The demo you've put together is very nice. It even accounts for the different UI styling of individual browsers. However in all cases that the link worked, I received a very large warning that has to be manually dismissed.

This is not a rhetorical question; do you think people would ignore the warning and continue to use the site?

An easier phishing technique would be to manipulate the address to appear legitimate using pushState.

"do you think people would ignore the warning and continue to use the site?"

I actually made this demo back in April but just got around to posting about it now. In the meantime, Firefox and Chrome have made their warning messages more prominent. Still, I think it's a pretty major issue.

Experienced web users won't be fooled by something like this. But, even if 1% of users are fooled by this technique, that's still potentially thousands of innocent web users, which I think is unacceptable.

Exactly, and the dumbness to smartness ratio in this world is very high, so a serious attack is likely to affect far more than 1% of the visitors :O

The words 'dumb' and 'smart' are inflammatory and useless in this context. A substantial portion of desktop Internet users will click anything that comes up in order to get to their destination.

This attack triggers no 'warning' that would cause the user unease. The most obnoxious case is Firefox presenting "Allow or Deny Fullscreen?", a question that doesn't imply any danger or downside. A number of victims might even see it as a new kind of convenience, since their phone and tablet already do everything in fullscreen.

To corroborate your point, one of the Chromium developers spoke about this sort of problem, but in the context of invalid SSL certificates and the associated warning that Chrome displays. A ridiculous percentage of users ignored the warning that the site they were visiting wasn't verified and simply clicked 'Visit this site anyway.' Most users don't understand that there are potentially serious costs to ignoring security warnings.

The Firefox "untrusted connection" screen (https://support.mozilla.org/en-US/kb/connection-untrusted-er...) is much better designed.

"Get me out of here!" is the only visible button and the obvious action. To override the SSL check, you have to click "I Understand the Risks" to expand the page, revealing both an "Add Exception..." button and a further warning (in bold). "Add Exception..." brings up a dialog which again warns you in bold: "Legitimate banks, stores, and other public sites will not ask you to do this." And finally "Confirm Security Exception".

Firefox steers you toward the safe choice and makes you very, very aware of the gravity of the situation before doing something dangerous. That's good UI.

Chrome on the other hand has a "Proceed anyway" button right there that within less than a second you've clicked on and now the warning is gone. Developers who would blame dumb users for this are mistaken. People are busy, they're distracted, and Chrome makes it way too easy to do the wrong thing while Firefox gets this right.

I also prefer Firefox's handling of SSL issues. Allowing permanent whitelisting of sites reduces the number of times a user will see the warning, reducing the muscle memory around clicking proceed anyway.

That's a great point. I didn't even think of the muscle memory issue, but by having the exception be permanent by default, they got that right too.

The point about "muscle memory" is great and definitely not discussed enough.

I agree that Firefox's certificate warning page is much better designed. I'm not blaming 'dumb' users for anything, I was providing supporting evidence of the fact that when browsers make warnings easy to bypass, users will simply click right through them.

Absolutely. If I took issue with anything in your post specifically it was "Most users don't understand that there are potentially serious costs". This to me seems to implicitly blame the users for not understanding, whereas I'd blame Chrome for a UI that makes it easy for a distracted user not to understand. As developers we have a responsibility not to lead users into doing something dangerous just because we don't have their full, undivided attention.

I was mostly disagreeing with the general "blame the users" mentality apparent upthread and among developers in general, not with you specifically. I've edited my post to make that clearer.

do you think people would ignore the warning and continue to use the site?

Absolutely. My eyes were opened to that when I was troubleshooting my father's webcam over the phone. It kept not working when everything looked like it should. He just failed to let me know about the alert that kept popping up that said "camera is locked by <foo>". Instead, without reading, he just hit the "X", even though I was asking for every step he was performing. Closing a rogue alert isn't even a "step" to most people.

If you are relying on dialogs to keep your users safe, you are doing it wrong. Unfortunately, I don't know what the right answer here is.

I worked in tech support for a few years; this stuff is very common when doing things over the phone. "A box popped up saying X", "OK, click on Y", "Oh, I just clicked on Z", "Why did you click on Z?", "I always click on Z".

Indeed. Since message boxes and confirmations are used so frequently and are often unnecessary, users have trained themselves to just click on the far left or far right button to get rid of them. They don't read it, they don't want to understand what happened; it just interrupted their flow and they want it to be gone. Pushing decisions to the user in the form of confirmations won't ever really work, probably due to a Pavlovian urge to close such things as fast as possible.