On 5/18/2010 9:08 AM, Marsh Ray wrote:
On 5/18/2010 9:54 AM, johnjbarton wrote:

I mean that starting a design from the point of view that the users have
faulty judgment will almost certainly lead to software that fails.

The judgment starts when the user chooses the app. In effect the
designer is saying "The user, by selecting my app, is validating the way
my app handles the security-convenience tradeoff." If users actually
preferred and selected apps on the basis of security first, we might be
having a different conversation.


Marsh,

The designer here is asserting a false, one-dimensional design space and insisting that users make a choice along this false dimension.

As long as your designer views the problem of security as a tradeoff with convenience, you are not going to improve security. You will just create higher and more obscure barriers along that one dimension, trying to herd users to the other end. They will work around your efforts.


It positions the designer as a superior being and the users as cattle to be herded in directions deemed important by the designer.

As I see it, there are (broadly) two classes of users with competing
interests:

1. "The unwashed masses". I think a large mass of research shows that
the great majority of users, in fact, do not have the same ability to
judge the relative risk and security implication of such things as
bypassing a cert warning page. This is not to demean them. More than
likely they are experts in some other, perhaps more useful, area.

B. "The careful and competent admin". I believe that there is a group of
users who understand PKI and network security and are quite concerned
with maintaining security of their connection. For example, I have been
told that newer networking equipment is moving away from
SSH-to-command-line to web-based configuration. I would hope that admins
of core internet routers are not now subject to phishing! However, I
have also been repeatedly assured that this person doesn't exist.

In fact, both the security system designer and the users are humans with entirely equivalent ability to make judgments.

Is there evidence for this or are you perhaps being a bit of a romantic
idealist?

I, for one, would like my security systems designed by those who know
more about it than I do.

I do not believe that users should be asked to make choices based on poorly presented and biased information. When the security system UI presents the user with a choice that can expose them to security failures and they make a choice that leads to the security failure, where is the problem? Poor judgment by users or poor judgment by security system designers?


The concluding sentence citing Felten gets right to the heart of the
problem. Felten poses a false choice, then revels in the forgone
conclusion: stupid users, they would pick dancing pigs because they are
so stupid, while we, sage security folk, would know to pick security.

It's more complicated.

I would choose to view the dancing pigs, because the technology is
supposed to make that a safe thing for me to do. I would not, however,
enter any important credentials after clicking through the cert warning.
I would find it hard to explain the reasoning to my grandmother.

Exactly my point. The entire cert warning is pointless, because the users are faced with choices they cannot assess properly.


But this is becoming increasingly confused as well. Viewing "documents"
with Adobe software clearly carries risk as well. Ensuring the identity
of the site you're connecting to doesn't do much to protect you from
this risk since the site itself may be compromised.

If users choose to disregard or subvert security systems, the problem is
with the system. It is irrational to think that the problem is users'
faulty judgment.

The fundamental problem is that it's inherently a hard problem.
Biological systems have had billions of years to work out this
"identity" thing and they still do it imperfectly.

If you've got a better model for any identifiable subset of users, don't
keep it to yourself.

The better model begins by abandoning the "security-vs-convenience" mindset. Security should be about the maximum actual and effective security experienced by users. Our reaction to users clicking through the cert dialogs and being exposed to attack should be "we failed", not "users have poor judgment".

jjb


- Marsh

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto