Re: Trusted proxy UI strawman from Barry Leiba on 2014-06-18 (ietf-http-wg@w3.org from April to June 2014)

From: Barry Leiba <barryleiba@computer.org>
Date: Wed, 18 Jun 2014 13:59:37 -0400
To: bizzbyster@gmail.com
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAC4RtVC1CBp0c4381ZtX7U4Mdh4XT=epSjq9=XQnAc8Y0PO=Og@mail.gmail.com>

The biggest problem with all of this is that you're making an
unreasonable assumption at the start: that users can reasonably "opt
out" of a <strike>privacy-invading</strike> "trusted" proxy.  (And,
yes, we have to call it something else: the *user* certainly does not
trust the proxy.)

1. If such a thing were to be deployed, it would immediately be
deployed in a way where the option to accept the proxy's intervention
becomes a Hobson's choice: either you accept the proxy or you don't
get to the web site you're trying to get to.  What do you think a user
(see below) will do in that situation?

2. It's simply unreasonable to imagine that users -- real users out
there, not "users" that really means operators, or content providers,
or browser makers, or whatever -- will have the first idea what
they're really giving up by accepting the proxy, nor that they will
have any understanding of what your UI markers (a "trusted proxy logo"
or any such thing) mean.  They will not have a clue, and they will not
be making an informed decision to put themselves in a position where,
for example, this proxy that they don't really trust now has their
username and password for their bank.

To believe otherwise is to ignore all research that's been done on this stuff.

Barry

On Mon, Jun 16, 2014 at 11:12 PM,  <bizzbyster@gmail.com> wrote:
> Thinking about this some more. In particular this:
>
> "It's probably worse. It's risky to take the approach of "better to show
> something than nothing at all" if the something just trains users to ignore
> your signals. Maybe later we will come up with a better heuristic, but we've
> already trained people to ignore our UI warnings. A better way would perhaps
> be something like suggested in
> https://code.google.com/p/chromium/issues/detail?id=81623. But
> unfortunately, due to the technical issue I referenced earlier with tainting
> web resources that were MITM'd, we can't provide a meaningful UI indicator."
>
> To avoid warning fatigue, maybe it's better to not do the UI warning via the
> infobar but just show the user the trusted proxy logo to the left of the
> lock. This is a constant reminder that the trusted proxy is seeing the
> encrypted traffic without presenting as a warning to learn to be ignored.
>
> Peter

Received on Wednesday, 18 June 2014 18:00:04 UTC