Google boffins PROVE security warnings don't ... LOOK! A funny cat! The revised SSL warning interface introduced in Chrome 37, designed to teach users more secure behaviours, was only a partial success – according to the Chrome security team's own analysis. Confusing security warnings serve only to make users more insecure and normalise risky behaviours, according to Google. To try and beat …
Flash and Java popup alerts are always a good indicator you're on a compromised WordPress website...
Not that your long removed and nonexistent Oracle Java is in need of upgrade.
Or not that your recently manually upgraded Adobe Flash player is defunct because you didn't want to wait till the automatic update kicked in and you finally gave in and installed Flash Block because you don't really trust that the latest upgrade actually did anything (aka January 2015 0-day fatigue)
The annoyance continues with all the other popups including the marginal security goofery mentioned.
I have numerous sites I interact with that I have to click passed warnings because it is internal, registered in a different name etc. Of course I'm careful about what I'm doing and I realize there is a risk associated with this practice,
Unfortunately for Google I would add to the numbers that bypass the 'back away' button and they might not know that I'm fully aware of what I'm doing.
At the end of the day, some of these things are similar to 'Caution hot drink is hot'. If the users (you have / want) are that ignorant the issue the technology needs to change to cater for them - which could may make it unusable an inefficient in the short term.
As mentioned a key reason for error message fatigue is the facts that often they are misleading, attempts at automated help often cause more problems or are simply wrong or obfuscated with web links to dead ends or gibberish (thank you Microsoft) and any app on the machine can make them.
I think something like channeling through the OS / embedded AV (to check legitimacy) might be an option if you wanted to properly re-think things.
Agreed.
My favorite yearly activity at work is clicking on "Ignore" for the SSL warning before completing the required IT Security Awareness Training in which they tell you you're never supposed to click on "Ignore" when you see the SSL warning.
I do it regularly for one specific case: when I need to use the change management site we use at work.
It's an internal site with a self-signed certificate, and a specific internal address.
If there were an intuitive way in Chrome to trust the self-signed certificate, I'd do that and be done with it.
As it currently stands, it's less work to ignore the warning.
Want to improve compliance, Google? Make it easier for your users to configure your software to work in their environment.
Want to improve compliance, Google? Make it easier for your users to configure your software to work in their environment.
My impression of most Google offerings purportedly targeting the business environment is that they are trying to undermine their competition by offering "free" services, not so much that they are trying to offer customers good quality. They have improved since I first had to deal with their products, but they still don't seem to get corporate environments.
My impression of most Google offerings purportedly targeting the business environment is that they are trying to undermine their competition by offering "free" services,
Free consumer grade services at that even if you're paying for it.
Every time you get used to something being useful in business, Google changes it to be more touchy-feely and social, often gutting the reasons you started using it in the first place. I've come to despise Google Apps.
Self-signed certificates should be warned something like this...
This is a private connection but the other party is unknown.
You should never see this message with banks, online shops, or email providers. If you are trying to connect to one of these, your connection has been compromised - go back now (link).
You often see this message with home router administration pages or Intranet sites.
Continue just this time (link).
Continue and don't warn me again about this connection (link).
See? Not that difficult.
Self-signed certificates should be warned something like this...
I would agree that your message is clear and correct.
However, I don't think you've worked much in support. A message like this is too long.
*ring* *ring* "Hello, I got an error message."
"What did it say"
"I don't know. Party something."
Nope, I'm really not sure what causes it, I've tried both Comodo Dragon and Mozilla Firefox without plugins.
I'm also not using any security software other than basic antivirus; this broken behaviour predates the antivirus installation so it's not that.
<blockquote> test </blockquote>
The Windows version of Chrome uses the OS certificate store rather than maintaining its own (like Firefox), which makes it hard to handle accepting self-signed certs you're sure are legit directly from within the browser in a user friendly way. You have to import it via the Windows "Internet Options".
This is what Firefox says about that page...
Secure Connection Failed
An error occurred during a connection to msdn.microsoft.com. The OCSP response contains out-of-date information. (Error code: sec_error_ocsp_old_response)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
I saw this one today:
A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I think it means the website is using an old version of SSL, possibly SSLv3; maybe.
Those sort of error messages bug me, you KNOW what is wrong Mr Chrome but you give me a message with OR in it. Firefox was a little better with:
Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
And IE? Well IE 8 just worked fine with no error message at all.
This post has been deleted by its author
"You have just clicked on a Google AdWord-promoted site link which will happily charge you an 'administration fee' for an otherwise free UK Government or other service. But we don't care, because we got our cut. So go right ahead. It's fine. Honest. Look; we're Google, would we lie to you?"
I can get it higher. Try this:
"Your neighbour or that person over there at the next table could be looking at your screen right now. See that little padlock icon at the bottom that is red? That means you're broadcasting what you're doing right now."
