Gervase Markham wrote:
> It's not that simple. You have to demonstrate an attack which causes the UI to be wrong - and clicking through a "Whoa! There's something wrong with your SSL connection!" dialog does not count. If the user ignores such dialogs, they have no hope.
I think we (all browser vendors) need to mount an education campaign educating users that these warning dialogs are their first and best line of defense, not merely a hoop put there for them to jump through.
I think many users genuinely don't understand that they can AND SHOULD say NO to some of these security requests. Many users seem to think that these dialogs are just there to get them to click a button.
Let me tell you a little story in support of that point. I know someone whose Windows computer was "owned" by trojans that made her computer do things she did not want, and caused it to be slow and frequently crash. I helped her get the computer completely restored from a clean backup, and then we installed ZoneAlarm on it. ZoneAlarm stops programs from using the TCP stack without the user's explicit permission. I instructed her that from time to time she would see pop-ups asking whether or not to allow some program to use the internet, and that she should reply yes when the pop-up occurred immediately after she tried to start to use the internet (such as when starting her browser, or her email program), and reply NO otherwise.

A few weeks went by and once again her computer was owned by trojans that were using the net. She couldn't understand how this happened. I asked her if she had used ZoneAlarm to stop unwanted programs from using the internet. She explained that every time the ZoneAlarm pop-up occurred, she answered yes, apparently thinking this is what she was expected to do! She had obediently clicked yes when she thought she was being asked to do so.
I explained to her that SAYING NO to unwanted programs was her first, best, and perhaps ONLY defense to unwanted programs running on her computer. I explained that these dialogs were there to give her a chance to be in control of her own computer, and stop unwanted programs from using her computer. I think she finally "got it". We restored her computer from the clean backup AGAIN and since then she's had no more problems. I think she finally learned to say no.
This story tells me that users CAN be educated to learn to say NO at the right times, but they have to first understand that there are consequences to their computer of saying yes to everything, and that the responsibility for keeping the bad guys out (or in this case, for not falling victim to fraudulent web sites) rests upon them not saying yes to every request that comes along.
I don't think the browser vendor community has done a good job (or perhaps ANY job) of educating users about that. I've never seen anything that tells users not to be fooled by web pages that show them how to override security warnings. We can do better.
-- 
Nelson B
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
