alternative other than all or nothing...

    They should always give an option to proceed with JS and all plugins disabled.

    For cases where the warning is one of those "Site X contains content from Site Y which is known to distribute malware" - which are almost always caused by an ad network getting hacked and filled with malware - why is there no option to "Proceed, but block all content from site Y"?

  24. RonWheeler

    Some of the warnings are crap

    I quite often ignore their warnings. Why? Some of the warnings are crap. Not all, but some. What Google don't acknowledge is there are the collateral damage blocks from as using the www equivalent of spamhaus blocklists. So if people get away with it 'I understand the risks durpy durp durp durp' once....

    Do Google publish their false positive statistics?

  25. Anonymous Coward
    Anonymous Coward

    My Experience

    I click through that security warning two times a day every day on my phone. The guest wifi redirect at my place of employment has a bad security certificate. Every day I tap the proceed anyway button and log in. No malware.

    At home I've seen it from time to time and turned back.

    I'd wager a lot of the people using Chrome are smart enough to know when it is a valid or invalid warning, and many of them probably have strong enough security software that they're confident if their browser gets pwnd it won't hurt them anyway.

  26. Anonymous Coward
    Anonymous Coward

    Computer insecurity ..

    I don't care anymore, as everyone from the Council to the Binman has access to 'my` computer ..

    Extent of council spying revealed, Mar 2009

  27. Chris Beach

    Misleading Stats Again

    I sometimes do and sometimes don't ignore the warnings, I ignore them when going to my NAS drive site, because I know why Chrome isn't happy. And I ignore it other times as well, but I don't always ignore it.

    It all depends on what I clicked on, if I'm fairly sure it's just a miscategorisation then I'll proceed.

    And there's no stats that is going to tell Google that.

    For me to never ignore it, then they need to be damn (as in 100%) sure it's a harmful site which isn't doable, or have a 'I trust this site checkbox'.

    Then the stats might actually be saying what you say they're saying now!

  28. Robert Carnegie Silver badge

    Yes on the internal net, no in the outside world

    Any business up to Microsoft is liable to let its certificates and even domain name registrations expire. And as for providing up-to-date secure access for your own employees on the intranet, don't be silly. Even though paying your workers to click "Ignore" whenever the security warning appears also costs money, a second at a time.

    And even though this is just how they'd be informed if they were tricked into going to a resource that is -not- on the internal network.

    On the other hand, if I'm searching for something arbitrary, not specific, online, and the browser or the search engine says "That web page is dangerous", then I am fairly confident of finding a non-dangerous substitute page with a similar resource.

    Having said that, when I last looked - which is quite a while ago - the Linux-based SystemRescueCD, which I'm inclined to trust, produced a warning from Malwarebytes security software when visiting SRCD's web site, which seems to be because although it's probably clean, it was or is hosted in a bad neighbourhood on the internet: several IP addresses nearby were malware sites.

  29. Badvok

    I wonder how many of these 'click-through' events are people like me accessing their development/test secure sites they haven't bothered getting a proper certificate for yet.