Make it personal. It might not be completely accurate but mostly people are using Wi-Fi these days so it's good enough. But the real problem that leads to people ignoring the warnings is because they simply don't know what they can actually do about it. A warning saying "bad things might be happening" is just clutter if it doesn't tell you how to fix it. So person wants to visit site X. They get a warning. What next? Don't go to site X or make an uninformed choice about whether the risk is worthwhile and carry on. They don't know what the risks actually are, warnings are routine and people mostly think it wont happen to them, so they go to the site anyway.
There are only two ways to fix this. Either make your browser refuse to use a site where the certificates mismatch, no "ignore this" button. Or get things to the point where it is so rare that people actually are spooked by such a warning.
I don't think the second is happening any time soon, though the first would be a massive impetus to bring about the second. I actually would be in favour of the first if public certificates weren't such a money-making racket.
Either make your browser refuse to use a site where the certificates mismatch, no "ignore this" button
Oh, they did that. Don't ask me the specifics, but it was some sort of SSL/certificate problem, and Chrome flat out refused to show me the site, no overrides. The result? I found the command line argument that could be used to override this, and now use it by default - because what the IDIOTS devising these schemes don't understand is that 99% of the time IT DOESN'T MATTER if the entire living population of Earth is queuing up behind me to look over my shoulder - the ONLY thing that matters is that I want to see that page. NOW.
Now, if I were to be doing something truly sensitive or handle private data like payment / address information etc, THEN I would very much pay attention to something like this and probably turn back. But as long as all I'm trying to do is get to, say, wikipedia I - just - don't - care...!
HTTPS with a bad or self-signed certificate is better than HTTP - it's protected from passive sniffing - and certainly no worse.
So surely it makes no sense to give a scary warning for a HTTPS site with a bad certificate, but no warning at all for HTTP. How many people look at the letter 's' in the URL bar?
I suggest browsers should show:
- red (and no padlock) for both HTTP and HTTPS with bad cert
- a severe warning message which interrupts your workflow, if you try to POST a form containing any sort of text field, or use HTTP basic auth, over either HTTP or HTTPS with bad cert
The flaw in this argument is cookies. Some cookies contain an authentication token which could be used to impersonate you; but the majority are just tracking junk. So unfortunately, you can't just give a blanket warning for all cookies which are sent over an insecure channel.
“We attribute the low comprehension rates to the difficulty of creating an SSL warning that is simultaneously brief, non-technical, simple, and specific"
What's the solution? Changing the wording of the warning clearly isn't sufficient. As long as the browser doesn't have sufficient information to distinguish a harmless forgotten renewal or incorrect local configuration from a genuine attack that problem will remain.
I believe we need new protocols and infrastructure that focus on the negative validation case. The client such as a browser needs more information to make an informed risk assessment. For example:
- has the certificate recently changed
- do I get the same certificate as other clients
- do other clients also have certificate failures or is it only me
- would it validate ok if the client had a missing root certificate
- contact the certificate issuer in case a client verification fails
Telling the average user to not proceed any time there is a certificate error is not realistic or practical. With such additional information however the client could distinguish between a low-risk configuration error and high-risk targeted attack and hence make clear recommendations that can sensibly be followed.
I totally ignore SSL warnings for some sites. Example: I don't care if 4chan connection is secure, wether cat photos leak to third parties or not makes no difference to me. And, if I was posting something more sensitive and less legal than cat photos, SSL is still useless, as it's permanently broken and insecure.
Did their survey take into account these "User's level of safety isn't changed by the use or nonuse of a proper SSL connection"?
.
This is what I hate about these warnings. Against all logic, whoever designed them seems to think a self-signed certificate or an expired one is more dangerous than no certificate at all. Clearly that isn't true. In fact right now I'm about to submit a form over an unsecured connection, and Firefox won't say a thing.
Making everyone use SSL for everthing is pointless and will ensure that ordinary folks get more and more security warnings, which they will continue to ignore as it stops them getting where they want to go.
Who cares if someone snoops on me reading a "how to take funny cat pictures" article?
If Google want to improve security, they want to start by collectling less information on their "products".
Leaving out the whole issue of user non-compliance because we've all been conditioned to either block or instantly close any pop-ups that come our way, could someone insert a seemingly-concerned popup that says "Your session is not safe--click here!" and then it hijacks the user and takes them to a compromised site, or installs some malware?
No surprise to me that this is where we are, but it seems that the real problem is that we need smarter users and dumber criminals.
Since we have yet to find a way of accomplishing that, I am going to do the next best thing and drink on it.
the answer is to use cat photos, Scary pussy when you should not go there( maybe with a dog in it)
happy pussy when all is good , timmid pussy when you need to be carefull,
Google has lots of photos of cats it could use without incuring copy right(ha ha)
could even have constantly changing photos so you were never sure what was going on( so M$ users feel at home)
good for ages 3 - IT manager
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
