October 28, 2004
AlertBox, the soapbox of one Jakob Nielsen, has had enough of nonsense security prescriptions. Its 25th October entry says:
"Internet scams cannot be thwarted by placing the burden on users to defend themselves at all times. Beleaguered users need protection, and the technology must change to provide this."
Sacrilege! Infamy! How can this rebel break ranks to suggest anything other than selling more crypto and certs and solutions to the users?
Yet, others agree. Cory Doctorow says Nielsen is cranky, but educating the users is not going to solve security issues, and "our tools conspire against us to make us less secure...." Mitch Wagner agrees, saying that "much security is also too complicated for most users to understand."
And they all three agree on Nielsen's first recommendation:
"Encrypt all information at all times, except when it's displayed on the screen. In particular, never send plaintext email or other information across the Internet: anything that leaves your machine should be encrypted."
Welcome to the movement.
Posted by iang at October 28, 2004 08:32 AM
User based solutions are a viable way of dealing with the inconvenience of spam, but manifestly useless for dealing with the dangers of scams, because the naive and gullible who are the scammers' intended audience are the very people that lack the skills to understand how to employ any user based protection. So user based protection could actually help scammers target their desired audience.
Seen this? It offers some interesting insights:
Ever tried tapping in to one of these spammers IRC channels to see what sort of things are being talked about?
The idea is that the user-based solutions do the work. It's pretty clear that users can't cope with anything but the most basic displays, and the old historical notions of the security model (the padlock and the popup) are as dead as a hooked account.
But, users respond to brand and consistency. Especially the naive and gullible - that's what TV is all about. There are some fairly simple things that can be done to browsers to show whether one has been there before, and to relate those visits to some persistent contexts.
Specifically, browsers should list more of the cert information on their chrome, they should list information like past visits counts and times, and also (very important) show which certificate provider is involved. This information needs to be rather prominent, and colourful. Imagine something like Intel Inside, but using Verisign instead.
Whether this gets done or not is an open question. Oddly enough, I just discovered that FireFox has included some changes - an extra padlock (bad) and the name of the website connected to (good).
(Oh, and encrypting everything is not going to do a jot towards or against phishing. But, crypto everything, yes. That includes setting up cert-authorised communications, and those certs can be used to do visit statistics which are meaningful to the user. But not the phisher. It's just a shame that the crypto in browsers is "intended for paying merchants" and not oriented to securing the sessions. That's what we mean by "encrypt everything" ... including forcing the scammer to start identifying himself.)
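The comment above proposes that a browser use the certificate of each site it connects to as the key for visit statistics shown in the chrome: how often you have been here, since when, and which certificate provider is involved. Here is an added example of that idea in Python; it is illustrative code, not from the blog or from any browser, and the record layout, the status names and the constructed sample certificates are all assumptions. The point is that a lookalike phishing host always lands in the "first visit" state no matter how good its padlock looks, while a change of issuer on a familiar host is something the user has a chance of noticing.

```python
"""Added example (not from the original post): per-site visit memory keyed
by TLS certificate data, producing the kind of status a browser could show
prominently in its chrome."""
import hashlib
from dataclasses import dataclass


@dataclass
class SiteRecord:
    """What the browser remembers about one host (hypothetical layout)."""
    issuer: str        # issuer (certificate provider) name from the cert
    fingerprint: str   # SHA-256 of the DER-encoded leaf certificate
    visits: int        # number of completed visits to this host
    first_seen: int    # epoch seconds of the first visit
    last_seen: int     # epoch seconds of the latest visit


class SiteMemory:
    """Tracks hosts by their certificates and classifies each new visit."""

    def __init__(self):
        self.records = {}  # host -> SiteRecord

    def observe(self, host, cert_der, issuer, now):
        """Record a visit and return a status dict for display.

        Statuses (assumed names):
          first_visit    - never seen this host before
          known          - same issuer and same certificate as before
          cert_renewed   - same issuer, new certificate (normal renewal)
          issuer_changed - a different certificate provider now vouches
                           for this host; worth showing loudly
        """
        fp = hashlib.sha256(cert_der).hexdigest()
        rec = self.records.get(host)
        if rec is None:
            self.records[host] = SiteRecord(issuer, fp, 1, now, now)
            return {"status": "first_visit", "visits": 1, "issuer": issuer}

        if rec.issuer != issuer:
            status = "issuer_changed"
        elif rec.fingerprint != fp:
            status = "cert_renewed"
        else:
            status = "known"

        rec.issuer = issuer
        rec.fingerprint = fp
        rec.visits += 1
        rec.last_seen = now
        return {
            "status": status,
            "visits": rec.visits,
            "issuer": issuer,
            "first_seen": rec.first_seen,
        }


def chrome_label(result):
    """Short text a browser might place next to the site name."""
    if result["status"] == "first_visit":
        return "NEW SITE - you have never been here before"
    if result["status"] == "issuer_changed":
        return "WARNING - certificate provider changed to %s" % result["issuer"]
    return "%s, visited %d times since %d" % (
        result["issuer"], result["visits"], result["first_seen"])


if __name__ == "__main__":
    # Constructed sample data: certificate bytes are placeholders, not real DER.
    mem = SiteMemory()
    for host, cert, issuer, t in [
        ("bank.example", b"cert-A", "Example CA", 1000),
        ("bank.example", b"cert-A", "Example CA", 2000),
        ("bank.example", b"cert-B", "Example CA", 3000),  # renewal
        ("bank-example.test", b"cert-X", "Example CA", 4000),  # lookalike
        ("bank.example", b"cert-C", "Other CA", 5000),  # issuer change
    ]:
        print(host, "->", chrome_label(mem.observe(host, cert, issuer, t)))
```

The store would need to persist across sessions and be keyed by the exact host name for this to mean anything; the value to the user comes from the count and the issuer being stable and familiar, not from any one certificate being trusted.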
If the companies that manufacture browsers were to adopt a standard that envisioned the protection of the users then that standard might grow to include other unsafe applications. Of course this would be the death of MicroNazi and their buddies. So encrypting everything seems like a nice idea but not practical in the everyday usage. Ease of use while remaining safe is like taking a shower in a raincoat. I have taken damage and now try not to use MicroNazi applications.