johnath in blog form
In the latest nightly builds of FF3, and in the upcoming Beta 5, we let users choose to ignore our phishing warning, and click through to the site, just like they could in Firefox 2:
But that same spot is empty in the malware case (unless you install my magic extension.) Should it be? It’s a harder question than it seems, on first blush.
Continue reading “Should Malware Warnings have a Clickthrough?”
As of today’s nightly firefox build, we’ve turned on EV support and activated the Verisign EV root for testing purposes. What this means is that when you go to sites that have Verisign-issued EV certificates like, say, British Airways, the site-identity button (shall we call it Larry? Yes. Let’s.) will pick up the name of the site owner, all green-like.
I rather suspect this might startle a few of you.
I’ve talked a lot about identity and security in Firefox 3, but some of the actual changes were easy to ignore if you weren’t looking for them. The site button has been around for a while, with Larry telling you what he knows about a site, but you could choose not to click on him, not to get that information. A while ago, I mentioned a way to get the EV behaviour ahead of schedule, if you wanted to test, but now those steps are no longer necessary.
So things are going to feel a little weird for a few days. There are about 4000 EV sites these days (the AOTA has a pretty long list) so you will probably hit a few, and it will probably feel weird. By all means, open bugs. The whole reason we’re doing this is to get more sunlight on the code, because it’s required weird custom builds and secret handshakes for too long.
The story goes that when London first introduced street signs, there was significant protest. They were gaudy, the argument went, and anyhow the locals already knew where they were going. Many streets in London still don’t have them. I’m excited about getting feedback into the UI to help users know better who they’re dealing with online, help them orient themselves, and rebuild some of the cues that we all take for granted in the real world. But like the London signposts, I suspect it’ll take some getting used to. Especially on Proto. Where it currently looks, as Shaver so eloquently puts it, like the South end of a North-facing horse.
Standards make the web go ’round. I hope it doesn’t come as too much of a surprise that Mozilla cares a lot about standards, or that a significant percentage of the community, myself included, participate in active standards groups, be they W3C, WHATWG, industry consortia, or other.
They are often, to be honest, a slog. Anything important enough to be standardized is important enough to attract a variety of interests and motivations, and being in the middle of multiple, divergent forces can be just as fun as it sounds. They are usually noble slogs, though. An open web needs a set of linguas franca. As it matures, people invent new creoles to express new ideas, and so our standards need to constantly evolve and add that new wealth to the growing lexicon of awesome.
A little while ago though, the W3C decided to try something sort of odd. They formed up a working group to look at standardizing security UI.
Standardizing. UI.
To anyone who has designed a user interface, that sort of feels like standardizing art. Not that we are quite so full of hubris as to imagine ourselves Caravaggios, but UI design is a complex interplay of functionality, ergonomics, and subjective experience. There are general principles, sure, but it’s a very different beast from, say, CSS2 margin properties, where everyone can at least agree that there ought to be a single correct result, even if they disagree about what that result should be or how to obtain it.
Nevertheless, boldly forth they have gone and established the Web Security Context working group with a pretty broad charter. Capturing current best practice is certainly fair game, but it is equally permissible for the group to try to move the state of the art forward. We’re active members, as are Opera and Konqueror (though not Apple or MS), but like most standards bodies, the group includes folks from academia, from other companies, and from various interested groups as well.
This workgroup has put out its First Public Working Draft (FPWD), which means I have two things to ask you, or maybe ask of you. In marketing, I believe they call this the Call to Action, so if you were looking for it, here it is!
The first thing I would ask, if you are at all interested, is that you to read it and remark upon it. The group needs public comment, and you fabulous people are ably placed to provide it.
This first draft was kept deliberately inclusive, to make sure that the majority of recommendation proposals got public airings. So if your main criticism is just “too much,” that is unsurprising, but still welcome, feedback.
The second thing is harder.
We participate in this group for all the reasons mentioned above, and I personally take that participation seriously. Even on the sketchy topic of standardized UI, I think there’s potential. A document which all browsers conform to as a baseline guide, which says things like “Don’t let javascript arbitrarily resize windows, because it lets this spoofing attack happen,” is a valuable one. At Mozilla, we talk about things like making the mobile web a better place, for example. One thing we can do right up front in that world is spare this new generation of browser implementors (and their users!) from rediscovering our mistakes the hard way. This standard could help do that.
