- From: Ian Fette <ifette@google.com>
- Date: Fri, 12 Oct 2007 11:48:27 -0700
- To: "Serge Egelman" <egelman@cs.cmu.edu>
- Cc: yngve@opera.com, "Johnathan Nightingale" <johnath@mozilla.com>, "W3C WSC Public" <public-wsc-wg@w3.org>
- Message-ID: <bbeaa26f0710121148v2678c8cdx2d1a85163bb4425@mail.gmail.com>
I agree that we should try to avoid habituation on a bad thing. But OTOH it's hard to go to a legal department and say "We're going to not display warnings on an error, because we think doing so may lead to habituation." That may be a hard sell for a lot of vendors. There's a reason that everything sold in the U.S. has millions of warning stickers, habituation or no. I think we need to focus on how to present warnings in a more effective manner. Maybe for these cases it's a more gentle warning that you're comfortable with users dismissing, distinct from "hard" SSL errors? (Not just talking about warning text, but also visual treatment, whether it's a modal warning that the user has to act upon vs. a warning somewhere in the chrome, etc.)

-Ian

On 10/12/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
>
> No, you're missing a key point: habituation. If the warning is presented in situations where average users do not care and are willing to take risks, similar-looking warnings will be ignored by these users in the future. For instance, if we warn on this case and 90% of users ignore them all the time, when they receive a similar-looking warning about a very serious threat (e.g. MITM attack where the domain mismatches) they are then significantly more likely to ignore it.
>
> The issue is not about making warnings that only some users find useful, the issue is about training users to ignore *all* warnings.
>
> I have very strong data on this showing that the reason why many users ignore the IE7 phishing warnings is because they're similar to the IE7 SSL warnings. Both CMU and Pitt have used self-signed certificates for webmail; IE7 displays a warning on these sites which is nearly identical to the phishing warnings. When users encountered the phishing messages many of them said "oh, I see this all the time when I check my email, so I know it's okay." They do not understand that it's a very different situation and much more serious, nor should they be expected to.
>
> The naive answer is to say "well those websites shouldn't use self-signed certificates." (Or, "those sites should buy a certificate for each subdomain.") But this isn't practical. By ignoring the reality of the situation we are in effect punishing the users and wasting our own time by creating recommendations that have no hope of succeeding. If you believe that recommending stopping these sorts of practices and continuing to warn in every conceivable situation (regardless of actual risk) is going to be effective, you are living in a fantasy world.
>
> serge
>
> Ian Fette wrote:
> > I think that where we disagree is on this point: You seem to be of the opinion that if a warning is deficient (where we can define deficient later, perhaps majority of people ignore it / whatever), then it should be pulled out. What I am saying is that a warning, even if deficient, can still help a large number of users who do pay attention to warnings (even if they are a minority of users), and that you are probably going to face a tough sell to vendors in that you are asking them to potentially take on liability for little benefit. I think this point has come up in other threads of conversation as well.
> >
> > On 10/12/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
> >
> > But if you concede that existing warnings are failing, this isn't a new attack vector. At worst it maintains the status quo, and at best it makes more serious SSL warnings more effective.
> >
> > serge
> >
> > Ian Fette wrote:
> > > LOL... all I'm saying is this. For the case of www vs bare hostname, I can see this being common enough to warrant investigation. For the other cases, I see a lot of risk in terms of opening up new attack vectors, changing defaults, breaking standards etc, but I'm not sure I really see the benefit.
> > >
> > > On 10/12/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
> > >
> > > Are you trying to use the Nuremberg defense now?
> > >
> > > Though I'm not convinced that this would be breaking the standard. The standard specifies errors, but not how to display them. In this instance we choose not to display anything.
> > >
> > > serge
> > >
> > > Ian Fette wrote:
> > > > I notice you didn't comment on the liability implications at the end of my reply ;-) I don't see a huge upside to breaking standards, I do see a huge potential downside. I would be willing to consider it if it helped in the common case - which I think it might for the example of https://example.com and https://www.example.com - i.e. maybe we special case www. But beyond that, I don't know if it's common enough to provide any real upside, and I am fairly certain that there's a huge risk in breaking a spec like SSL...
> > > >
> > > > -Ian
> > > >
> > > > On 10/12/07, *Thomas Roessler* <tlr@w3.org> wrote:
> > > >
> > > > On 2007-10-12 09:29:56 -0700, Ian Fette wrote:
> > > >
> > > > >> Of the number of sites that yield warnings for this (where the certificate was granted for the domain, but the subdomain doesn't match), how many are malicious? How many times is it benign when this warning appears?
> > > >
> > > > > The point isn't how many of these such sites are currently malicious.
> > > >
> > > > Well, if you want to consider the habituation effect that occurs, a warning that mostly cries wolf is significantly worse than one that's mostly right.
> > > >
> > > > In particular, if a warning mostly occurs under legitimate circumstances, the attack vector might not even be new.
> > > >
> > > > The question is really whether the survey that Johnathan was citing (i.e., current warnings have an effect in something like 40% of all cases) is right, or whether the assumption is right that the current warnings are largely ignored.
> > > >
> > > > --
> > > > Thomas Roessler, W3C <tlr@w3.org>
> > >
> > > --
> > > /*
> > > Serge Egelman
> > >
> > > PhD Candidate
> > > Vice President for External Affairs, Graduate Student Assembly
> > > Carnegie Mellon University
> > >
> > > Legislative Concerns Chair
> > > National Association of Graduate-Professional Students
> > > */
> >
> > --
> > /*
> > Serge Egelman
> >
> > PhD Candidate
> > Vice President for External Affairs, Graduate Student Assembly
> > Carnegie Mellon University
> >
> > Legislative Concerns Chair
> > National Association of Graduate-Professional Students
> > */
>
> --
> /*
> Serge Egelman
>
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly
> Carnegie Mellon University
>
> Legislative Concerns Chair
> National Association of Graduate-Professional Students
> */
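The one concrete case the thread keeps returning to is a certificate issued for example.com presented by www.example.com (or the reverse), which Ian suggests is common enough to investigate separately from every other name mismatch. The following is an added illustration, not code from the thread, from any browser, or from the WSC working group: a simplified hostname-matching routine in the spirit of the RFC 2818 / RFC 6125 rules (assumed and deliberately reduced here: case-insensitive comparison of dNSName entries, a wildcard honoured only as the entire leftmost label and matching exactly one label), plus a classifier that separates a "www vs bare hostname" mismatch from any other mismatch, such as the wrong-domain MITM case Serge wants users to keep taking seriously. Whether a browser should treat that bucket any differently is exactly what the thread argues about; the code only makes the distinction mechanical so the two buckets can be counted.

```python
"""Hostname-vs-certificate name matching, as an added illustration of the
www vs bare-hostname case discussed in the thread (not browser code).

Simplified RFC 2818 / RFC 6125 style rules (an assumption for this example):
  * names are compared case-insensitively after stripping a trailing dot;
  * an exact dNSName match wins;
  * a wildcard counts only as the whole leftmost label ("*.example.com"),
    matches exactly one label, and never covers the bare parent domain.
Real validators also fall back to the Common Name, handle IDNA labels,
IP-address SANs and name constraints; none of that is modelled here.
"""
from typing import Iterable


def _normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def name_matches(pattern: str, host: str) -> bool:
    """Does one certificate dNSName entry cover this host?"""
    pattern, host = _normalize(pattern), _normalize(host)
    if not pattern or not host:
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the entire leftmost label, and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse overly broad patterns such as "*.com".
    if len(p_labels) < 3:
        return False
    # "*.example.com" covers "www.example.com" but not "example.com"
    # and not "a.b.example.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_host(cert_names: Iterable[str], host: str) -> bool:
    return any(name_matches(n, host) for n in cert_names)


def classify_mismatch(cert_names: Iterable[str], host: str) -> str:
    """Return 'match', 'www-vs-bare' or 'other-mismatch'.

    'www-vs-bare' is the bucket Ian proposes looking at: the certificate
    does not cover the host as typed, but does cover it with a leading
    'www.' added or removed. Every other failure is 'other-mismatch'.
    """
    names = list(cert_names)
    h = _normalize(host)
    if cert_matches_host(names, h):
        return "match"
    sibling = h[len("www."):] if h.startswith("www.") else "www." + h
    if cert_matches_host(names, sibling):
        return "www-vs-bare"
    return "other-mismatch"


if __name__ == "__main__":
    # Constructed sample cases, not data from the thread.
    cases = [
        (["example.com"], "www.example.com"),
        (["www.example.com"], "example.com"),
        (["*.example.com"], "example.com"),
        (["*.example.com"], "mail.example.com"),
        (["example.com"], "examp1e.com"),
    ]
    for names, host in cases:
        print(f"{host:18s} vs {names!s:22s} -> {classify_mismatch(names, host)}")
```

The classifier deliberately reports only a bucket, never a decision: a warning UI, a telemetry counter, or the survey-style measurement Thomas asks about can all consume the same label, and a wildcard certificate that covers the www form is counted in the www bucket rather than silently treated as a match.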
Received on Friday, 12 October 2007 18:48:48 UTC