Re: clarifications needed re safe form editor cert matching algorithm

No, you're missing a key point: habituation.  If the warning is
presented in situations where average users do not care and are willing
to take risks, similar looking warnings will be ignored by these users
in the future.  For instance, if we warn on this case and 90% of users
ignore them all the time, when they receive a similar-looking warning
about a very serious threat (e.g. MITM attack where the domain
mismatches) they are then significantly more likely to ignore it.

The issue is not about making warnings that only some users find useful,
the issue is about training users to ignore *all* warnings.

I have very strong data on this showing that the reason why many users
ignore the IE7 phishing warnings is because they're similar to the IE7
SSL warnings.  Both CMU and Pitt have used self-signed certificates for
webmail; IE7 displays a warning on these sites which is nearly identical
to the phishing warnings.  When users encountered the phishing messages
many of them said "oh, I see this all the time when I check my email, so
I know it's okay."  They do not understand that it's a very different
situation and much more serious, nor should they be expected to.

The naive answer is to say "well those websites shouldn't use
self-signed certificates."  (Or, "those sites should buy a certificate
for each subdomain.")  But this isn't practical.  By ignoring the
reality of the situation we are in effect punishing the users and
wasting our own time by creating recommendations that have no hope of
succeeding.  If you believe that recommending stopping these sorts of
practices and continuing to warn in every conceivable situation
(regardless of actual risk) is going to be effective, you are living in
a fantasy world.


serge

Ian Fette wrote:
> I think that where we disagree is on this point: You seem to be of the
> opinion that if a warning is deficient (where we can define deficient
> later, perhaps majority of people ignore it / whatever), then it should
> be pulled out. What I am saying is that a warning, even if deficient,
> can still help a large number of users who do pay attention to warnings
> (even if they are a minority of users), and that you are probably going
> to face a tough sell to vendors in that you are asking them to
> potentially take on liability for little benefit. I think this point has
> come up in other threads of conversation as well.
> 
> On 10/12/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
> 
>     But if you concede that existing warnings are failing, this isn't a new
>     attack vector.  At worst it maintains the status quo, and at best it
>     makes more serious SSL warnings more effective.
> 
>     serge
> 
>     Ian Fette wrote:
>     > LOL... all I'm saying is this. For the case of www vs bare hostname, I
>     > can see this being common enough to warrant investigation. For the other
>     > cases, I see a lot of risk in terms of opening up new attack vectors,
>     > changing defaults, breaking standards etc, but I'm not sure I really see
>     > the benefit.
>     >
>     > On 10/12/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
>     >
>     >     Are you trying to use the Nuremberg defense now?
>     >
>     >     Though I'm not convinced that this would be breaking the standard.  The
>     >     standard specifies errors, but not how to display them.  In this
>     >     instance we choose not to display anything.
>     >
>     >     serge
>     >
>     >     Ian Fette wrote:
>     >     > I notice you didn't comment on the liability implications at the end of
>     >     > my reply ;-) I don't see a huge upside to breaking standards, I do see a
>     >     > huge potential downside. I would be willing to consider it if it helped
>     >     > in the common case - which I think it might for the example of
>     >     > https://example.com and https://www.example.com - i.e. maybe we special
>     >     > case www. But beyond that, I don't know if it's common enough to provide
>     >     > any real upside, and I am fairly certain that there's a huge risk in
>     >     > breaking a spec like SSL...
>     >     >
>     >     > -Ian
>     >     >
>     >     > On 10/12/07, *Thomas Roessler* <tlr@w3.org> wrote:
>     >     >
>     >     >     On 2007-10-12 09:29:56 -0700, Ian Fette wrote:
>     >     >
>     >     >     >> Of the number of sites that yield warnings for this (where the
>     >     >     >> certificate was granted for the domain, but the subdomain
>     >     >     >> doesn't match), how many are malicious?  How many times is it
>     >     >     >> benign when this warning appears?
>     >     >
>     >     >     > The point isn't how many of these such sites are currently
>     >     >     > malicious.
>     >     >
>     >     >     Well, if you want to consider the habituation effect that occurs, a
>     >     >     warning that mostly cries wolf is significantly worse than one
>     >     >     that's mostly right.
>     >     >
>     >     >     In particular, if a warning mostly occurs under legitimate
>     >     >     circumstances, the attack vector might not even be new.
>     >     >
>     >     >     The question is really whether the survey that Johnathan was citing
>     >     >     (i.e., current warnings have an effect in something like 40% of all
>     >     >     cases) is right, or whether the assumption is right that the current
>     >     >     warnings are largely ignored.
>     >     >
>     >     >     --
>     >     >     Thomas Roessler, W3C  <tlr@w3.org>
>     >     >
>     >     >
>     >
> 

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Friday, 12 October 2007 18:43:30 UTC