But this draft is also defining new UIs, new interactions, new metaphors for online browsing. The academics in the group have offered to gather usability data on several proposed recommendations, but at a fundamental level, I have asked the group a couple times whether it’s right to use a standard to do this kind of work at all. I think several of the proposed requirements sound like interesting, probably fruitful UI experiments. But that’s not the same as “Standards-compliant user agents MUST …”
My second question is this: as members of the Mozilla community, is this an effort that you want me (or people like me) participating in, and helping drive to final publication?
I’m still engaged on the calls and the mailing list – I still see good things coming out of the group, and I have my own opinions about how to best contribute. But as an employee of Mozilla, I feel an obligation to steward my own resources responsibly, and to expend them on things that the community finds valuable, so it’s important for me to hear how people feel about the value of this work.
Opinions? Suggestions? Funny anecdotes?
I want you to know that I’m sleeping again.
It’s not that I wasn’t before, I was. But when you break the internet, you take on certain moral obligations vis a vis its restoration. We landed bug 401575 today which gives our users a chance to override security warnings if they think they know what they’re doing. There are people who will dislike this version just as much as the other people who disliked the first thing that landed, but that’s okay, because no one said we were finished yet. Just like no one said we were finished last time.
I’d like to see us continuing to do better with giving users useful options when they run into a security problem. Things that keep them away from the whatever button, whenever possible. If we can redirect our users’ energies, judo-style, in directions that protect them from harm instead of stubbornly stopping them in their tracks, I think we can keep them safe, and happy, at the same time. That why we’re still working on bugs like 402210 to help give users safe ways out, and bugs like 402207 to let us make safe choices for normal users without making power users cry.
These things, though, all of them: they are the birth pangs of something pretty amazing.
While I’ve been working on my stuff, everyone else has been working on theirs. And I don’t know about my stuff, but their stuff is good. We’re getting very very close to getting it all out to you; to knock on, and sniff, and generally assess, like a honeydew melon of awesomeness. It’s really hard for me to go back to Firefox 2 now, and that’s not a knock against it – I still think it’s the best browser out there, but this new stuff? Get ready for it.
Location bar auto-complete for example, like Jamaican blue mountain coffee, will change your world if you let it. The new bookmarking system is an amazing platform for extension authors, and I’m pretty keen to see what happens there, but even the bits we ship in our own UI are changing the way I browse. And the performance gains across the product are palpable.
When the beta comes out the door, if you’re brave enough to try it, don’t look for fireworks. Our first, biggest job is to help you get to the web sites you want, so we’re not going to go to great lengths to jump up and down and grab your attention away. But in a hundred subtle ways, things will just be nicer.
And we’re not done yet.
Postscript
I really should have just let the post end there, it was sort of a dramatic finish, but this needs saying:
I used the analogy “birth pangs” up there because it was what good analogies are: a way of situating facts or events which may be unfamiliar to readers within a context that is somehow more so. “Honeydew melon of awesomeness” was maybe less apt, but nevertheless. Recently Tyla (and, in all fairness, Mike too) went through actual birth pangs. The kind where you have an extra human at the end. As analogies go, I’m not sure I do understand that context all that well. Firefox 3 is going to be pretty awesome, but let me tell you, Claire is stiff competition for any would-be miracle. Congratulations guys. I promise never to mention my own sleep schedule again.
So there’s this thing at Mozilla where we try not to break the internet. Call us wacky, but it seems like a bad play. And so Rob Sayre is right to be a little miffed when it looks like we’ve done exactly that. Sayre is often right, in fact, it’s his thing that he does.
Backstory
The web has this technology called SSL that lets you do two important things:
As I said, only two of them are important.
Because SSL makes these relatively useful promises, it is sort of a popular technology. Because it’s generally important to get security things *precisely right* though, and because humans are people, there’s a lot of broken SSL out there too.
What’s “broken”? Sometimes it means using the identification for one site on another site (because it’s cheapereasierfaster than getting a second one). Sometimes it means using it after it has expired. Sometimes “broken” isn’t actually broken at all, it’s just that the site is using SSL with identification they wrote themselves, so that they’re getting promise 2 (encrypted, validated), but not promise 1 (knowing who you’re talking to).
In the past, most browsers did a very dumb thing here:
This dialog, in the hands of normal people, feels like it basically amounts to:
Why change such a fun and exciting system, I hear you ask? The real problem here is that once in a while, when this kind of dialog appears, it actually might represent an actual attack. Most of the time it’s site administrator laziness, but it’s hard to tell, and it could be a real problem; it could mean that someone has hacked your internet connection (or more likely totally controls it because you connected in some public WiFi spot like a coffee shop) and is redirecting you from your bank’s web site to their own. When that happens, the fact that we’ve taught everyone to click OK blindly is a really bad thing, because we need you to stop and ask yourself what’s going on.
