Should Malware Warnings have a Clickthrough?

In the latest nightly builds of FF3, and in the upcoming Beta 5, we let users choose to ignore our phishing warning, and click through to the site, just like they could in Firefox 2:

Ignore this Warning

But that same spot is empty in the malware case (unless you install my magic extension.)  Should it be?  It’s a harder question than it seems, on first blush.

My gut reaction is “No click-through for malware.”  I’ve spoken before about how we, as the experts, have an obligation to make certain decisions, rather than leave them to our users who are less well-equipped to make good ones.  That’s a hard position to hold, because we very much want our users to have the power, but a malware click-through is a perfect example.  We know that “I’ll just take a quick look” or “It looks fine to me” are not safe behaviours with malware sites, and that the very act of loading the page may have already pwned you.  It feels like we should make this call.

But people are curious. When they encounter a blocked page, some number of them are going to want to see the trainwreck for themselves, and without a click-through, they have two options:

  1. Disable malware protection
  2. Use a different browser

In terms of keeping our users safe, these are both really terrible options.  Allowing a click-through is arguably far better for these users, since it keeps them in a safer browser, and since it still leaves malware protection running.  Even a user who will persistently click through every single warning page is still helped by malware protection running in frames, and maybe even decides to stop clicking through at some future point.  A user who turns it off probably never turns it back on again.

It is wholly unsatisfying to me to argue “Well, if they turned it off, they deserve what’s coming to them,” because these are our users, and they deserve protection no matter what.  Sure, some of them will click things they shouldn’t click, but our interface should keep the most users safe the highest percentage of the time with the minimum limitations imposed on their browsing experience.

Straightjacket by kimblahg

Aren’t conflicting constraints fun?!

So what to do?  I said before that in cases where we can make a substantially more informed decision than our users can, we should do it.  But I don’t know if that’s the case here.  I’ve talked to a lot of smart people about it, and most of them seem to end up somewhere in the middle.  If we can’t make smarter or safer decisions than our users, then I think we have to bring the choice to them after all.  I think that if we can’t find a convincing argument that totally blocking click-through is viable, then we need to make one available.

But I don’t like that one little bit.

If you have new information to contribute to the debate, it rages on in Bug 422410, but I would encourage you not to jump in at the bottom without first reading the conversation that has come before.  Nobody here needs reminding that malware is bad juju, or that we shouldn’t be in the business of creating “Shoot me in the face” buttons.  With that disclaimer in mind though, any suggestions for resolving it are welcome.  The bug’s not a blocker, but it’s still an important thing to get right.

As right as possible, anyhow.

23 comments

  1. I’d say yes, but make it a multiple step process, or use a timer to make that link active (so no accidental clicks).

    Should always let the user decide their own fate. The software’s job is to help them make the best choice.

  2. It’d be nice if any “ignore” option for malware sites automatically disabled scripting and other features for that site.

  3. I don’t know how specific the malware information is that you get.

    If you positively know that this version of this browser will be affected by a malware site, don’t provide a click-through — don’t let people go to a place of which you *know* that their browser will be pwned.

    If you know there’s malware involved which is positively known to not affect FFvX (or not on the given platform), then provide a click-through.

    (At least that’s the behavior that this particular Firefox user would want his browser to show.)

  4. A clickthrough should always be present. ALWAYS. I for one would be one of those deactivating the feature if it doesn’t allow me to perform what I want to do. What’s next? Firefox not allowing you to download .exe files because “they might contain potentially unsafe code”? Don’t become Microsoft.
    A timer is a great idea, though.

  5. Warning a user is one thing.

    Blocking a user is evil.

    So please keep/add a “ignore this warning” on those screens.

  6. Yes, you should really implement some way to click through. It’s too hitlerish right now.

  7. Hmm – 0 to Hitler in 6 comments, eh? Not a Godwin’s Law record, but close!

  8. Jeremy Fujimoto-Johnson

    Perhaps a bit of analysis would be useful. Users will (in general terms) fall into one of four quadrants:
    +----+----+
    | A1 | A2 |
    +----+----+
    | B1 | B2 |
    +----+----+
    A1) Users in this quadrant will avoid any site that they are warned has malware. Users in this quadrant would never disable malware protection, nor would they click through if a click through link is provided.
    B1) Users in this quadrant would disable malware protection to get to sites they are warned about in at least some situations if there is no click through. However, if there is a click through they will not disable malware protection.
    A2) These users will readily click a click through link on a malware site (perhaps reasoning, there wouldn’t be a click through link if it was really that dangerous), but would not disable malware protection if there were no click through link.
    B2) These users will ignore and/or disable malware protection regularly.

    Obviously these are imperfect descriptions of user behavior and users may move from one quadrant to another by education, experience or some other factor. However, in broad strokes I think it helps define the playing field.

