Re: clarifications needed re safe form editor cert matching algorithm

I agree that we should try to avoid habituation on a bad thing. But OTOH
it's hard to go to a legal department and say "We're going to not display
warnings on an error, because we think doing so may lead to habituation."
That may be a hard sell for a lot of vendors. There's a reason that
everything sold in the U.S. has millions of warning stickers, habituation or
no. I think we need to focus on how to present warnings in a more effective
manner. Maybe for these cases it's a more gentle warning that you're
comfortable with users dismissing, distinct from "hard" SSL errors?  (Not
just talking about warning text, but also visual treatment, whether it's a
modal warning that the user has to act upon vs. a warning somewhere in the
chrome, etc.)

-Ian

On 10/12/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
>
> No, you're missing a key point: habituation.  If the warning is
> presented in situations where average users do not care and are willing
> to take risks, similar looking warnings will be ignored by these users
> in the future.  For instance, if we warn on this case and 90% of users
> ignore them all the time, when they receive a similar-looking warning
> about a very serious threat (e.g. MITM attack where the domain
> mismatches) they are then significantly more likely to ignore it.
>
> The issue is not about making warnings that only some users find useful,
> the issue is about training users to ignore *all* warnings.
>
> I have very strong data on this showing that the reason why many users
> ignore the IE7 phishing warnings is because they're similar to the IE7
> SSL warnings.  Both CMU and Pitt have used self-signed certificates for
> webmail, IE7 displays a warning on these sites which is nearly identical
> to the phishing warnings.  When users encountered the phishing messages
> many of them said "oh, I see this all the time when I check my email, so
> I know it's okay."  They do not understand that it's a very different
> situation and much more serious, nor should they be expected to.
>
> The naive answer is to say "well those websites shouldn't use
> self-signed certificates."  (Or, "those sites should buy a certificate
> for each subdomain.")  But this isn't practical.  By ignoring the
> reality of the situation we are in effect punishing the users and
> wasting our own time by creating recommendations that have no hope of
> succeeding.  If you believe that recommending stopping these sort of
> practices and continuing to warn in every conceivable situation
> (regardless of actual risk) is going to be effective, you are living in
> a fantasy world.
>
>
> serge
>
> Ian Fette wrote:
> > I think that where we disagree is on this point: You seem to be of the
> > opinion that if a warning is deficient (where we can define deficient
> > later, perhaps majority of people ignore it / whatever), then it should
> > be pulled out. What I am saying is that a warning, even if deficient,
> > can still help a large number of users who do pay attention to warnings
> > (even if they are a minority of users), and that you are probably going
> > to face a tough sell to vendors in that you are asking them to
> > potentially take on liability for little benefit. I think this point has
> > come up in other threads of conversation as well.
> >
> > On 10/12/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
> >
> >     But if you concede that existing warnings are failing, this isn't a new
> >     attack vector.  At worst it maintains the status quo, and at best it
> >     makes more serious SSL warnings more effective.
> >
> >     serge
> >
> >     Ian Fette wrote:
> >     > LOL... all I'm saying is this. For the case of www vs bare hostname, I
> >     > can see this being common enough to warrant investigation. For the other
> >     > cases, I see a lot of risk in terms of opening up new attack vectors,
> >     > changing defaults, breaking standards etc, but I'm not sure I really see
> >     > the benefit.
> >     >
> >     > On 10/12/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
> >     >
> >     >     Are you trying to use the Nuremberg defense now?
> >     >
> >     >     Though I'm not convinced that this would be breaking the
> >     >     standard.  The standard specifies errors, but not how to display
> >     >     them.  In this instance we choose not to display anything.
> >     >
> >     >     serge
> >     >
> >     >     Ian Fette wrote:
> >     >     > I notice you didn't comment on the liability implications at the
> >     >     > end of my reply ;-) I don't see a huge upside to breaking
> >     >     > standards, I do see a huge potential downside. I would be willing
> >     >     > to consider it if it helped in the common case - which I think it
> >     >     > might for the example of https://example.com and
> >     >     > https://www.example.com - i.e. maybe we special case www. But
> >     >     > beyond that, I don't know if it's common enough to provide any
> >     >     > real upside, and I am fairly certain that there's a huge risk in
> >     >     > breaking a spec like SSL...
> >     >     >
> >     >     > -Ian
> >     >     >
> >     >     > On 10/12/07, *Thomas Roessler* <tlr@w3.org> wrote:
> >     >     >
> >     >     >     On 2007-10-12 09:29:56 -0700, Ian Fette wrote:
> >     >     >
> >     >     >     >> Of the number of sites that yield warnings for this
> >     >     >     >> (where the certificate was granted for the domain, but
> >     >     >     >> the subdomain doesn't match), how many are malicious?
> >     >     >     >> How many times is it benign when this warning appears?
> >     >     >
> >     >     >     > The point isn't how many of these such sites are
> >     >     >     > currently malicious.
> >     >     >
> >     >     >     Well, if you want to consider the habituation effect that
> >     >     >     occurs, a warning that mostly cries wolf is significantly
> >     >     >     worse than one that's mostly right.
> >     >     >
> >     >     >     In particular, if a warning mostly occurs under legitimate
> >     >     >     circumstances, the attack vector might not even be new.
> >     >     >
> >     >     >     The question is really whether the survey that Johnathan
> >     >     >     was citing (i.e., current warnings have an effect in
> >     >     >     something like 40% of all cases) is right, or whether the
> >     >     >     assumption is right that the current warnings are largely
> >     >     >     ignored.
> >     >     >
> >     >     >     --
> >     >     >     Thomas Roessler, W3C  <tlr@w3.org>
> >     >     >
> >     >     >
> >     >
> >     >
> >     >
> >
> >
> >
>
> --
> /*
> Serge Egelman
>
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly
> Carnegie Mellon University
>
> Legislative Concerns Chair
> National Association of Graduate-Professional Students
> */
>
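The example.com / www.example.com case argued over in this thread, written out as a small hostname-matching routine so the two positions can be compared on concrete inputs. This is an added illustration, not code from the list or from any browser: the matching rules are assumed from RFC 2818 / RFC 6125 in outline, and the `www_alias` flag is a hypothetical switch for the "special case www" relaxation Ian floats; every other subdomain mismatch stays an error under both settings.

```python
"""Certificate name vs. hostname matching, with an optional www alias.

Assumed rules (RFC 2818 s.3.1 / RFC 6125 in outline):
  * comparison is case-insensitive, trailing dots ignored
  * a wildcard is honoured only as the entire leftmost label and matches
    exactly one label: *.example.com covers www.example.com, but neither
    example.com nor a.b.example.com
The www_alias flag is the relaxation debated in the thread (assumption, not
a standard): a name for example.com is accepted for www.example.com and
vice versa. A cert for example.com still fails for mail.example.com.
"""


def _name_matches(pattern: str, host: str) -> bool:
    """Match one presented dNSName against one host, wildcard in leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Whole leftmost label must be the wildcard, and it must cover exactly one
    # label; require at least two fixed labels so "*" and "*.com" are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_host(presented: list[str], host: str, www_alias: bool = False) -> str:
    """Return 'match', 'www-alias' (accepted only under the relaxed policy), or 'mismatch'."""
    if any(_name_matches(name, host) for name in presented):
        return "match"
    if www_alias:
        h = host.lower().rstrip(".")
        alias = h[4:] if h.startswith("www.") else "www." + h
        # Swap only the bare name and its www. form; wildcards and any other
        # subdomain are deliberately left out of the relaxation.
        if any("*" not in n and _name_matches(n, alias) for n in presented):
            return "www-alias"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample: a certificate issued for the bare domain only.
    for host in ("example.com", "www.example.com", "mail.example.com"):
        strict = match_host(["example.com"], host)
        relaxed = match_host(["example.com"], host, www_alias=True)
        print(f"{host:18} strict={strict:9} www_alias={relaxed}")
```

Under the strict policy only the bare name passes; with `www_alias` the www form is reported separately as `www-alias`, which lets a client decide whether that case gets no warning, a softer one, or the full SSL error.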

Received on Friday, 12 October 2007 18:48:48 UTC