Today’s PINcode (sic)

The Personal Identification Number Code du jour for the wireless network of this Beirut restaurant is:

This is quite user-friendly, but is it good security?

It’s written in chalk, so presumably they change it every few days. That’s smart: a freeloader would have to walk into the restaurant, peek at the board and leave again every time the PIN changed, a pattern that would soon become obvious and get them caught.

There is no reason to hide the PIN from patrons, since they’re all on the same network anyway. Note the flip side: a shared PIN only keeps outsiders off; it does nothing to separate patrons from one another on that network.

Sometimes simple solutions are perfectly adequate.

Free browser vulnerability scanners

Not having the latest security updates for your web browser or plugins is detrimental to your online privacy and security.

Using Internet Explorer? The following link checks whether your browser and its plugins are up to date and points you to the updates: https://browsercheck.qualys.com/

Using Firefox? The following link checks whether your plugins are up to date: https://www.mozilla.com/en-US/plugincheck/

This is what the web sites look like:

Qualys’ free browser security checker:

Qualys Internet Explorer results

Firefox’s own PluginCheck page:

firefox plugin check

Kudos to Julien who pointed out the Qualys BrowserCheck tool.
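What a plugin check like the two above actually does, as an added example (this is not Qualys’ or Mozilla’s code; the minimum-version table and the sample plugin list are constructed for the example): it reads the name and description of each installed plugin, in the shape navigator.plugins exposes them, pulls the version out of the description, and compares it component by component against the minimum version it considers safe. The comparison is the part worth getting right: a plain string comparison would rank 9.1.3 above 10.0.32.

```javascript
// Added example (not Qualys' or Mozilla's code): how a plugin check decides
// that a plugin is outdated. The minimum versions below are constructed for
// this example, not a real vendor table.
const MINIMUM_VERSIONS = {
  "Shockwave Flash": "10.0.32",
  "Java": "1.6.0.15",
  "Adobe Acrobat": "9.1.3",
};

// Pull a version out of free text: "10.0 r22" -> [10, 0, 22],
// "1.6.0_15" -> [1, 6, 0, 15]. Returns null if no version is present.
function parseVersion(text) {
  const m = /(\d+(?:[._]\d+)*)(?:\s*r(\d+))?/i.exec(text || "");
  if (!m) return null;
  const parts = m[1].split(/[._]/).map(Number);
  if (m[2] !== undefined) parts.push(Number(m[2]));
  return parts;
}

// Component-wise numeric comparison; missing trailing components count as
// zero, so [10, 0] equals [10, 0, 0]. A string comparison would wrongly put
// "9.1.3" after "10.0.32".
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = i < a.length ? a[i] : 0;
    const y = i < b.length ? b[i] : 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// plugins: array of {name, description} in the shape navigator.plugins
// exposes. Returns one report entry per tracked plugin that is installed.
function checkPlugins(plugins, minimums = MINIMUM_VERSIONS) {
  const report = [];
  for (const p of plugins) {
    const key = Object.keys(minimums).find((k) => p.name.startsWith(k));
    if (!key) continue; // not a plugin this check tracks
    const installed = parseVersion(p.description) || parseVersion(p.name);
    const required = parseVersion(minimums[key]);
    let status;
    if (installed === null) status = "unknown";
    else status = compareVersions(installed, required) < 0 ? "outdated" : "current";
    report.push({
      name: key,
      installed: installed === null ? null : installed.join("."),
      required: minimums[key],
      status,
    });
  }
  return report;
}

// Constructed sample of what navigator.plugins might have held in 2009.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 10.0 r22" },
  { name: "Java(TM) Platform SE 6 U15",
    description: "Next Generation Java Plug-in 1.6.0_15 for Mozilla browsers" },
  { name: "Adobe Acrobat",
    description: "Adobe PDF Plug-In For Firefox and Netscape 9.1.3" },
];

for (const r of checkPlugins(SAMPLE_PLUGINS)) {
  console.log(`${r.name}: installed ${r.installed}, minimum ${r.required} -> ${r.status}`);
}
```

In a real browser the plugin list comes from Array.from(navigator.plugins) and the minimum versions from the vendor; hand checkPlugins the same shape and it reports which plugins need updating.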

Why our way of handling SSL certificate errors is last nail in coffin of WWW security

It’s all supposed to be OK on the big bad Internet, because we have SSL. It’s really our only (first and last?) line of defence when it comes to having *some* degree of trust that we’re indeed talking to the website we think we are.

But:

  • sloppy SSL certificate handling by websites and
  • bad interface design by browser usability experts

kill any credibility the scheme ever had.

SSL has known issues we were prepared to live with, like:

  • the dated crypto behind SSL (the whole MD5 thing)
  • the assumptions of the trust model that are slightly too optimistic (Verisign as a malevolent root of Trust – puh-lease!)

But sloppy certificate handling by multi-million dollar corporations that can’t be bothered to deploy a proper certificate (Facebook?), and the poor handling of such situations by the main browsers in use today (IE8 and Firefox 3), put Internet users in impossible dilemmas.

Let’s say one wishes to securely connect to the regional website of Facebook in the United Kingdom.

Internet Explorer 8

Try visiting https://en-gb.facebook.com with IE8 and you get the following:

Internet Explorer 8 SSL cert handling

Do you see any information anywhere that helps you understand what’s going on? I don’t. And I call myself an IT professional.

So what is the poor user supposed to do?

  • Clicking on “the green thing” closes the window. Hurray.
  • You are strongly advised NOT to continue to this website, so that’s the “don’t click me” link.
  • Clicking “More information” does not give you any information that helps you make a security decision.
  • The result:
    • Frustrated users who feel stupid and intimidated by “all this techie stuff”.
    • Users who learn that making arbitrary decisions about incomprehensible dilemmas, posed by a capricious computer, is perfectly normal.
    • Worse security for me, you, them. Everybody.

Firefox 3

Visiting https://en-gb.facebook.com with Firefox 3 is slightly better:

Firefox SSL cert handling

  • You are told there is something wrong without being too scared and without using fancy words like “security certificate”
  • By default you have one button available – the “Get me out of here!” button.
  • For the enquiring minds, there is the “technical details” collapsible thingy that actually tells you what the problem is.
  • Once you’ve seen what the problem is, you can choose to bypass the browser’s something’s-dodgy-here reaction

In this case Firefox does better than Internet Explorer because, unlike IE8, it lets the user make an informed security decision.
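What the “technical details” ought to say, as an added example that is not code from the post: the three checks a browser runs on a server certificate (does a name on the certificate match the host, is the certificate within its validity period, is the issuer in the trust store), each producing a plain-language reason when it fails. The certificate object, the hostnames and the one-entry trust store are constructed for the example; the object follows the shape Node’s socket.getPeerCertificate() returns, so the same function can be pointed at a live connection. The trust-store check is a stand-in: it compares the issuer’s name only, whereas a real browser also verifies the signature chain.

```javascript
// Added example, not from the post: the checks behind a certificate warning
// and the reason each one gives when it fails.
// SAMPLE_CERT is constructed for this example in the shape Node's
// tls socket.getPeerCertificate() returns; it is not any real site's certificate.
const SAMPLE_CERT = {
  subject: { CN: "www.example.com", O: "Example Inc" },
  issuer: { CN: "Example Secure CA", O: "Example Trust Services" },
  subjectaltname: "DNS:www.example.com, DNS:*.static.example.com",
  valid_from: "Jan  1 00:00:00 2009 GMT",
  valid_to: "Jan  1 00:00:00 2010 GMT",
};

// Stand-in for the browser's root store (an assumption for this example).
const TRUSTED_ISSUERS = new Set(["Example Secure CA"]);

// OpenSSL-style timestamps ("Jan  1 00:00:00 2009 GMT") to milliseconds.
function certTime(text) {
  return Date.parse(text.replace(/\s+/g, " "));
}

// Names the certificate is valid for: DNS entries of the SAN extension,
// falling back to the subject CN only when there are none.
function certNames(cert) {
  const sans = (cert.subjectaltname || "")
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.startsWith("DNS:"))
    .map((s) => s.slice(4));
  if (sans.length) return sans;
  return cert.subject && cert.subject.CN ? [cert.subject.CN] : [];
}

// RFC 6125-style matching: a wildcard is only allowed as the entire leftmost
// label and matches exactly one label, so *.example.com covers a.example.com
// but neither a.b.example.com nor example.com itself.
function nameMatches(pattern, hostname) {
  pattern = pattern.toLowerCase();
  hostname = hostname.toLowerCase();
  if (pattern === hostname) return true;
  if (!pattern.startsWith("*.") || pattern.indexOf("*", 1) !== -1) return false;
  const dot = hostname.indexOf(".");
  return dot > 0 && hostname.slice(dot + 1) === pattern.slice(2);
}

// Returns the list of reasons the certificate is unacceptable for hostname;
// an empty list means all checks passed. `now` is injectable for testing.
function diagnoseCertificate(cert, hostname, now = Date.now(), trusted = TRUSTED_ISSUERS) {
  const problems = [];
  const names = certNames(cert);
  if (!names.some((n) => nameMatches(n, hostname))) {
    problems.push(`name mismatch: certificate is for ${names.join(", ")}, not ${hostname}`);
  }
  if (now < certTime(cert.valid_from)) {
    problems.push(`not yet valid: starts ${cert.valid_from}`);
  }
  if (now > certTime(cert.valid_to)) {
    problems.push(`expired: ended ${cert.valid_to}`);
  }
  const issuer = cert.issuer && cert.issuer.CN;
  if (!trusted.has(issuer)) {
    problems.push(`untrusted issuer: "${issuer}" is not in the trust store`);
  }
  return problems;
}

// Stand-alone demo: a regional hostname the certificate does not cover.
const when = certTime("Jun  1 00:00:00 2009 GMT");
for (const host of ["www.example.com", "en-gb.example.com"]) {
  const problems = diagnoseCertificate(SAMPLE_CERT, host, when);
  console.log(`${host}: ${problems.length ? problems.join("; ") : "certificate OK"}`);
}
```

Every string diagnoseCertificate returns is something a user could act on (“this certificate is for www.example.com, not en-gb.example.com”), which is exactly the information the IE8 dialogue withholds and the Firefox “technical details” panel provides.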