
"do you think people would ignore the warning and continue to use the site?"

I actually made this demo back in April but just got around to posting about it now. In the meantime, Firefox and Chrome have made their warning messages more prominent. Still, I think it's a pretty major issue.

Experienced web users won't be fooled by something like this. But, even if 1% of users are fooled by this technique, that's still potentially thousands of innocent web users, which I think is unacceptable.




Exactly, and the dumbness to smartness ratio in this world is very high, so a serious attack is likely to affect far more than 1% of the visitors :O

-----


The words 'dumb' and 'smart' are inflammatory and useless in this context. A substantial portion of desktop Internet users will click anything that comes up in order to get to their destination.

This attack triggers no 'warning' that would cause the user unease. The most obnoxious case is Firefox presenting "Allow or Deny Fullscreen?" a question that doesn't imply any danger or downside. A number of victims might even see it as a new kind of convenience, since their phone and tablet already do everything in fullscreen.

-----


To corroborate your point, one of the Chromium developers spoke about this sort of problem, but in the context of invalid SSL certificates and the associated warning that Chrome displays. A ridiculous percentage of users ignored the warning that the site they were visiting wasn't verified and simply clicked 'Visit this site anyway.' Most users don't understand that there are potentially serious costs to ignoring security warnings.

-----


The Firefox "untrusted connection" screen (https://support.mozilla.org/en-US/kb/connection-untrusted-er...) is much better designed.

"Get me out of here!" is the only visible button and the obvious action. To override the SSL check, you have to click "I Understand the Risks" to expand the page, revealing both an "Add Exception..." button and a further warning (in bold). "Add Exception..." brings up a dialog which again warns you in bold: "Legitimate banks, stores, and other public sites will not ask you to do this." And finally "Confirm Security Exception".

Firefox steers you toward the safe choice and makes you very, very aware of the gravity of the situation before doing something dangerous. That's good UI.

Chrome on the other hand has a "Proceed anyway" button right there that you've clicked on within less than a second, and now the warning is gone. Developers who would blame dumb users for this are mistaken. People are busy, they're distracted, and Chrome makes it way too easy to do the wrong thing while Firefox gets this right.

-----


I agree that Firefox's certificate warning page is much better designed. I'm not blaming 'dumb' users for anything, I was providing supporting evidence of the fact that when browsers make warnings easy to bypass, users will simply click right through them.

-----


Absolutely. If I took issue with anything in your post specifically it was "Most users don't understand that there are potentially serious costs". This to me seems to implicitly blame the users for not understanding, whereas I'd blame Chrome for a UI that makes it easy for a distracted user not to understand. As developers we have a responsibility not to lead users into doing something dangerous just because we don't have their full, undivided attention.

I was mostly disagreeing with the general "blame the users" mentality apparent upthread and among developers in general, not with you specifically. I've edited my post to make that clearer.

-----


I also prefer Firefox's handling of SSL issues. Allowing permanent whitelisting of sites reduces the number of times a user will see the warning, reducing the muscle memory around clicking proceed anyway.

-----


That's a great point. I didn't even think of the muscle memory issue, but by having the exception be permanent by default, they got that right too.

-----


The point about "muscle memory" is great and definitely not discussed enough.

-----