    Note that users in A1 are essentially unaffected by the choice of whether to have a click through. Users in B2 are likewise unaffected, unless they move to row A at some point in the future.
    Having a click through provides the best protection for users in column 1 while not having a click through provides the best protection for users in row A. Which population is bigger, A2 or B1? Which users need the most carefully provided protection? Would coming up with user stories help present an understanding that (generally speaking) users in one or more of these quadrants are in greater need of malware protection?

  9. Abdulkadir Topal

    Funny, I actually experienced this myself today, when I just typed in a URL which seemed to be intuitive. After reading what I had written some weeks ago (I’m a localizer ;), I felt pretty much helpless, because there was no way to see the actual site, not even a link to the preferences. And still I was not sure if that was a good thing or not. Because if there had been a link, I would definitely have clicked it, without thinking twice. So maybe a multi level scheme, like it is/was with extension installs from other sources than mozilla, would fit in here: Not easy, but still possible if the user demands to do it.

  10. I think the current situation is excellent — no click through but if you’re hard core enough, you can install an extension that provides it.

  11. I have been through probably a dozen websites where I have had this warning before, and I know it shouldn’t have been there. I was forced to go to OPERA just to visit the site. You DEFINITELY need to have an ignore this button.

  12. Hmm… I think you need to have the bypass, but you should warn the user that loading the page may be enough for the computer to be infected.

  13. For the default settings, I think Firefox should not have a click through. If advanced users want to click through they could download an extension like the one available now. (Host the extension at AMO.) That way Ma and Pop users will still be safe and the advanced users can still get around the malware warnings by installing the extension. Instead of having “Ignore this warning” you could have a link to install the extension to enable the “Ignore this warning” link. I think this method, because of the multistep process, would deter most users from just clicking through anyways.

    If you don’t like that idea I would support Robert Accettura’s idea of implementing a timer.

  14. try offering a version where all features are disabled:
    (frames, plugins, scripts, animation) [bonus points for disabling links]

    this would let people “see” the malware page and view its source without entailing much risk. I suppose the proper version would be to disable the features and then flip into print preview mode (that’d disable links), but you’d still need to somehow expose view-source.

  15. Ideal would be if we could disable scripts and anything else harmful. We do have code for that in the tree (several copies even) though it’d be hard to hook that up in time for release.

    At the very least disable scripts would go a long way.

    Another solution would be the multi-step click-through. Especially if one of those steps showed a screenshot of the site, as that would likely satisfy many users’ curiosity.

  16. I think that hiding the “ignore” option behind the “Why?” button would be a good compromise. Really, you shouldn’t go to the page without knowing why it’s flagged anyway. Also, a good explanation page could satisfy users’ curiosity, warn the stubborn ones more thoroughly, and prevent dangerous click-throughs. Once you’ve seen why the page was blocked, you’re in a better position to make an informed decision.

    This would probably be a lot of work, though, since (last time I checked) the Why button took you to some not-very-informative, non-chrome page.

  17. Once again, the warnings need to be specific to my OS and browser version.

    Otherwise, I’ll assume that Google are only blocking the site because it affects users of IE on Windows; I’ll then do a backflip and drive straight into it.

  18. Tell me _why_ (as in, specific names of malware) and _when_ it is blocked (clickthrough or not). This will not help the users that would try anyway, but if I see an explanation of some sort I’m more likely to trust you.

    Putting the information on a separate page is not useful, because it’s about the same amount of work for me to just go check out the blocked site. I’m a big boy and I know what I’m doing, right? 😉

  19. I agree with Peter in that the best solution may be to hide the “ignore” button behind the “why” button.

    Unfortunately, at the moment the “why” seems to be mostly overly generic information that’s of no use at all (eg, “has malware” when it should be saying “utilizes a flash exploit to gain root access”).

    And of course, the “ignore” button should be in a different position to the “why” button, so the user must move their mouse to get to it. Otherwise they’ll just double click, and we’re back to square one.

  20. […] pages (mmmm, maybe the page has been reported as an attack site, and it doesn’t), we can use this useful extension to add a little text at the bottom of the warning that provide us a form to bypass this […]

  21. Create a virtual temp area for the site and don’t let it mess with the rest of the computer or firefox sites?

    Don’t let it install anything without a dialogue.

    That’s the best solution if it can be coded correctly.

  22. Thanks for that plugin for the click-through. Talk about an annoying feature-change from the Mozilla guys!

  23. Corey Farwell: Oh boohoo, you poor poor baby. It must have been just AWFUL having to open a browser with malware protection that lets the user take control and responsibility of his own actions. Imagine having to do that every day! I can’t begin to imagine the suffering and anguish!