That’s a lot of backstory, if it was new to you, take a break here. Have a cookie.
The State of Things
In Firefox 3, one of the things a lot of people were really pushing on was that we dump these dialogs, and we have. Â Rob has a screenshot of what the current code does, and in case you missed it the first time, here’s another link.
Before we start talking about changing it, I want to give the crypto dudes, and particular Kai Engert from RedHat a shout-out here, because (believe it or not) I think this is actually a good first step, and was a lot of work to get implemented.
So now instead of a little, cryptic dialog box with an OK button, there’s a big, cryptic error page with no OK button.  Hmm.
People are seeing that error page, and making a couple really important points:
Security and ease of use are not intrinsically a tradeoff. Indeed, a lot of the time, good security comes from a better understanding of how people naturally work. But there are times, and this feels like one of them, where doing the safer thing for users means annoying them more, and annoying them less means failing to honour our obligation to keep them safe. Boo.
Walking and Chewing Gum
The thing is, we don’t get to just throw up our hands and say “well, better safe than sorry” nor do I think we get to say “Too annoying, let’s revert.” Â That slider has middle positions, where annoyance and safety are in better balance, let’s get there.
Fixing the text is important. It needs to speak in human terms about why this is a problem, and about what you can do to fix it. I do think, though, that we need to consider giving people a path from the error page to the override UI. I can already hear the furious head-smashing of anyone who understands PKI and has read the relevant literature.  Click-throughs beget bad security habits, which is why I think it should still be a multi-step process that hammers home the fact that you’re doing something aggressive.  But full-stop blocking our users is something that’s contentious even for known malware sites; here it feels like too much.
IE7 does this. I think they win big points for human readability there – even though they still have a click-through. I don’t know how much the red shield scares users off, maybe it does, but one-click override still turns my stomach a little. What I’d like to see from us is an action like that, but which, rather than automatically extending trust, simply shortcuts you to the exception adding dialog. The argument will be made that it’s just a longer click-through, I understand that, but my feeling is that it’s long enough, and scary enough, to get more of users’ attention. My feeling is also that we might have to eat that possibility anyhow, because if we make it sufficiently annoying for users to browse the web, they really will decide it’s a Firefox problem, since other browsers let them through. At that point we not only fail our users on the security front, we also go back to the bad old days of “only works on IE.”
Why Don’t You Just…
I love it when people have alternate suggestions, but some of the frequently recurring ones have pretty big problems. I’ll call out a few here to save re-treading (unless I’m getting them wrong, in which case we should totally retread, since they’re often held up as much simpler than this other thing we’re doing).
“Why don’t you just let the connections through quietly, and just remove any indicators of security, like the padlock, yellow address bar, verified identity, etc?”  The argument here being that rather than blocking the load, why not serve the content, but not let users think it’s a secure site? Compelling, no?
Approaches like this have the really unpleasant side effect of subverting whatever good security practices our users have developed. Banks tell their customers to go to the website via a saved bookmark, rather than clicking on links in email or other web pages. That’s a good practice. Some even tell users to look for the “https” in the URL. In the case where you’re being attacked, where the cert presented is a forgery (since only the legit site can present the real one) all of these habits will tell you you’re safe. The URL says https, and you clicked on the same bookmark you always click on to get to your bank. This would be a present gift-wrapped for attackers.
“Why don’t you treat self-signed certs, which legitimate sites use when they want encryption but not identity, differently from actual breakages?”
The thing is that self-signed is no more or less trustworthy than, say, a domain-mismatched cert. Likewise for the argument about treating a self-signed cert differently from one that is signed, but by an unknown signer. I did open bug 398721 about the idea of using “Key Continuity Management” as a way to mitigate the hurt in the self-signed case while still getting the basics right, but in any event that wouldn’t make it in for Firefox 3.
Closing
To my friends and family using Firefox, don’t panic, none of this is happening in the currently released browser, you’re not going to see this debate enacting itself on a desktop near you anytime soon. We are extremely cautious about changing the experience in released products after shipping. This is happening purely among those running the up-to-the-minute versions under active development.
It will get better. Bug 398718 (my fingers have already learned how to type that one automatically) will land, and the error pages will be things that make sense, and explain your options. Bug 399275 will morph into a general discussion of what kind of path we want to create to add exceptions, or if it doesn’t, I’ll create a new one which does. We’re not going to ship a browser you can’t use. Even on sites that are doing it wrong, we put the choice in your hands, because it’s your browser. And we like you very much.
