
List:       kde-devel
Subject:    Re: ssl auth failure gui: does "continue" do what I think it does?
From:       Nicholas Tung <gatoatigrado () gmail ! com>
Date:       2009-06-05 17:29:06
Message-ID: fa81b0d10906051029g6e40c3qe45ae83f3cfa3420 () mail ! gmail ! com


On Fri, Jun 5, 2009 at 04:55, Jeff Mitchell <mitchell@kde.org> wrote:

> Nicholas Tung wrote:
> > On Thu, Jun 4, 2009 at 23:56, Thiago Macieira <thiago@kde.org> wrote:
> >
> >     Nicholas Tung wrote:
> >     >Hi all,
> >     >
> >     >    If the "continue" button on the attached GUI screenshot does what I
> >     >think it does (submits information after a certificate failure), please
> >     >remove the option, or make it *very* clear that this is not a good
> >     > choice. Firefox, by contrast, has only a failure message and an "okay"
> >     > button. [The gui came up for me because I connect via a wifi network
> >     > that requires authentication, and it presents a redirect page for http
> >     > and https].
> >
> >     Firefox makes it very annoying to accept an invalid certificate. You have
> >     to add an exception to the SSL rules and you need to fetch the certificate
> >     first. That's after the failure message.
> >
> >
> > I would assume it's purposefully annoying, and I like it that way. One
> > click to give away information is not good, and I think invalid
> > certificates should be discouraged.
>
> Unfortunately, "invalid" is not up to the user to decide, it's whatever
> the web browser maker decides is "invalid".  Self-signed certificates
> serve perfectly well for encryption, which is entirely suitable for many
> web sites where authentication of the site isn't important, only the
> encryption itself.


Exactly, you get encryption without authentication, which is useless for
security unless you've accepted it before via a secure connection to the
machine. In which case, see comment below...


> Not everyone wants to or can spend $$$ to encrypt
> personal web sites, or wants to be beholden to outside authorities.  But
> these are treated as "invalid" with a big scary warning to users.
>

It's more like "$" instead of "$$$" for cheaper certificates, but this is a
separate discussion...

> For those that *are* savvy, Firefox went from one click to get past a
> self-signed cert to four.  You may like that annoyance, but there are a
> large number of people (like myself) that don't, or would like the
> option to change that.
>

Yes, *but once you've confirmed it, it won't bother you about it*. How many
*new* unconfirmed sites do you come across for the four clicks to be an
annoyance?

And, if you consider "ssh" to be a "savvy user thing", then what do you say
about the "IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!" when the
same situation occurs (i.e. the public key changes)?

I really hate for this to get into such an argument about self-signed
certificates. I think the more relevant discussion is that "continue" is a
phrase far too often used in wizard-like GUIs, and something like "confirm
security exception", or "accept permanently", "accept temporarily", or
"reject" (as with SSH) would be *much* more appropriate. Plus, a better icon
(oxygen's security-low.png -- the red shield with an "x") wouldn't make it
any slower for the savvy users (I get the feeling you're presuming I'm not
one...).

regards,
Nicholas
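
[Added example, not part of the original message and not KDE or Firefox code: a sketch of the SSH-style decision model the message argues for, with "accept permanently", "accept temporarily" and "reject" in place of "continue". The class name, host name and sample certificate bytes are hypothetical, and refusing a changed certificate outright is a design choice of this sketch.]

```python
import hashlib

class ExceptionStore:
    """Per-host certificate exceptions, modelled on ssh's known_hosts."""

    def __init__(self):
        self.permanent = {}  # host -> fingerprint; would be persisted to disk
        self.session = {}    # host -> fingerprint; dropped when the app exits

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def check(self, host: str, cert_der: bytes) -> str:
        """Classify a certificate that already failed normal validation."""
        pinned = self.permanent.get(host) or self.session.get(host)
        if pinned is None:
            return "unknown"    # never confirmed: show the explicit dialog
        if pinned == self.fingerprint(cert_der):
            return "confirmed"  # the exact cert the user accepted: no prompt
        return "changed"        # differs from the pin: loud warning, as ssh does

    def decide(self, host: str, cert_der: bytes, choice: str) -> bool:
        """Record the user's answer; True means the connection may proceed."""
        if self.check(host, cert_der) == "changed":
            return False        # sketch's policy: old pin must be removed first
        if choice == "reject":
            return False
        if choice == "accept permanently":
            self.permanent[host] = self.fingerprint(cert_der)
        elif choice == "accept temporarily":
            self.session[host] = self.fingerprint(cert_der)
        else:
            raise ValueError("unknown choice: " + choice)
        return True

# Constructed stand-ins for DER-encoded certificates (not real certificates).
FIRST_CERT = b"constructed-self-signed-cert-A"
OTHER_CERT = b"constructed-self-signed-cert-B"

def demo():
    store = ExceptionStore()
    seen = [store.check("portal.example", FIRST_CERT)]       # first contact
    store.decide("portal.example", FIRST_CERT, "accept permanently")
    seen.append(store.check("portal.example", FIRST_CERT))   # later visit
    seen.append(store.check("portal.example", OTHER_CERT))   # cert swapped
    return seen

if __name__ == "__main__":
    print(demo())
```
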



