Security Certificate Warnings Don't Work

timothy posted about 5 years ago | from the for-the-same-reason-most-people-ignore-etruscan dept.

Security 432

angry tapir writes "In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users). The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web. They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites."

432 comments

Maybe Firefox will Chill Out now (0)

Anonymous Coward | about 5 years ago | (#28832577)

Those damned full-stop full-page security warnings about self-signed certs are really freaking annoying. Maybe this will be the impetus needed to have them revert to the older behavior.

Re:Maybe Firefox will Chill Out now (2, Insightful)

calmofthestorm (1344385) | about 5 years ago | (#28832865)

"Legitimate sites will not do this" == lie. Seriously guys, fucking grow up. The number of changes I have had to make to firefox in code (not about:config, code) to disable autocomplete prevention, self-signed certs, etc...it's getting frustrating.

Re:Maybe Firefox will Chill Out now (1)

Antidamage (1506489) | about 5 years ago | (#28832977)

Exactly. My bank can spring for a paid certificate, but everyone else is free to make them on the spot. I'd love it if there was a way to tone them right down. The "add an exception" mechanism in Firefox 3+ is really fucking annoying.

Re:Maybe Firefox will Chill Out now (1)

Brian Gordon (987471) | about 5 years ago | (#28833225)

I swear if I see another (read: the exact same) wallet.crypto.autocompleteoverride argument I will Foe every user posting in this story.

'People' don't understand computers (5, Interesting)

doishmere (1587181) | about 5 years ago | (#28832579)

This shouldn't come as a surprise, since most people still don't understand how viewing a website can affect their computer.

Re:'People' don't understand computers (4, Funny)

Goaway (82658) | about 5 years ago | (#28832621)

Yeah, it's kind of sad how regular people are expecting us programmers to have our shit together.

Re:'People' don't understand computers (3, Insightful)

Anonymous Coward | about 5 years ago | (#28832635)

But more importantly your average user doesn't have a clue what a security certificate is, so why would they care if there's a warning about it?

Re:'People' don't understand computers (5, Funny)

TinBromide (921574) | about 5 years ago | (#28832715)

some day, in the far off future of October 1st, 1993, [wikipedia.org] 'people' will understand computers and all of this tomfoolery will cease to be a problem. The internet will revert to civilized discourse for the propagation of knowledge and ideas.

*Checks watch* Any day now...

Re:'People' don't understand computers (4, Insightful)

Mashiki (184564) | about 5 years ago | (#28832723)

I don't think it's a problem of not "understanding" computers. Rather that the language used in a lot of cases for the certificates is so verbose, that it confuses people. Remember that when you deal with the average member of the population you're dealing with someone who reads and writes somewhere between a grade 7-10 level. That means that their grasp of language is lower, their understanding is lower, and their frustration level is lower.

If you want to get through to people, you make warnings simpler. Make things simpler, people understand them better, and everyone is happy. Those of us who are in, or have been in, the IT field (or associated areas) have a grasp of the English language somewhere around grade 12 to early college, or higher. In other words, this stuff is way beyond what most people can understand.

After all, if you told someone on the street you spent an evening going through a kernel recompile for fun they'd look at you like you're an idiot with 3 heads. To them you are; to the rest of us, you're just another geek.

Re:'People' don't understand computers (5, Insightful)

forkazoo (138186) | about 5 years ago | (#28832955)

I don't think it's a problem of not "understanding" computers. Rather that the language used in a lot of cases for the certificates is so verbose, that it confuses people. Remember that when you deal with the average member of the population you're dealing with someone who reads and writes somewhere between a grade 7-10 level. That means that their grasp of language is lower, their understanding is lower, and their frustration level is lower.

This. Developers seem convinced that adding more explanation can result in a better educated user. In reality, it just guarantees that fewer people will have read the whole thing. Make informational text as short as possible, but no shorter. IMHO, that's one of the things Apple traditionally nails in their designs that Microsoft flubs. "Save your work?" is a vastly more useful message in a dialog box than something like, "you have clicked a button which is used to close this application. if you close this application without saving changes to your data, it will be lost. You might also want to keep working. Click yes to save your work, no to discard it, or click cancel to continue working."

With Certificate issues, Firefox makes me jump through so many hoops that all my focus is on getting through the hoops, rather than evaluating security. I've never understood how the 'get certificate' button is supposed to make me safer. It seems to just add more steps in an effort to force me to pay attention to the process, but IMO fails to actually provide a security benefit.

Re:'People' don't understand computers (4, Insightful)

causality (777677) | about 5 years ago | (#28833193)

Remember that when you deal with the average member of the population you're dealing with someone who reads and writes somewhere between a grade 7-10 level.

Then why don't we fix that and solve or prevent a whole host of other problems by doing so?

There's something seriously pathological about seeing this as a situation to be accommodated rather than a disease state to be remedied.

Re:'People' don't understand computers (-1, Offtopic)

henrymaquli (1559425) | about 5 years ago | (#28832903)

I appreciate the concern which is been rose. The things need to be sorted out because it's not about the individual but it can be with everyone. first people have to aware from harms then only they think for security. Maquli Real Estate [fastrealestate.net]

Mod -1 Spam (1)

TypoNAM (695420) | about 5 years ago | (#28832971)

The parent's comment doesn't make sense and it is clearly spam. Hopefully a mod will come along and mod it down to -1 Offtopic.

Re:'People' don't understand computers (1)

Dullstar (1581331) | about 5 years ago | (#28833107)

No OS is perfect, so this doesn't hold true all the time, but as far as effect on the computer, Mac OS X and Linux would lighten the effect.

Re:'People' don't understand computers (1, Interesting)

Hurricane78 (562437) | about 5 years ago | (#28833165)

And why don't they understand them. BECAUSE THEY CAN. Really. :)

People are all about efficiency. But if you are so "efficient" that you hurt yourself, it is called "laziness". (Although some people also call others lazy, when they do not follow *their* standards, which is pointless.)

Now why do they hurt themselves here?
Either because the risk is too small to be relevant (evolutionary and on the level that makes your brain learn it).
Or, what I think, because the failure, and the pain that results from it, are way too distinct from each other for people to learn it.

Think about, what would happen, if they would get stung by a bee, every time they would do such a stupid thing like ignore certificates. You could bet that they would learn it. Because really, and it took me long to learn and believe this, people are not stupid. (If they have to, they can do very impressive things in very short times. I witnessed a girl learn to do basic things in C in one week, because she really really really wanted that advantage in that game she was playing. And the next week she learned how to do collages in Photoshop. Mind you that she is just your average girl. No geek or anything.)

But what happens right now, when they do dumb things: First, nothing happens. Nothing at all. No flashing lights. No alarm. No fire. No pain. Even an infection with a trojan that their AV tool notices is no problem. A virus killing everything? Well, just ask your local geek to re-install Windows. The data was not that important anyway. (That's what I usually hear from them. Sometimes they backed it up a month ago and that is OK too. Often I have the feeling, that a read-only HDD and a USB stick would suffice for them.)

But even a MITM attack on their bank account, stealing all the money and everything. That's so rare. And if, they are completely unable to associate it with that one warning that they ignored. And how can you blame them for it? Would you remember what you did a week ago, that did probably not even enter your conscience? No.

So I propose this solution: Make the warning dialog contain one paragraph max. In big red letters. With a flashing alarm light and sound. Filling 3/4 of the screen. Saying in the shortest possible way, that they are going to get robbed, and could go to jail, if they do not exactly know what's going on now. Make the dialog un-closable for at least 30 seconds. And only give them the ability to move it away quicker, if you got proof that it's burned into their brains forever. If that is not possible, then never give them that ability, and only add a "I am a security expert" add-on that you have to manually install and jump through hoops that only people who know what they are doing can pass.
Optimally make it completely impossible to go to a site with security problems, except if you use that add-on. (But beware, that then people will let their "expert" friend install it, even if they do not know anything.)
But realistically, let the "i have no idea what to do" button be clickable at the very first second, and the "go to the site (i am a security expert)" one only after a minute of waiting.
Then when they click it, tell them that the site was very evil, dangerous, etc, and... pew... the browser saved them.... but it was very close.

Yes. You have to be that over the top. How else will you make it stick in their heads? It has to be associated with instant robbery and horrible things. Just like it is in the brains of us experts.

What do you think? Anything one could make better? Let's implement it? :)

Re:'People' don't understand computers (0, Troll)

DNS-and-BIND (461968) | about 5 years ago | (#28833205)

"Us experts"...bahaha...slashdot commenters...hahahahaha...oh, my sides are hurting, make it stop, make it stop!

And I love how you condescend to include the "average" girl in the elite ranks of "us". Novices should really stop getting so much disrespect dumped on them. "Us experts" BAHAHAHAH ow ow it's starting again...HAHAHAHAHAHAHHAHA

That's not really a surprise (1)

danomac (1032160) | about 5 years ago | (#28832585)

Given the users I've seen using systems where I work, the computer could say it'll format or shut itself down and users will ignore it and click whatever to make it go away. I've seen the shutdown one personally several times....

I would probably do the same thing (4, Insightful)

piojo (995934) | about 5 years ago | (#28832617)

I blame firefox's big scary error page that comes up every time a page uses a self-signed certificate. I've gotten so good at ignoring that, I probably wouldn't notice if a page said "the certificate doesn't match" instead of "the certificate is self-signed."

Mozilla isn't doing anybody any favors with their heightened paranoia.

Re:I would probably do the same thing (5, Insightful)

cas2000 (148703) | about 5 years ago | (#28832699)

mozilla didn't start this, their ancestor Netscape did. they're the ones who tried to bootstrap and cash-in on a PKI market by creating a bogus scarcity (browser recognised Certificate Authorities) on an infinite supply (Certificates), and deliberately blurred the distinction between encryption (which is all that many or even most sites need, and for which self-signed certs are good enough) and authentication (which very few sites need, banks and so on for which the ONLY real solution is certs signed by government agencies with responsibility for banks in each country, not some private company).

every mainstream browser since then has continued the trend.

Re:I would probably do the same thing (1)

tepples (727027) | about 5 years ago | (#28832737)

authentication (which very few sites need

When I log into $FORUM, how do I make sure that I am giving my password to $FORUM and not to someone who has intercepted my Internet connection?

banks and so on

Every time you shop online, you deal with banks.

Re:I would probably do the same thing (4, Informative)

oGMo (379) | about 5 years ago | (#28832815)

authentication (which very few sites need

When I log into $FORUM, how do I make sure that I am giving my password to $FORUM and not to someone who has intercepted my Internet connection?

You don't. Unless you call up $FORUM_OWNER at a verified number (not off the domain)---which means you first have to investigate and verify who the owner is---and get them to verify their certificate fingerprint. You do that every time you log in somewhere? I didn't think so.

The PKI "authorities" do no checking. Anyone with a few hundred bucks can get a "valid" cert, so if you're relying on that ...

banks and so on

Every time you shop online, you deal with banks.

No, you deal with merchants. Merchants deal with a chain of other people, who may or may not be banks. Credit card companies are not, but your card may be managed through one.

Re:I would probably do the same thing (1)

timmarhy (659436) | about 5 years ago | (#28832991)

you don't know, and no you don't deal with banks unless it's their online website, in which case the op is right.

Re:I would probably do the same thing (3, Insightful)

Burdell (228580) | about 5 years ago | (#28832807)

Encryption is useless if you don't know who is at the other end. SSL and TLS are designed to stop man-in-the-middle attacks, and you cannot do that without trusted authentication.

Re:I would probably do the same thing (4, Insightful)

NFN_NLN (633283) | about 5 years ago | (#28832847)

I work on a lab intranet. Almost every switch and ILOM uses an https GUI for management. I 100% don't care about man in the middle attacks, but I do care about the 4 clicks (now 2 with a little tweaking) that Firefox makes me jump through every time I open up a new console to do work. It's ridiculous and the 'chicken little' scenario just desensitizes users.

Re:I would probably do the same thing (2, Informative)

Anonymous Coward | about 5 years ago | (#28832927)

well if you managed it properly and installed the proper certificates and a proper root in your browser, you wouldn't have the certificate warning problem.

like you said - you work on a lab intranet. You're the one responsible for setting it up properly.

Re:I would probably do the same thing (3, Informative)

zippthorne (748122) | about 5 years ago | (#28832935)

You know you can import the certificates manually. And if you carry them by hand instead of over the network, it really is more secure than the CA solution. The only way you should have extra clicks every time is if you're changing the certificate frequently. Or the guy running the MITM attack on you is changing his certificate frequently...

Re:I would probably do the same thing (1)

piojo (995934) | about 5 years ago | (#28832897)

Encryption is useless if you don't know who is at the other end. SSL and TLS are designed to stop man-in-the-middle attacks, and you cannot do that without trusted authentication.

A self-signed certificate can reduce man-in-the-middle attacks. Here's how it works: I log on the first time from my home computer. Ideally, Firefox would prompt me once and I would choose "allow this certificate in the future" (without its current punitive user-interface). Because my home connection is mostly secure (Comcast isn't changing my data), I can subsequently log in from a coffee shop, I'll know that the certificate is legitimate, and I mostly trust the transaction.

Re:I would probably do the same thing (1)

RobNich (85522) | about 5 years ago | (#28833001)

A self-signed certificate can reduce man-in-the-middle attacks. Here's how it works: I log on the first time from my home computer. Ideally, Firefox would prompt me once and I would choose "allow this certificate in the future" (without its current punitive user-interface). Because my home connection is mostly secure (Comcast isn't changing my data), I can subsequently log in from a coffee shop, I'll know that the certificate is legitimate, and I mostly trust the transaction.

Unless the MITM is closer to the web server than you. Just because you think your home connection is trustworthy doesn't make it so, and just because you're using a different Internet connection doesn't mean that it doesn't go through most of the same routers.

Re:I would probably do the same thing (0)

Anonymous Coward | about 5 years ago | (#28833203)

Umm...I'm gonna fail at my civility here...

You're an idiot.

I can't speak for the parent--but I'm pretty sure there's no MITM on the crossover cable to the extra NIC I pull down the cert from. But you're right--just because I consider my length of cable trustworthy doesn't make it trustworthy--maybe my laptop or my home server is rooted and has something that can MITM them when I first open up that connection and say "trust it".

Wait--why don't they just read the data out of memory instead of decrypting it? Your example--it fails miserably. If your home network isn't secure, even a real certificate won't work.

Re:I would probably do the same thing (1)

davester666 (731373) | about 5 years ago | (#28832855)

For certificates, I don't think just using them to encrypt the connection is good enough.

You need to know that not only is the connection encrypted, but that it is connected to the right server. Not just for banks, but for anything you want to keep confidential, like connecting to gmail, buying on amazon, any other financial transaction.

Otherwise, man-in-the-middle attacks will suddenly become the attack-du-jour.

As to the crazy fees for so-called 'authenticated/confirmed/validated' ssl certificates...that's a much longer post...

Re:I would probably do the same thing (0)

Anonymous Coward | about 5 years ago | (#28832987)

I remember suggesting to the powers at Mozilla to create a 'community CA'. That is, a system that basically allows you (the user) to 'rate' a website's certificate. None of this 'Certificate Authority' crap would be needed.

A webmaster can go to 'Community CA's website and generate a cert (for whatever task, not just web) and the users of Firefox would then allow/block a website and their certificate if they misbehave.

All users understand rating systems. They don't understand subtleties in security warnings. All they want to know is 'is this good', or 'is this bad'. By using a rating system the user gets to decide easily for themselves (and quickly warn others).

PS: Of course there's quite a few logistics in su

Re:I would probably do the same thing (3, Insightful)

realmolo (574068) | about 5 years ago | (#28832727)

Uh, self-signed certificates shouldn't be trusted. Not on a public website.

On an intranet, they're acceptable, but you should be adding your own server as a CA on every client machine, so that people don't get the warning. Even then, hell, pay and get a certificate from one of the big CAs and be done with it. Saves hassle, and it's cheap.

That big scary page that Firefox shows you is EXACTLY what every browser should show you. Self-signed certificates are NOT OKAY for production/public use. Encryption is more or less worthless without proof-of-identity. Now, if you want to argue about how the big CAs don't require much in the way of proof anymore, I'll agree with you.

Re:I would probably do the same thing (1)

tepples (727027) | about 5 years ago | (#28832759)

Self-signed certificates are NOT OKAY for production/public use.

Then what is okay for production/public use on a non-commercial site?

Re:I would probably do the same thing (1)

piojo (995934) | about 5 years ago | (#28832919)

A self-signed certificate isn't a good reason to trust a site, but untrustworthy sites can get certificates, too. Trust is a complicated beast.

If a site doesn't require much security (no logins or commercial transactions), self-certification is great! It makes it more difficult for an ISP to inject ads, and other users on your network can't see what you're reading.

Re:I would probably do the same thing (1)

Kjella (173770) | about 5 years ago | (#28832931)

Uh, self-signed certificates shouldn't be trusted. Not on a public website. (...) That big scary page that Firefox shows you is EXACTLY what every browser should show you. Self-signed certificates are NOT OKAY for production/public use. Encryption is more or less worthless without proof-of-identity.

You can't do mass scale automated MITM. Someone would communicate the fingerprint using other channels or in an obfuscated form on the page. If you tried doing it selectively and turning it on and off, a known_hosts file like openssh has would warn just fine. It's not secure but it'd protect most of the information most of the time instead of being like an open book to anyone that can sniff the traffic. A letter is still pretty vulnerable to the "tearing open" attack, but it's still a step up from postcards even if it's several steps below being encoded with a one time pad.

Re:I would probably do the same thing (1, Insightful)

Anonymous Coward | about 5 years ago | (#28833017)

Trust and encryption are two different things. A self-signed cert is fine when all you need or want is some encryption.

Trust is a hard issue no matter what. Just because your browser happens to trust the CA that issued the cert doesn't mean jack. Do you trust every CA preloaded in your browser? It's really easy for anyone to get certs from most of them.

Re:I would probably do the same thing (1)

Zalbik (308903) | about 5 years ago | (#28833067)

Trust and encryption are two different things.

Please explain when you would want encryption but not trust?

You want to make sure that the data you are sending is encrypted, but you don't care who you are sending it to?!?!

That doesn't make any sense.

Put it another way (1)

Matthew Weigel (888) | about 5 years ago | (#28833117)

Why is there any unencrypted HTTP traffic going around? Encrypt everything, absolutely everything, traveling over the wire. Then, when it's important, you should also worry about whether the machine on the other end is who they say they are.

Re:I would probably do the same thing (1)

kabloom (755503) | about 5 years ago | (#28832799)

It would help if people didn't protect their email list archives behind self-signed SSL certificates. It's a waste of people's energy to force them through 3 clicks to allow access to a site when nobody cares if that site is secure or not. And it cuts down on the number of times real security is in order too.

Re:I would probably do the same thing (1)

lorenlal (164133) | about 5 years ago | (#28832989)

Would it be much easier for a browser maker to do the following?

If visiting a secure site with a cert from a non-trusted source, have the browser check to see if there's a good chance that the cert is self-signed. Have a warning pop up, or something that tells the user: "The site's certificate seems to be self-signed. If you want more information, click here."

It could be much less intrusive than the current "OMFG! NO TRUST-es! This site may be Tricksy!"

Note: I'm not a coder by trade. I prefer to use domain CAs for the intranet and am a strong advocate of having a good solid trusted cert for anything outside. I am a huge fan of not scaring my users (much).

Re:I would probably do the same thing (1)

timeOday (582209) | about 5 years ago | (#28832825)

At work we use email encryption, and more and more of the emails I get from govt employees are digitally signed, and I am constantly getting warnings from the encryption software and having to click through. I'm sure if everything at every company was configured correctly, and companies always renewed their certifications before the expiration dates, that the warnings would go away - but that's not the real world. So, count me among those who "know better" and ignore the warnings.

Re:I would probably do the same thing (1)

Deanalator (806515) | about 5 years ago | (#28832933)

I blame groups like slashdot and google that intentionally downgrade https connections, and get people used to the idea of logging in without ssl. If there weren't so many broken ass web deployments out there set up by people with zero understanding of https and security in general, then this would not even be an issue. Every browser would have proper https enforcement, and every web session would be secure.

Blaming the web browser for trying to educate users, and blaming the users for being dumb is a total cop out. Want to know how slashdot keeps getting owned? Because it is IMPOSSIBLE to log in securely. Seriously, an ssl cert is not that expensive. At least let those of us who care log in securely.

Re:I would probably do the same thing (1)

bky1701 (979071) | about 5 years ago | (#28833043)

So, would you like to pay for slashdot and [Random Website You Have Account On]'s cert? No? Then you're in no place to be complaining.

Self-signed could be an answer, not perfect but a step up from plain-text on sites where the owner already thinks they're spending too much for what the site is worth to them (most). Yet here we have browsers "educating" the users on how dangerous those are. Sort of like killing yourself because you found out you have a terminal illness and a few years to live.

No shit (5, Interesting)

QuantumG (50515) | about 5 years ago | (#28832623)

Do we really need a lab study to tell us this? Even the article admits that we've known for decades now that users will happily accept a broken cert. There was a case where the Mozilla people received a complaint from a security researcher saying their certificate checking was broken because he was connecting to a known trusted website and her certificate wasn't broken, so it must be Mozilla's fault - they concluded that it was man-in-the-middle attack and she later apologized. If a security researcher can't even tell, how are my parents supposed to?

How about this for a solution? Instead of a "Privacy Shield" you have a "Security Shield".. when you press the Security Shield button you enter Lock Down Mode and your web browser will refuse to display pages that are not retrieved via TLS. You could also enable some extra paranoia settings.. turn off plugins, Flash, etc. When you've finished your banking, or whatever, you press the Security Shield button again and now you can go back to Facebook.

Re:No shit (1)

Eskarel (565631) | about 5 years ago | (#28832733)

Or how about we come up with a technology which actually proves who the person on the other end is, as opposed to proving that someone has a credit card and we stop treating certs as proof of identity.

Re:No shit (3, Funny)

kabloom (755503) | about 5 years ago | (#28832813)

Challenge/response authentication using a credit card number and PIN as the encryption key. Let the bank issue the challenge, have the e-commerce site pass that right on to the browser. Let the browser do the encryption, and pass it all back to the bank via the site.

That's because security warnings are stupid. (5, Interesting)

Eskarel (565631) | about 5 years ago | (#28832625)

The only difference between a self signed certificate and one that is signed by a CA is that someone wrote a check for the CA signed cert. No CA does any verification that the person writing that check is who they say they are, has any rights to that domain, or anything else, they only check to see if they already have a signed certificate. I've personally bought Verisign certificates for other people, without any proof that I'm in any way authorized to do so, let alone proving who I actually am. They mean absolutely nothing.

The only kind of certificate warning is one which indicates that a certificate is not what it's supposed to be. However, since there's still no central way to check a certificate (even a signed one) the only way to do that is to compare it with what you had before, which means the only viable certificate warning is one indicating a certificate has changed.

When browsers panic over things that aren't worth panicking over (most folks will have encountered a perfectly legitimate self signed cert at some point in their time on the web), is it any wonder they just bypass the error?

Certs never guarantee who you're talking to, they only provide encrypted communication.

Re:That's because security warnings are stupid. (2, Insightful)

Twide (1142927) | about 5 years ago | (#28832657)

Certs never guarantee who you're talking to, they only provide encrypted communication.

Actually, certificates do guarantee that the person you are talking to is the same as the time the certificate was first issued.

But is this person the same as that person? (2, Interesting)

tepples (727027) | about 5 years ago | (#28832677)

Actually, certificates do guarantee that the person you are talking to is the same as the time the certificate was first issued.

So how do you know that the person to whom you are talking using a given URL is the same person to whom, say, a software reviewer was talking when he downloaded a given release?

Re:But is this person the same as that person? (1)

Twide (1142927) | about 5 years ago | (#28832691)

That's more to do with the way the Private/Public key Infrastructure is based.

Re:But is this person the same as that person? (1)

tepples (727027) | about 5 years ago | (#28832711)

That's more to do with the way the Private/Public key Infrastructure is based.

In other words, CA-signed certificates actually mean something: everyone can agree that "the operator of https://www.example.com" is one person.

Re:But is this person the same as that person? (2, Informative)

Eskarel (565631) | about 5 years ago | (#28832965)

Yes, but that's still more or less useless if you can't verify who that "one person" is.

Re:That's because security warnings are stupid. (2, Informative)

mrbcs (737902) | about 5 years ago | (#28832695)

I can also attest to this. When I signed up for my cert, I got an automated phone call to the phone number that I have registered with the certificate. They verified that I am who I said I was and that my domain was my domain.

I do agree with most of the posters here though, there's no reason that they can't change that ignorant warning to something a bit more user friendly. Users obviously don't care what it says.

Re:That's because security warnings are stupid. (1)

Chuck Chunder (21021) | about 5 years ago | (#28832757)

most folks will have encountered a perfectly legitimate self signed cert at some point in their time on the web

Do you seriously hold that to be true? I'd expect 0% would be a far closer approximation.

Re:That's because security warnings are stupid. (1)

Eskarel (565631) | about 5 years ago | (#28832981)

For the purposes of this post, "web" means anything they access through a browser. Self signed certs are not all that uncommon on internal company web systems, and users don't really know the difference.

Re:That's because security warnings are stupid. (1)

ls671 (1122017) | about 5 years ago | (#28832795)

> which means the only viable certificate warning is one indicating a certificate has changed

This kind of makes sense I guess, at least it is the default behavior for OpenSSH, it will accept any host public key when connecting to a host for the first time but it will warn you if that public key then changes to prevent a man in the middle attack.

If it's good for ssh I guess it could work too for web browsing. This way, a warning might have more success in preventing a man in the middle attack. By showing up too many warnings, users will tend to ignore them more I guess !;-))

Of course, people making money signing certs would oppose this idea I would assume...

Re:That's because security warnings are stupid. (1)

Chuck Chunder (21021) | about 5 years ago | (#28833013)

This kind of makes sense I guess, at least it is the default behavior for OpenSSH, it will accept any host public key when connecting to a host for the first time

OpenSSH doesn't just blindly accept any host key. It prompts you to confirm it with the sort of message that people are apparently decrying in Firefox. If it seems less scary it's merely because the sort of people who use SSH tend to understand it.

99% of people aren't capable of making an informed decision about a certificate's validity so CA signing is a reasonable way of getting security to those people.

If you want to use a self signed certificate then you better know that your audience is capable of understanding them. If they are then they won't have any problem with the Firefox dialogues. If they aren't capable then you are doing them a disservice by offering something that will confuse them and training them to click through something they don't understand.

Re:That's because security warnings are stupid. (1)

Eskarel (565631) | about 5 years ago | (#28833143)

It's not actually adequate, for SSH or for the secure web. If you want a secure connection you need to identify not only that your conversation isn't being listened to, but that you're talking to the person you think you are. Identity is an important part of real security.

The problem is that certificates don't ensure identity, and making a big fuss about them really serves no purpose. Verisign requires no proof of identity (beyond a valid credit card) let alone authority to act on behalf of any given entity. I've personally ordered a cert with a company credit card for someone else who wasn't even an employee of the company. The only form of security involved in the process was someone checking the credit card statement.

Making a fuss about security isn't a problem. The problem is making a fuss about a security feature which doesn't actually work. I could go and get a signed certificate for s1ashdot.org tomorrow if someone hasn't already, and if I scam linked someone to it, it would work perfectly well. If I had access to stolen credit card numbers there's nothing that would stop me doing that either. Browsers make a fuss about certificates, but certificates don't accomplish what the browsers claim they do. When people encounter legitimate self signed certs they ignore the warnings, and there's no real reason why they shouldn't.

Re:That's because security warnings are stupid. (1)

Cthefuture (665326) | about 5 years ago | (#28833057)

Certs never guarantee who you're talking to

That's not completely true. If you can verify and trust who signed the cert then that will guarantee who you're talking to. This could be a self-signed cert or anything really but you have to be able to know 100% that the cert you're trusting is the correct one (this would be establishing the initial trust). Once you trust it then if someone tries a MITM attack you will get a warning, a real warning that you should not ignore.

It's not hard. (1)

Hatta (162192) | about 5 years ago | (#28832629)

Ignore certificate warnings if you're not planning to give the site any important information (e.g. a password). Otherwise, don't.

SnooPING AS usual, I see (3, Interesting)

tepples (727027) | about 5 years ago | (#28832651)

Ignore certificate warnings if you're not planning to give the site any important information (e.g. a password). Otherwise, don't.

So you don't want to send passwords over an HTTPS connection with a self-signed certificate. I take it you don't want to send passwords over an HTTP connection either, as HTTP is even easier to snoop than self-signed HTTPS. Should everybody who runs a forum or a wiki pay $$$ per year for a CA-signed certificate?

Re:SnooPING AS usual, I see (2, Interesting)

FishWithAHammer (957772) | about 5 years ago | (#28832751)

Well, they could use OpenID or something.

Not that I do, because OpenID is a huge hassle to deal with, but you could.

Mac (2, Insightful)

tsa (15680) | about 5 years ago | (#28832637)

I am reasonably computer-savvy but I also don't understand these messages most of the time. I then use the 'I have a Mac, I am invincible' attitude, which is dangerous of course. But I just want to view that website!

Re:Mac (1)

CSMatt (1175471) | about 5 years ago | (#28832717)

The danger isn't so much that you will receive malware on your machine. The far more likely scenario is that someone is pretending to be that online retailer you browsed to, and tricks you into connecting to that person instead. He or she gets your credit card number and leaves you with the bill for that expensive boat or timeshare he or she buys with it. That kind of thing is not something that your browser or operating system alone can save you from.

Re:Mac (2, Funny)

Anonymous Coward | about 5 years ago | (#28832835)

I then use the 'I have a Mac, I am invincible' attitude, which is dangerous of course.

You should upgrade to the "I run Linux, I am invincible" attitude. 5% safer, 95% more smugness! (And some of it's actually justifiable. Disclosure: I run Linux and believe myself to be invincible.)

And the obligatory... [xkcd.com]

Re:Mac (1, Interesting)

Anonymous Coward | about 5 years ago | (#28832879)

Absolutely agree!!!! I post photos to Facebook from my Mac using Firefox 3. When I post these photos Firefox tells me that the certificate from Facebook is bad EVERY SINGLE STINKIN' TIME!!!!! So yes yes yes I ignore the messages. What else am I supposed to do?!?! I can't get Facebook to fix their certificates. Am I supposed to just never post photos because Facebook can't figure out their certs?

Re:Mac (1)

ls671 (1122017) | about 5 years ago | (#28833011)

If Facebook presents a valid cert to you for the domain you are connecting to, then you could look at who signed the certificate (which certificate was used to sign the certificate Facebook presents to you).

The certificate that was used to sign the Facebook certificate is called a CA (certificate authority) cert. Then, you could import that CA cert in Firefox or look for updates from Firefox regarding CA certs, many CA certs are already installed in the Firefox version you are running but maybe the CA cert used to sign the Facebook certificate isn't installed in your Firefox.

If it wouldn't pop up everywhere it shouldn't (3, Insightful)

guruevi (827432) | about 5 years ago | (#28832645)

The problem is that those things are just a nuisance for a lot of things. It just pops up randomly because a developer forgot to test the latest update or didn't install the new certificate on all the frontends. Then you have the 'intermediate' CA's where if the intermediate issuer isn't in the browser CA's or the browser doesn't support intermediates or wildcard certificates it gives you another warning. Or somebody let the certificate expire or didn't get it signed by a well-known CA (usually the less-professional sites that are self-signing). Then if your ISP isn't honest (which apparently 99% of them these days aren't) with their DNS and you go to https://wrongname.com/ [wrongname.com] it will give you the https version of their ad page on the other domain which of course gives a big warning.

I have seen warnings on important sites like Wells Fargo and Bank of America and there are permanent warnings on some other sites that I use frequently that are either self-signed or expired. I usually verify them and it's not my system that's been hijacked so I am ignoring them largely as well.

Re:If it wouldn't pop up everywhere it shouldn't (2, Informative)

Animats (122034) | about 5 years ago | (#28832817)

There's so much certificate misuse. A typical mistake is getting a cert for, say, "*.slashdot.org", and then serving it for "slashdot.org". That will cause a reject. Then there are U.S. Government certificate authorities, too many of them. Try, for example, USMC Doctrine Division [usmc.mil] . The CA is "DOD CA-13". DoD alone has root CAs "CA-5", through "CA-18", and not all browsers know all of them.

This is a headache for SiteTruth [sitetruth.com] , which uses certificates as an indication of web site validity and a source of business names and addresses. Only certs that are valid, using the Firefox cert file as authority, are accepted. There are more rejects than there should be.
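The wildcard mismatch described in the comment above, as an added example that is not part of the comment or of any browser's code: a name matcher showing why a certificate for "*.slashdot.org" does not cover "slashdot.org", and a pre-deployment check that lists the hosts a certificate would leave uncovered. The function names are hypothetical, the name lists are constructed, and the matcher makes one simplifying choice: `*` is accepted only as the entire left-most label.

```python
def hostname_matches(pattern, hostname):
    """Match one certificate DNS name against the requested hostname.

    Simplification chosen for this example: '*' is honoured only as the whole
    left-most label, and it stands for exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never adds or removes labels, so the counts must agree.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    # No wildcard anywhere except the left-most label.
    if any("*" in label for label in p_labels[1:]):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad patterns such as "*.org".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False          # partial wildcards like "f*.example.org"
    return p_labels == h_labels


def uncovered_hosts(cert_dns_names, served_hosts):
    """Return the served hostnames that no name in the certificate matches.

    Each returned host is one where visitors would get a name-mismatch warning.
    """
    return [
        host for host in served_hosts
        if not any(hostname_matches(name, host) for name in cert_dns_names)
    ]


if __name__ == "__main__":
    # Constructed deployment: one wildcard certificate, three served names.
    served = ["slashdot.org", "www.slashdot.org", "it.slashdot.org"]
    print(uncovered_hosts(["*.slashdot.org"], served))
    # Listing the bare domain alongside the wildcard closes the gap.
    print(uncovered_hosts(["*.slashdot.org", "slashdot.org"], served))
```

Running `uncovered_hosts` against the full list of names a front end answers to, before the certificate is installed, catches this class of warning before users see it.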

Re:If it wouldn't pop up everywhere it shouldn't (1)

Chuck Chunder (21021) | about 5 years ago | (#28833033)

This is a headache for SiteTruth [sitetruth.com], which uses certificates as an indication of web site validity and a source of business names and addresses. Only certs that are valid, using the Firefox cert file as authority, are accepted. There are more rejects than there should be.

Is there some reason people should be trusting certs issued by the US military?

Because... (2, Insightful)

w0mprat (1317953) | about 5 years ago | (#28832659)

... these warnings can be safely ignored 90% of the time. Indeed software and web developers bombard users with unnecessary messages and errors, such they become a little keen just to click ok and see what happens anyway. Another problem is with wording of the warnings which are too formal-technical and not plain-english-ok-so-what-should-i-do-now.

Just wording it differently like "If you are accessing what appears to be a trusted website, and you are receiving this warning, you should not visit it as it could be a nasty security risk. Try again later." Rather than "Warning: Security certificate is not valid... [etc etc..]". This makes a huge difference.

WOT is more to the point: "This website is dangerous" and the page is locked out until you navigate away or click on a very clear "Ignore this warning and proceed".

Big surprise! (5, Insightful)

rantingkitten (938138) | about 5 years ago | (#28832669)

First, users don't know what certificates are, or why it matters. That should be pretty obvious.

The situation isn't helped by the fact that the overwhelming majority of invalid certs, in my experience, are just from random sites which you find with a Google search, and those sites for some reason have https instead of http as their search result. You click, and oh shock, the administrator hasn't updated his cert in ages, because nobody cares. After endless warnings about this, even I have stopped caring. It's almost a Pavlovian conditioning to see that warning and say "Yeah, whatever."

It's even worse now. Back in the day, you could dismiss these mostly spurious warnings with one click. These days, Firefox makes you go through an utterly obnoxious process of acknowledging the warning, then manually adding the certificate, then approving it. All because I needed to see some forum where people were discussing some problem I needed to solve. I am so tired of having to go through this that I just sigh and back away from the site and try to find another one that won't make me do this. I am not shocked that users just click whatever it takes to make the warnings go away.

Re:Big surprise! (1)

yuhong (1378501) | about 5 years ago | (#28832929)

Usually what I do in this case is just take the letter 's' off of the https URL so it becomes http.

You had to ignore them to do anything (1)

basementman (1475159) | about 5 years ago | (#28832681)

A couple years back when FireFox threw a security warning on every single freaking site, including legitimate ones you basically had to ignore it. It was either that or just don't get anything done. FireFox isn't that bad anymore, but because of that people are used to just clicking through without caring.

This is why there is a delicate balance between too much and too little security.

Not many people have the money... (2, Insightful)

djfuq (1151563) | about 5 years ago | (#28832687)

I have run into countless situations where a self signed cert is the only cost sensible way to provide a secure HTTPS connection, and it comes across to users like me as something like this:

Oh great this again -- reminds me of UAC -- stupid security measures for site owners / browser makers / site users / who don't want to be caught in the aftermath of a criminal situation -- by appearing to make some people feel safer by telling them they are potentially NOT SAFE...
"You agreed that you may not be safe, and you did it anyways! YOUR FAULT! :-)"

Hmmmm well I want to see this page, *NOW* And I know it's the page I want to see, it is secure... that is good because I'm logging into this, oh it looks like they didn't go through Verisign etc, big deal. Cheapskates! Oh well..

God I hate being asked stupid questions ACCEPT, YES, OK
(I wish clicking "get me out of here" meant YES OK FINE!!! Let me log into the site already!)

I really think this practice of certs and security theater is just making cheap yet good *secure* sites look bad...
The cynic in me sees this as a way to line the pockets of so called "trusted authorities".

Can't this be done in a NON PROFIT manner???

Either way the user needs what the user needs and no amount of paternalism will save them from the monsters!

Re:Not many people have the money... (1)

FishWithAHammer (957772) | about 5 years ago | (#28832755)

If you don't have a CA-signed cert, the connection is not secure.

Re:Not many people have the money... (1)

tepples (727027) | about 5 years ago | (#28832821)

Then how would you go about getting a CA-signed cert with little or no money?

Re:Not many people have the money... (1)

FishWithAHammer (957772) | about 5 years ago | (#28832907)

I get an offer for Comodo through my domain registrar that's like $15/year. I don't use it, as I go through Thawte for my stuff because I always have and don't want to screw with changing it, but if you look around it's not hard to find browser-preloaded CAs at reasonable prices.

Re:Not many people have the money... (1)

djfuq (1151563) | about 5 years ago | (#28832841)

How so? It is encrypted -- I think what you mean is:
It's not secure because its cert has not been bought from someone who can say it is secure and be responsible if it is not.

How about this then:
Is Verisign then responsible for any secure site they vetted that is actually malicious? Can they be sued?

Re:Not many people have the money... (3, Interesting)

onefriedrice (1171917) | about 5 years ago | (#28832861)

If I can go out and get a certificate signed by "FishWithAHammer" for a couple dozen bucks from some CA which happens to have its root certificate in your browser by default (and I can), even CA-signed certificates aren't worth much. Actually, the fact that you think a CA-signed cert is much better than a self-signed one means to me that they are causing more harm than good in the form of false security.

Re:Not many people have the money... (4, Insightful)

Rockoon (1252108) | about 5 years ago | (#28832975)

If you do have a CA-signed cert, the connection still isn't secure. That's the real problem.

Anyone willing to screw lots of people, each out of thousands of dollars, is also willing to game the CA system with stolen credit cards.

It is all about trust. If you can't trust the signing authority, how can you trust the signer?

the average person (0)

Anonymous Coward | about 5 years ago | (#28832703)

oh gawd, how i get here. i not good with computer.

With untrustworthy CA's, who cares? (5, Insightful)

tbradshaw (569563) | about 5 years ago | (#28832783)

Verisign is untrustworthy, so why should I care if a certificate is signed or not?

Signed certificates are a complete racket: If you don't pay us then when your users show up they will get a giant warning shown in their face, telling them not to trust you. You wouldn't want that would you? Nope, don't care who you are, what you do, or why. $100 bucks please.

Government certificates always seem to be broken (1)

discorob3 (1479279) | about 5 years ago | (#28832867)

The only warnings I ever get are from .mil and .gov sites.... Which is about right...

Not a big surprise (2, Insightful)

DarthBart (640519) | about 5 years ago | (#28832887)

You could have a big pop up box that says "Clicking here will empty your bank account, steal your car, rape your women and children, and cancel your NASCAR season pass on your TiVo" and John Q Public will still click on it.

Most of the non-techies and a lot of techies are sick of "The Browser/OS who cried wolf".

Re:Not a big surprise (1)

megrims (839585) | about 5 years ago | (#28833201)

To be fair, I think most people would click that button out of curiosity.

Those security warnings remind me of... (1)

Doug52392 (1094585) | about 5 years ago | (#28832923)

... The Everything's-Okay Alarm, as invented by Homer Simpson. Now you too can have a very annoying warning go off every few seconds if everything is indeed okay!

no wonder (1)

margaret (79092) | about 5 years ago | (#28832937)

If you think this is bad, consider that most electronic medical records pop up pointless warnings even more frequently. Sometimes they catch a legitimate error, but it's hard to not get conditioned to ignore those without really reading them.

I think I read some story many years ago about a boy who cried wolf... Same principle. Warnings cease to be effective if they pop up all the freakin' time for no good reason.

Failed logic, again (3, Interesting)

rickb928 (945187) | about 5 years ago | (#28832949)

I get certificate warnings for internal sites, inside the firewall, without having accessed anything external. Yes, our CA people and developers are morons. No, let me state that more clearly. They are offshored, overpaid by a factor of five, patent leather morons. And they all talk too fast, fail to deliver a statement of work, and fail to deliver even what they say they will, in writing, before witnesses. But I digress.

Certificate warnings are relatively pointless, because they point out a technical flaw without distinguishing between bookkeeping flaws, expired or poorly minted certificates due to simple incompetence, private certificates that serve the purpose, and actual exploitations.

Many of our certificates at work would raise warnings, and do when I indulge in testing, but the sites are application-specific. A browser never needs to access these, and doesn't unless I'm verifying connectivity. Otherwise, the firewalls and application rules kick in and discourage an attacker by either blocking their IP or delaying response and slowing the attack to a crawl.

I get these warnings pretty regularly on public sites, and generally ignore them. But anything I was linked to, or referred, or a URL I am not entirely sure of, I either close the session and start over, or try it on my phone.

So far, my phone has shrugged off some clever but Windows-specific attacks. Always fun to revel in the agony of others.

Re:Failed logic, again (1)

techno-vampire (666512) | about 5 years ago | (#28833159)

I get certificate warnings for internal sites, inside the firewall, without having accessed anything external.

BTDTGTTS. Not only that, it was when I was doing tech support for an ISP! Not only couldn't the mucking forons get their acts together to renew all of the out-of-date certs on our intranet, they'd locked our machines down so badly that every time you rebooted, you'd have to go through the same song and dance again, telling IE (No, we couldn't use Netscape on those pages and Firefox wasn't out yet.) to import all those bad certs. And, of course, NT4 was so unstable that you'd either have to restart or power cycle three or four times a day. Not having to deal with that was almost worth getting laid off when they outsourced Tech Support to India.

People forget how people work (1)

holophrastic (221104) | about 5 years ago | (#28832985)

In general, the reason that such warnings don't work, is because they present an impossible choice to the user.

If the display were: "visit this site securely and safely; or visit this site dangerously", you'd get everyone wanting the big fancy secure and safe method -- whether they need it or not -- because people are paranoid and trained to listen to fear-tactics.

But the display is currently: "visit this web-site dangerously, or don't visit it at all". That's never been anything that most people can handle. Think of why they wound up there in the first place. They were either sent by a colleague, sent by an employer, sent by a friend, or clicked from an interesting link. If you expect them to say no to their employer, or friend, or colleague, then you're crazy -- people don't do that. They simply lack the confidence and self-esteem for such things. As for the following-an-interesting-link scenario, you've thrown a negative warning when a human being was expecting a pleasant experience to continue into a new place. They'll push ahead for the chance that it'll be "ok", rather than cut-off their good experience.

And, of course, it takes $12 and five minutes for anyone to get a valid certificate, so it really doesn't have much meaning in the first place. It's the encrypted protocol that's important, not the trusting of the site owner by the visitor. That's something completely independent.

comic con is for fags (-1, Troll)

Anonymous Coward | about 5 years ago | (#28833021)

totally gay.

sex wit4 a tr0ll (-1, Troll)

Anonymous Coward | about 5 years ago | (#28833037)

Sales 4nd so on, fear the reaper Market. Therefore, subscribers. Please are there? Oh,

they sure are useless for me (1)

Odinlake (1057938) | about 5 years ago | (#28833041)

My email provider changes the name of their imap server every now and then and it's always something different than what is documented. If I don't figure out what the name in the certificate is and update my settings accordingly I get warnings. If I'm busy with something more important I just click past them.

Now, at least I can figure out how to fix (check out) this but most people wouldn't, they'd just see some problem that more than 99% of the times (if they are in my situation) is no attack but just some kind of administrative thing that fortunately you can click your way through and won't have to waste half a day trying to catch an admin for.

@those who whine about stupid users: I don't think this problem is about stupid users.

Well, the problem lies in the fact... (1)

FragInc (931710) | about 5 years ago | (#28833047)

that very few websites implement security certificates correctly and keep them up-to-date. Many have signed certs for their site but it is old and subsequently gets flagged. No one is ever going to actually pay attention to the security certs until they are implemented correctly across the board... ya, like that's going to happen! :-/

Sending data or not? (0)

Anonymous Coward | about 5 years ago | (#28833079)

The only time I ever pay attention to these warnings is when I'm sending important data. Otherwise, really, I could not care less. On top of that if there are images being accessed using http on a https accessed web page, a similar warning comes up.

Most of the time though I'm just trying to view a web page - don't care about security.

The online survey (1)

westlake (615356) | about 5 years ago | (#28833081)

The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings.

How much credence can you give an online survey?

You could reasonably argue that respondents are a self-selected and overly trusting audience to begin with.
 

OpenSSH (0)

Anonymous Coward | about 5 years ago | (#28833109)

OpenBSD doesn't exactly have a fork of Firefox, but their port has been patched to make the horrible Firefox certificate warnings better (certs can be added with one click).

The fact that they make the warnings so scary is a bad thing, and kind of silly. Self-signed certs are no less trustworthy than plain HTTP connections, and they are encrypted which is better.

Personally, I would like to see a browser that does it the SSH way. When you first connect to an untrusted server, you get a message like this:

The authenticity of host '192.168.0.66 (192.168.0.66)' can't be established. RSA key fingerprint is b1:22:9b:bd:a8:c9:22:d7:04:52:79:7c:9c:0e:e7:d6. Are you sure you want to continue connecting (yes/no)?

If you choose to trust it, the key is stored in your SSH options. The next time you connect, no message, because you chose to trust the cert. But if the key fingerprint ever changes:

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

This, in my opinion, makes more sense than the way browsers currently do it.
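The SSH-style flow described in the comment above (and in the earlier comments proposing a warning only when a certificate has changed), sketched as an added example that is not part of any poster's comment or of any browser's or OpenSSH's code. `PinStore`, `connect_decision` and the result strings are hypothetical names, and the two "certificates" are constructed byte strings standing in for DER data.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# In real use the bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_A = b"constructed-certificate-A"
CERT_B = b"constructed-certificate-B"


def fingerprint(der_bytes):
    """SHA-256 of the certificate bytes as colon-separated hex pairs."""
    digest = hashlib.sha256(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """known_hosts-style store: one pinned fingerprint per host:port (hypothetical)."""

    def __init__(self, path=None):
        self.path = path          # None keeps the pins in memory only
        self.pins = {}
        if path and os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    @staticmethod
    def _key(host, port):
        return f"{host.lower()}:{port}"

    def check(self, host, port, der_bytes):
        """Return 'unknown', 'match' or 'changed'; never modifies the store."""
        pinned = self.pins.get(self._key(host, port))
        if pinned is None:
            return "unknown"
        if hmac.compare_digest(pinned, fingerprint(der_bytes)):
            return "match"
        return "changed"

    def trust(self, host, port, der_bytes, replace=False):
        """Pin a certificate. An existing, different pin is only overwritten
        when the caller passes replace=True after out-of-band verification."""
        key = self._key(host, port)
        new = fingerprint(der_bytes)
        if key in self.pins and self.pins[key] != new and not replace:
            raise ValueError(f"{key} is already pinned to a different certificate")
        self.pins[key] = new
        if self.path:
            tmp = self.path + ".tmp"
            with open(tmp, "w", encoding="utf-8") as fh:
                json.dump(self.pins, fh, indent=2, sort_keys=True)
            os.replace(tmp, self.path)   # atomic swap, no half-written store


def connect_decision(store, host, port, der_bytes, user_accepts):
    """Decide what to do with a presented certificate.

    user_accepts(host, fingerprint) is only called on first contact, so the
    user sees one prompt per host and a hard stop on any later change.
    """
    state = store.check(host, port, der_bytes)
    if state == "match":
        return "proceed"
    if state == "unknown":
        if user_accepts(host, fingerprint(der_bytes)):
            store.trust(host, port, der_bytes)
            return "proceed-pinned"
        return "abort"
    return "abort-changed"   # possible man-in-the-middle: no click-through


if __name__ == "__main__":
    store = PinStore()
    yes = lambda host, fp: True
    # First contact, repeat visit, then a different certificate for the same host.
    for cert in (CERT_A, CERT_A, CERT_B):
        print(connect_decision(store, "192.168.0.66", 443, cert, yes))
```

The first-contact prompt is still an unauthenticated decision; the store only makes later changes visible, which is the property the comment asks for.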

90% of SSL is unnecessary (1)

BillX (307153) | about 5 years ago | (#28833131)

It seems that for the past few years, more and more "average" sites (blogs, web forums, straight HTML pages) have SSL turned on for no particular reason. They're not banking sites, and some do not require/use any kind of authentication whatsoever. Most likely they have it on simply because they read somewhere "it's more secure", or because it's a 1-line edit in httpd.conf so why not, or to proactively opt out of all current and future mid-pipe page-rewriting shenanigans (BT/Phorm [wikipedia.org] and alikes), not realizing how many clicks of busywork and Dire Warning desensitization this is causing for Firefox users every time they want to read some guy's anonymous blog post.

Thus, I have no doubt people have become used to clicking away all these warnings, even to the point of getting themselves into trouble when a legitimate one appears on a site where they might actually enter confidential information.

Maybe they need to simply start treating self-signed sites as indistinguishable from plain HTTP (no Dire Warnings, no padlock symbols, broken or not, etc.), or save the Dire Warning dance until the first time the user attempts to submit data (e.g. clicks to type in a textbox). If they're not submitting *any* data, they're not submitting their financial data...