I don’t normally blog about my work travel here, because what are you gonna do, come with me? This one’s different though.
I’m flying out to SFO tomorrow morning (oh AC757, we’ve really gotten to know each other, haven’t we?) in anticipation of Mozilla24, a 24-hour all-mozilla, all-the-time conference at which I will be speaking amongst a group of shockingly–more–awesome people. I will be talking about security UI, natch, and I would love to see all your smiling faces (though I’ll forgive the folks who saw the OSCON version for having their laptops open).
One of the many cool things about Mozilla24 is that it’s global – California, Tokyo, Thailand, and Paris, sure, but also online – so that if you are interested in the open web, and the directions we can take it, or if you’re just getting your feet wet, you can get involved.
Go sign up! Why not get into the thick of it? I’ll wait here.
PS – The blog photo here, Foxkeh, and indeed the whole Mozilla24 shebang, comes from Mozilla Japan. They’re trying to make the rest of us look bad, bringing their A game. Their A++++ OMG WOULD DO BUSINESS AGAIN WOW game.
600,000. According to Netcraft, there are about 600,000 SSL sites out there on the public internet, and we just recently tipped over that arbitrary, but pleasantly round, number.
I’m not sure why, but when I tell people this (people, that is, who have any hope of being interested in such things; a small, biased, statistically indefensible sample,) they are surprised. I think mostly they expect the number to be higher. And in actual fact, it probably is, at least a little bit. I am reasonably certain, without even looking into them, that Netcraft’s methods are more prone to type-2 errors – false negatives – than they are to false positives. Nevertheless, it’s probably the right order of magnitude. There are almost certainly less than a million, for instance.
Netcraft doesn’t publish any numbers it may gather about the ratio, in that group, between DV, OV, and EV certs, but the informal vibe I get leads me to believe that there are around 2000 EV certs out there at the moment. Given that several of these have gone to extremely high traffic domains, though, that number probably under-represents their network significance.
I bring these numbers up here because they seem to surprise people, and surprises are generally more instructive than confirmations. In the last couple weeks, a fair number of surprising numbers have flitted across my radar, so I figured I would rehash a couple here, with no particular (conscious) effort to weave a narrative into them beyond, “hey look, infoporn!†Continue reading “SSL Infoporn”
I’m about to go on at OSCON. My talk is titled “Beyond the Padlock: Security UI for the Distracted.” Meanwhile, behind me in the speakers’ lounge, people are teaching one another to juggle. So all in all, so far so good.
For those who couldn’t be here, or for those who could, and want another chance to critique my slides, or for those who just like babies with tinfoil on their heads, I’ve uploaded a copy in PDF format.
Wish me luck! And if you were one of the extremely helpful people who provided reviews and suggestions, thankyouthankyou. I attribute 95% of any success I may enjoy to your help.
The number one question I get asked, in my capacity as Human Shield at Mozilla, is how we make any money. People ask it with a sort of knowing grin, as though they already know we get it from leprechauns, but they want to hear me admit it. That’s not what this blog post is about.
The second most frequent question I get asked, and the one I’m more directly positioned to answer, is whether Firefox 3 will have an IE7-style Green Bar. I’m going to try to answer that here by offering my opinion on the matter, and an update on my coding progress to that end.
The short answer to that question is: no.
So we need to get better. We need to start fixing our messages to users so that we are more accurately communicating security information, while being mindful to not bury them in technicalities they neither want nor need. We need cues that are persistent (not relying on people to notice their absence), that are difficult to spoof, and that don’t mix metaphors.
We also, difficult as it is, need to get out of the “safety” game. We can’t tell users “this site is safe” because we don’t know that. Even ignoring the liabilities that might come with such a claim, there isn’t a good technological way to tell, right now, whether a particular site is safe in the way users care about. Do they handle credit card information properly? Do they ignore angry customers? Are they a front for stolen goods? These kinds of naughty people could get SSL certificates (and accompanying padlocks) and even the extended validation practices being discussed wouldn’t really stop them.
What we can do is equip people to make the safety decision for themselves, just as they often have to in the physical world, because we do have some information. It’s like putting ingredients labels on food. What we can do is change the conversation to be about identity instead of safety. This is important, so pay attention:
We need to change the conversation to be one about identity, not safety.
Identity is something we can verify. The padlock conflated identity with other things like encryption status and security, and while that conflation is almost natural to PKI-veterans, it has proven misleading for users.
meandering wildly 
