Something I take for granted working in the “IT industry” is the many different security dialogs and graphics I encounter. I am generally wise enough to interpret the security graphics and input choices put before me and make a well-reasoned decision about the consequences of taking a particular action. I know enough about SSL and how the major web browsers implement it that I can tell when something is wrong with the SSL on a site. However, I am not a typical computer user. I sat down and thought about the sheer quantity, type and variety of security dialogs out there. Many times a user is one security dialog or missed visual cue away from a security disaster. So, I started collecting images of the various ways software indicates to me that some significant security setting is set or a security event just occurred. What I saw, when comparing the various images, was quite interesting.
Whenever I want to know if something is too technical or tricky for the common user, I think to myself, “would my mom understand this?”. With that thought in mind, I am going to present some address bar images from three popular web browsers. Look at these images carefully and ponder them for a moment before continuing.
There are some very interesting things happening here. In my opinion the complete lack of consistency is the first, huge problem. Every browser looks different in some significant way. For EV certificates, Firefox has a green bubble. Internet Explorer makes the entire address bar green. Google Chrome makes the text for the company name green. Chrome and Firefox show the company name. Internet Explorer does not show the company name. Why even bother with an EV certificate when the average user will have no clue? What value is this really adding? What are the odds a user will click through and explore the details of the certificate?
Next up we have standard SSL. Two browsers incorporate a lock icon (Internet Explorer and Chrome). Firefox uses a blue bubble? Why blue? Should I trust the blue bubbles? What does that “s” in https mean? What happens if a user forgets to type it? Is this all documented somewhere within easy reach of a user, or is the average user left to their own devices?
For a final comparison we also have a few HTTP addresses. Notice that we use the lock as a favicon. Will the average user really be able to distinguish that these are not secure sites? Some of my family members don’t even use the URI bar (in fact, it’s turned off). In their mind the way you get to Yahoo is by first googling for yahoo.com, then clicking the first link. Forgive me if some of these questions sound hopelessly naive; in my estimation, they are completely fair from the perspective of most browser users.
Next up we have some dialogs and graphics from the iPhone:
The thing that is striking to me is that this dialog is all that separates a user from being man-in-the-middled. There is no wording or verbiage to even indicate this is a security dialog. This dialog presumes the user knows what a “website certificate” is and the implications of said certificate being invalid. I am guessing most users will click right on through. And for comparison, the small lock in the upper left corner is the only indication (other than the s in https) that the user is “secured”.
Superb. A tiny grey-ish lock. Yet another different way the user is notified that the site is “secure” or not. One tiny graphic. Finally, the browser on the BlackBerry gives absolutely no visual cues regarding the SSL status of the site. See the following screenshots for an example:
Where is the lock? How will I know the site is secure if I don’t have a lock, a golden address bar, a green address bar, the company’s name in green, a blue or green bubble, an s in the address, or some other indicator that everything is OK? What is a user to do?
Away from the topic of browsers and their differing presentation of SSL security dialogs there are application permission dialogs. The following screenshots are from the BlackBerry OS (5.x).
Here the user is being asked to grant an application “Trusted Application” status. What is “Trusted Application” status? To BlackBerry’s credit, it is one of the few dialogs that offers “Help”, which further explains just what you will be granting this application. This is actually quite critical, as most dialogs or security visuals don’t give the user any way to easily learn more.
Next we see another permission dialog from BlackBerry. This time it is trying to access “phone information”. You are not told what information until you click “Deny” as shown below. How can we expect users to make rational choices if they are not given the opportunity to discover what exactly they are allowing or denying?
Next is the standard Windows UAC dialog:
Uh oh, an “unknown publisher”. Will the average user know that if the publisher is unknown, that means the executable has not been digitally signed using a code signing key? Will they know they are missing out on the opportunity to validate that the binary has been signed with a certificate verified by a trusted third party, which lets them know everything is alright? One final image, and one of the pieces of research from a previous blog post:
My conclusion, and the point I am hoping to drive home, is that application developers all have a responsibility to make sure a user can understand the implications of what they are clicking through. My goal is not to make any particular piece of software look bad. It is great that these dialogs and opportunities for security interaction exist at all. What is not so great is that users are often not informed enough about what these decisions represent, so they are ignored or clicked through to keep everything working. Strong messages and a way for the user to learn more about what is at stake are key. Command line SSH clients often have a very blunt approach:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
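To show what that blunt SSH warning is actually reacting to, here is an added example (not part of the original post, and not OpenSSH's code) that reproduces the known_hosts decision: the same host presenting the same key is silent, an unseen host gets a fingerprint to verify, and a previously seen host presenting a different key gets the warning above. The host names, key bytes and known_hosts line are constructed sample data; the fingerprint format follows OpenSSH's SHA256 style.

```python
import base64
import hashlib


def ssh_wire_blob(key_type: bytes, raw_key: bytes) -> bytes:
    """SSH public-key blob: each field is a 4-byte big-endian length plus bytes."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in (key_type, raw_key))

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Classify a presented key as KNOWN, NEW or CHANGED against known_hosts text.

    Handles plain lines only ('host1,host2 type base64 [comment]'); hashed '|1|'
    entries and '@' marker lines are skipped to keep the example short.
    """
    seen_other_key = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith(("|", "@", "#")):
            continue
        if host in parts[0].split(",") and parts[1] == key_type:
            if parts[2] == key_b64:
                return "KNOWN"        # same key as last time: ssh stays silent
            seen_other_key = True     # same host and key type, different key
    return "CHANGED" if seen_other_key else "NEW"

def describe(status: str, blob: bytes) -> str:
    """The message a user sees for each outcome, with the fingerprint to verify."""
    fp = fingerprint(blob)
    if status == "KNOWN":
        return f"host key matches known_hosts ({fp})"
    if status == "NEW":
        return f"authenticity can't be established; fingerprint {fp}, verify out of band"
    return f"WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! presented {fp}"

# Constructed sample data: two 32-byte stand-ins for Ed25519 public keys, no real hosts.
ORIGINAL_KEY = ssh_wire_blob(b"ssh-ed25519", bytes(range(32)))
IMPOSTOR_KEY = ssh_wire_blob(b"ssh-ed25519", bytes(range(32, 64)))
ORIGINAL_B64 = base64.b64encode(ORIGINAL_KEY).decode()
IMPOSTOR_B64 = base64.b64encode(IMPOSTOR_KEY).decode()
KNOWN_HOSTS = f"bastion.example.test,10.0.0.5 ssh-ed25519 {ORIGINAL_B64} ops laptop\n"

if __name__ == "__main__":
    for blob, b64 in ((ORIGINAL_KEY, ORIGINAL_B64), (IMPOSTOR_KEY, IMPOSTOR_B64)):
        status = check_host_key(KNOWN_HOSTS, "bastion.example.test", "ssh-ed25519", b64)
        print(describe(status, blob))
```

The point for dialog design is that the client distinguishes three situations and only shouts in the one that looks like tampering; the fingerprint is the piece a user can actually check.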
At the end of the day there is not an easy solution. Users are inclined to do whatever lets them accomplish the task at hand with a minimum of disruption. This means that helping them make the right security choice must also be minimally disruptive, and that can be a very hard task. It is something of a truism that usability often suffers for security features. It is “relatively” easy to design a secure system that is about as usable as a brick. It is much harder to design one that is easy to use and secure. Here’s to hoping the software industry and information security communities can continue to advance the state of the art.
Reference: From the Sour Grapes Department at Microsoft: Summary: “Yeah, we know people REALLY hated Vista UAC, so instead of fixing it, we’ll just have some research guys write a paper about it” Start with RSnake’s coverage: http://ha.ckers.org/blog/20100317/effectiveness-of-user-training-and-security-products-in-general/
UPDATE: Reader Clerkendweller pointed me over to his excellent blog article on the rainbow of colors in IE8 with tab grouping.