Why our way of handling SSL certificate errors is last nail in coffin of WWW security

It’s all supposed to be OK on the big bad Internet, because we have SSL. It’s really our only (first and last?) line of defence when it comes to having *some* degree of trust that we’re indeed talking to the website we think we are.

But:

  • sloppy SSL certificate handling by websites and
  • bad interface design by browser usability experts

kill any credibility the scheme ever had.

SSL has known issues we were prepared to live with, like:

  • the dated crypto behind SSL (the whole MD5 thing)
  • the assumptions of the trust model that are slightly too optimistic (Verisign as a malevolent root of Trust – puh-lease!)

But sloppy handling of certificates by multi-million dollar corporations that can’t be bothered to issue a proper certificate (Facebook?), and the poor handling of such situations by the main browsers in use today (IE8 & Firefox 3) put Internet users in impossible dilemmas.

Let’s say one wishes to securely connect to the regional website of Facebook in the United Kingdom.

Internet Explorer 8

Try visiting https://en-gb.facebook.com with IE8 and you get the following:

Internet Explorer 8 SSL cert handling

Do you see any information anywhere that helps you understand what’s going on? I don’t. And I call myself an IT professional.

So what is the poor user supposed to do?

  • Clicking on “the green thing” closes the window. Hurray.
  • You are strongly advised to NOT continue to this website, so that’s the “don’t click me” link.
  • Clicking “More information” does not give you any information that helps you make a security decision.
  • The result:
    • Frustrated users who feel stupid and intimidated by “all this techie stuff”.
    • Users who are trained to find having to make random decisions for incomprehensible dilemmas posed to them by a capricious computer completely normal.
    • Worse security for me, you, them. Everybody.

Firefox 3

Visiting https://en-gb.facebook.com with Firefox 3 is slightly better:

Firefox SSL cert handling

  • You are told there is something wrong without being too scared and without using fancy words like “security certificate”
  • By default you have one button available – the “Get me out of here!” button.
  • For the enquiring minds, there is the “technical details” collapsible thingy that actually tells you what the problem is.
  • Once you’ve seen what the problem is, you can choose to bypass the browser’s something’s-dodgy-here reaction

In this case Firefox is doing better than Internet Explorer because unlike IE8, Firefox allows the user to make an informed security decision.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s