I’ve just spent 5 minutes paying my mobile phone bill online, and every page I loaded in the process, IE8 came up with a warning saying “Do you want to view only the webpage content that was delivered securely?”. I’d consider myself more informed than the average user; I’m aware of the nature of security threats via a web browser, I keep my operating system and applications patched, I run up to date anti-virus and I am careful about which web pages I visit. But I didn’t feel qualified to answer that question, so how is everyone else reacting to it? Most people who be stumped, and even I was turn between security (rendering the page only with content provided via an SSL connection) and usability (the page rendering correctly, as I assumed it was graphic elements that were being loaded by HTTP instead of HTTPS).
A quick look at the page source showed various JavaScript elements and CSS stylesheets being loaded via unencrypted HTTP connections, which is what IE was warning me about, but if I don’t load those elements the page renders very badly. I can still find what I was after but the layout is appalling (as you’d expect with no CSS loaded) and some parts are unreadable. So what did I do? I loaded the page regardless, including the insecure elements.
So is this warning of any use? Should I be able to add exceptions so it only warns for sites I don’t trust? Firefox 3.5.5 doesn’t popup any warning at all, it just highlights an alert icon on the bottom right of the screen (which 99% of people won’t even notice). So which approach is right?
I’m stumped. The UAC debacle (which Microsoft now admit was about encouraging proper coding practise, not preventing malware infection) didn’t help the security/usability issue at all, it alienated and confused a large number of users, but when behaviour which could compromise a users system is spotted by the operating system or application, how should it approach the problem? The vast majority of users aren’t qualified to make a decision about whether a certain practise is safe or not, and constant intervention by the application or operating system is more likely to encourage them to bypass or downgrade security functionality than protect them. So what can developers do? Obviously good coding practise, better code review and quick response to reported vulnerabilities will protect users against malware which manipulates a fault in the software, but nothing seems to be able to stop malware which manipulates a fault in the user. If this IS the case, then is user education the only answer? People have to learn to drive a car, they have to learn about basic household finance, and most of them have to learn how to bring up a child, so why shouldn’t they learn how to safely use a computer? Worth thinking about, but I can’t see how conventional education systems (compulsory and further/higher education) can deliver more informed users, so who can deliver?
Answers on a very large postcard please!
