It’s all supposed to be OK on the big bad Internet, because we have SSL. It’s really our only (first and last?) line of defence when it comes to having *some* degree of trust that we’re indeed talking to the website we think we are.
Two things kill any credibility the scheme ever had:
- sloppy SSL certificate handling by websites, and
- bad interface design by browser usability experts.
SSL has known issues we were prepared to live with, like:
- the dated crypto behind SSL (the whole MD5 thing)
- the assumptions of the trust model that are slightly too optimistic (Verisign as a malevolent root of Trust – puh-lease!)
But sloppy handling of certificates by multi-million dollar corporations that can’t be bothered to issue a proper certificate (Facebook?), and the poor handling of such situations by the main browsers in use today (IE8 & Firefox 3) put Internet users in impossible dilemmas.
Let’s say one wishes to securely connect to the regional website of Facebook in the United Kingdom.
Internet Explorer 8
Try visiting https://en-gb.facebook.com with IE8 and you get the following:
Do you see any information anywhere that helps you understand what’s going on? I don’t. And I call myself an IT professional.
So what is the poor user supposed to do?
- Clicking on “the green thing” closes the window. Hurray.
- You are strongly advised to NOT continue to this website, so that’s the “don’t click me” link.
- Clicking “More information” does not give you any information that helps you make a security decision.
The result:
- Frustrated users who feel stupid and intimidated by “all this techie stuff”.
- Users who are trained to regard making random decisions about incomprehensible dilemmas, posed to them by a capricious computer, as completely normal.
- Worse security for me, you, them. Everybody.
Firefox 3
Visiting https://en-gb.facebook.com with Firefox 3 is slightly better:
- You are told there is something wrong without being too scared and without using fancy words like “security certificate”
- By default you have one button available – the “Get me out of here!” button.
- For the enquiring minds, there is the “technical details” collapsible thingy that actually tells you what the problem is.
- Once you’ve seen what the problem is, you can choose to bypass the browser’s something’s-dodgy-here reaction
In this case Firefox is doing better than Internet Explorer because, unlike IE8, Firefox lets the user make an informed security decision.
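What the browser is actually checking before it throws up that page, and what Firefox’s “technical details” panel boils down to, as an added example that is not part of the original post: a hostname-versus-certificate check in Python over constructed certificate data in the shape `ssl.getpeercert()` returns. It assumes the en-gb.facebook.com problem is a name mismatch (the post does not say what the error is), and the sample certificates are hypothetical, not the ones Facebook served.

```python
from datetime import datetime, timezone

def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' only as the whole leftmost label and it
    covers exactly one label, so '*.example.com' matches 'a.example.com'
    but not 'example.com' or 'a.b.example.com'."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def cert_names(cert: dict) -> list[str]:
    """DNS names the certificate vouches for: subjectAltName wins, the
    subject commonName is only a fallback when there is no DNS SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def explain(cert: dict, hostname: str, now=None) -> str:
    """'ok', or the plain-language reason a browser would put in its
    'technical details' panel (name mismatch is reported before expiry)."""
    now = now or datetime.now(timezone.utc)
    names = cert_names(cert)
    if not any(_label_matches(n, hostname) for n in names):
        return f"name mismatch: certificate is for {', '.join(names)}, not {hostname}"
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y GMT")
    if now > not_after.replace(tzinfo=timezone.utc):
        return f"expired: valid until {not_after.date()}"
    return "ok"

# Constructed sample certificates in ssl.getpeercert() shape; hypothetical
# values, not the real certificates served by facebook.com.
CERT_WWW_ONLY = {
    "subject": ((("commonName", "www.facebook.com"),),),
    "subjectAltName": (("DNS", "www.facebook.com"),),
    "notAfter": "Jan 01 00:00:00 2011 GMT",
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.facebook.com"),),),
    "subjectAltName": (("DNS", "*.facebook.com"), ("DNS", "facebook.com")),
    "notAfter": "Jan 01 00:00:00 2099 GMT",
}

if __name__ == "__main__":
    for cert in (CERT_WWW_ONLY, CERT_WILDCARD):
        print(explain(cert, "en-gb.facebook.com"))
```

Run as-is it prints one "name mismatch" line for the www-only certificate and "ok" for the wildcard one; that first line is the sentence IE8 never shows the user.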