Security Certificate Messages do actually mean something

There was an interesting article out on the web today.  It reported that the majority of users simply click through any certificate error message without reading or understanding what they have been presented with.  What I find most concerning is this: “They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites.”  How I’m reading this is that the more people trust the site they are going to, the less concerned they are about the error message.

Think about the web sites that you use.  Which sites do you trust the most?  Probably your bank and your credit card companies.  Based on this study, those are the sites where people ignore the errors the most, when they are exactly the sites people need to be most suspicious of when a certificate error appears.  These are the sites most likely to have a man-in-the-middle attack run against them, and a certificate warning is often the only visible sign of one: an attacker who does not hold a certificate for the bank’s name issued by an authority your browser trusts can only present one that is self-signed, issued for a different name, or signed by an unknown authority, and the browser flags all three.

I disagree with the conclusion in the article that there should be a system that analyzes the error from the certificate and simply blocks access to the site.  The last thing people will want is a system telling them they can’t do something, even if it’s for their own good.  All that will happen is people will disable the system and keep the same dangerous behavior that they have now.

What we need to do instead is better educate users about what the errors mean, when they are safe to ignore, and when there is a serious problem and the site shouldn’t be used until the problem has been fixed.
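An added example, not part of the original post: a small script that spells out what a certificate warning is actually telling you, and that compares the certificate a site presents with a SHA-256 fingerprint (a “pin”) you recorded earlier on a connection you trust, which is the practical answer to “is this my bank or someone in the middle?”  It uses only the Python standard library.  The host name, the pin and the sample certificate are made up for illustration; the decision logic works on the dict that ssl.getpeercert() returns, so it can be exercised on the constructed sample without a network, and only main() connects anywhere.

```python
"""Added example, not from the original post: explain a certificate problem in
plain language and compare the presented certificate with a SHA-256 fingerprint
("pin") recorded on a connection you trust.  Standard library only; host names,
pin and the sample certificate below are made-up assumptions."""
import hashlib
import hmac
import socket
import ssl
import sys
import time


def _dn_to_dict(dn):
    """Flatten the ((('commonName', 'x'),), ...) shape getpeercert() uses for names."""
    return {key: value for rdn in dn for (key, value) in rdn}


def matches_hostname(hostname, dns_names):
    """RFC 6125-style DNS-ID matching: case-insensitive; a wildcard is allowed
    only as the whole leftmost label and matches exactly one label, so
    "*.example.com" covers "www.example.com" but not "a.b.example.com" or
    "example.com".  This is the check behind a "hostname mismatch" warning."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[1:]:
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix) and host.count(".") == suffix.count(".") and not host.startswith("."):
                return True
    return False


def audit_certificate(hostname, cert, now=None):
    """Return (problem, meaning) pairs for a getpeercert()-style dict; an empty
    list means the certificate is consistent with the site name you typed."""
    now = time.time() if now is None else now
    findings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append(("not yet valid", "start date is in the future; check your own clock before blaming the site"))
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append(("expired", "past its end date; careless at best, and an old stolen certificate can be replayed"))
    # Subject equal to issuer is what a self-signed leaf looks like, which is also what an
    # interception proxy presents when it has no CA you trust behind it.
    if _dn_to_dict(cert["subject"]) == _dn_to_dict(cert["issuer"]):
        findings.append(("self-signed", "nobody you trust vouches for this key; treat it as a possible man in the middle"))
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not matches_hostname(hostname, dns_names):
        findings.append(("hostname mismatch", "issued for %s, not %s; the strongest sign you are not talking to the site you typed"
                         % (", ".join(dns_names) or "no DNS name at all", hostname)))
    return findings


def fingerprint(der_bytes):
    """SHA-256 of the DER-encoded certificate, the value browsers display."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes, expected):
    """Constant-time compare with a pin copied from a browser (colons and case tolerated)."""
    return hmac.compare_digest(fingerprint(der_bytes), expected.replace(":", "").lower())


# Constructed sample in getpeercert() format: a self-signed certificate for a
# made-up bank, valid through calendar year 2024.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "*.example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def main(hostname, pin=None):
    """Verify the site the way a browser does and explain anything that fails."""
    try:
        with socket.create_connection((hostname, 443), timeout=10) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=hostname) as tls:
                cert, der = tls.getpeercert(), tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as err:
        # verify_code / verify_message carry OpenSSL's X509_V_ERR_* detail.
        print("VERIFICATION FAILED: %s (code %s)" % (err.verify_message, err.verify_code))
        # Fetch what the peer actually sent, with checking off, purely to inspect it.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        with socket.create_connection((hostname, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert, der = None, tls.getpeercert(binary_form=True)
    print("SHA-256 fingerprint:", fingerprint(der))
    if pin:
        print("pin matches" if pin_matches(der, pin) else "PIN DOES NOT MATCH: assume the connection is intercepted")
    for problem, meaning in (audit_certificate(hostname, cert) if cert else []):
        print("%s: %s" % (problem, meaning))


if __name__ == "__main__":  # e.g. python cert_explain.py www.example-bank.test <pin>
    main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
```

Run it once from a network you trust and write down the fingerprint it prints for your bank; the next time a warning appears, run it again and a changed fingerprint is the one fact that settles whether you are talking to the bank or to someone in between.  The script deliberately never tells you it is “safe to proceed”: the four findings it reports are the warnings browsers raise, and the unverified second connection in main() exists only so the certificate can be inspected, not so anything is sent over it.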

I know that being uninformed is in vogue in the US these days, but people need to understand that if they don’t protect their confidential information, then no one else is going to, and their information will be stolen, as will their money.  I for one don’t feel all that sorry for people who ignore a security warning that flat out tells them there is a problem with the site, don’t know what the error means, and hand over their information anyway.  A quick search on your favorite search engine can tell you what the error message actually means and whether it’s safe to proceed or not.

I’m not sure how to fix the education gap that we are seeing.  People have become so trusting of the Internet that at this point it is going to do them harm.  There has to be some way to better educate users about this issue.  Unfortunately I don’t have the answer.  You can’t force people to learn (no matter how badly you want to sometimes), so people simply remain ignorant of the issues, putting themselves at risk without a second thought.

I welcome your comments.

Denny

