Admins warned: Drill SSL knowledge into your Chrome users

What's It Mean?

I'm fairly positive the average user doesn't have the slightest idea what those warnings mean. It's just an extra window that appears before they can get to their content. The average user has no knowledge of security certificates or even what they mean, or even that they even exist.

Useless certificate system

Given the apparent ease with which you can get a certificate in the first place, the system seems to be pretty useless anyway. With all those certificate authorities out there how is an individual supposed to know which ones to trust? A list built in to your website browser is ok, but then you've only got their word for it.

Effectively all the system does at best is tell you that some outfit out there that your browser developer has heard off has some sort if vague knowledge of where to find some other guy (probably just an email address; like they're a strong identity...) whose website it is that you're visiting. Even then that doesn't mean that the website is actually trustworthy or unhacked, and these days is anyway likely to be attempting to gather as much data about you as possible for their own commercial gain. And then there's the sites that reuse the same tech but isn't part of the certificates system at all that you really do want to visit (eg your own router), and the sites that you do know about which have forgotten to renew their certificates, meaning you've got to bypass the system anyway with one or more mouse clicks.

The Internet does not have a good means of establishing identity. The technology is probably as good as we can make it, but the system is badly run by the meat bags that inhabit the system who are themselves out to make as much money as possible for the least amount of work.

Anyone got a better idea?

A fairly common example

User gets an 'untrusted certificate' warning, and as Techy happens to be within sight, asks 'What does this mean?'

Techy: It either means that your employer is not properly maintaining their website or that this is not your employer's payroll website at all. Instead it is a copy controlled by criminals. If you log in, you will give you user name and password to the criminals, which makes you in breach of contract with your employer. The criminals will be able to divert your pay cheques to accounts they control. They will also be able to enter false time sheets, and when these are discovered, you can be charged with fraud. You should close this browser and contact your employer's payroll and IT departments as soon as possible. Tell them you saw an untrusted certificate warning when you tried to access their payroll web site.

Which is worse:

1) The user clicked through the warning and logged in.

2) No-one at the company who understood what 'untrusted certificate' means had the authority to fix it.

Self Signed is fine for internal stuff just install the right things for the CA onto the clients.

That just paying someone for the certificate magically makes it any better is nonsense.

(External stuff obviously you cannot expect customers to do that).

But there again the way startssl does it could be used depending on the site.

Using a client side certificate as well as a login mechanism would be useful for certain things.

hmm

Firefox has really come a long way and is a very nice browser these days. Its just too bad they shit the bed so badly in their bloaty dog slow memory leaky unstable insecure Edsel like days of Firefox 2 to 3.5 or so. A lot of Chrome users won't be coming back unless Chrome goes so badly off the rails as well.

Chrome...

... would be the browser that insists on its sandbox process running as root on linux. And people actually use it?? Wonders never cease.

This study is kinda useless in my opinion. It basically boils down to Firefox having an unfriendly UI for certificate issues and people using it less as a result. It doesn't say anything about which browser's users were better able to correctly discriminate between certificate problems that can safely be ignored and those which should not be.

I donno about Chrome, but Firefox could hardy be worse on that score, since it make you do several clicks to even read details about the problem.

NOT a fan lock forcing security

Work networks are different, at least as long as espionage in general and "Intellectual Property" are concerns - they are no concern of mine though.

I connect one box alone to do banking and that's all it does.

Other than that, I hate security - I can evict the unwanted on my own, have no secrets, and value convenience highly, and privacy not at all.

Many things are slowed down or sometimes obstructed entirely by dumb-ass security.

Chrome is a terrible browser unless media consumption is the objective, which for me it is not, unless it is printed text.

Wish we had meaningful statistics

Most of my "untrusted site" warnings are clearly administrative errors: certificate is for the wrong sub-domain, certificate is expired, certificate depends on a government root I don't have, etc. How many of these click-throughs the author is warning about are actually MITM attacks? Sure, those errors could be cleverly disguised as MITM attacks, but odds are way against it. Administrative incompetence is far more widespread than sophisticated adversaries, in my experience.

If I were serious about stopping MITM attacks, I'd fix my browser to say "DANGER DANGER DANGER" whenever a site's cert turns up signed by a different CA than the same site had last time.

That's because most web devs use Chrome, they regularly have Fiddler/Charles/other proxies and dodgy certificates in the way and CHROME WONT LET YOU WHITELIST INTERNAL DEV SITES.