So PC World is running an article by Robert McMillan about phishing. It’s not a bad article or anything, it cites the antiphishing workgroup and various Gartner research in non-inflammatory ways (phishing is up 700% year over year, losses for 2006 estimated at $2.8B USD), and basically concludes that the current state of the internet, vis a vis your financial information, is somewhere towards the “festering cesspool of thievery from which no good thing can escape unscathed” end of the spectrum. Pretty standard stuff.
If Robert McMillan should be chastised for any part of it, it is his closing sentence, wherein he takes the too-obvious way out, no doubt because he was reaching his wordcount ceiling, and what the hell else is he going to say:
But to combat ever-adapting phishers, your best protection remains…you.
It’s not Bob’s fault, but this is a pretty awful way to leave things. How on earth are people supposed to do what he asks, particularly when all the evidence he’s just cited points to how profoundly they can’t?
People, and this is a statement with so few exceptions as to be nigh-on universal for our purposes, don’t give a damn about SSL and don’t even, for that matter, know that it’s a thing about which damns can be given.
Contrary to the frustrated complaints of some in the security community, people do care about the safety of their personal information, they do care about whether or not they can trust the people they do business with. And given information which makes any damned sense at all to them, they are able to make judgements about risk in various situations. The problem is that even with all of this caring and willingness to participate, they are not computer scientists, they don’t want to be computer scientists, and so a lot of the time what seems obvious to security developers is absolute jibberish to end users, even relatively sophisticated ones.
It should be noted that a lot of people in the development community recognize and embrace what I’m saying here, indeed they are rolling their eyes because this mantra, while relevant and valid and worth revisiting, is old hat to them. We know we have to simplify and put things into familiar metaphors and contexts. Hence, of course, the padlock. Everyone knows what a padlock is, and so all the major browsers have now had for years some version of a padlock icon which is displayed whenever their user is visiting a “secure” site.
What does that actually mean, though? If you’re not already a network security geek, it might shock and alarm you to know that it really doesn’t mean as much as you might think. The padlock symbol means that your connection is encrypted, that the data you transmit cannot be eavesdropped upon. That’s good to know, of course, but what the padlock doesn’t tell you is who you’re sending that data to. If you are sending data to a bunch of Russian mafia types running a scam site, does the fact that you can’t be eavesdropped upon in the process make you feel any safer?
The padlock simplifies a complex conversation about security and trust, but it simplifies it too much. We know this, and so we’re trying (not just Mozilla, there are smart people at Microsoft, Opera, Apple, and others working on it too, not to mention the w3c) to find ways to communicate more of the information you need, while still sparing you from judging the merits of AES encryption with a 256-bit key.
Firefox will tell you, beside the padlock in the status bar, what site you are talking to, because we think it’s information you can use. Microsoft will turn the address bar green when you are visiting a site that provides extended information to prove it is an actual registered business. The problem with both of these approaches is that they rely on you to a) notice them, and understand what they mean, and b) notice when they’re missing, and understand what that means. The absence of a cue is not generally a very strong signal for users, so we are working on building more active ways to help you know where you are on the web, without becoming an annoyance in the process.
How do you decide if an online site is trustworthy right now? Recommendations from friends? Visual appearance? The padlock? The green bar? What could we do to help you make those decisions more confidently (and correctly)? Would it help to know how long the website has existed? Would it help to know whether the Better Business Bureau or resellerratings has a record of it, and if so, what that record says? Firefox will check the sites you visit against a global blacklist of known scam sites, but phishing sites are up and down within hours, so we know that a blacklist like that is not the whole solution. What else would help?
Robert McMillan’s line wasn’t too terrible. The web is still the Wild West, the epitome of caveat emptor, and you can never be positive that everything is kosher, no more so than in the real world. But you’re not alone here either. You can use Firefox’s “Report web forgery” menu item (in the Help menu on Firefox 2) to report any scams you find, and make the internet a safer place for millions of users. You can provide your feedback to the Mozilla project, to help us communicate the right things in the right ways. The criminals are adaptable, but so are we. McMillan’s last line should have read:
But to combat ever-adapting phishers, our best protection remains…us.
 Okay, maybe not your financial information, but lots of other people’s.