Ben Laurie blathering

Users Are Stupid…

… and they won’t take sensible security decisions, so we have to dumb everything down for them. Or at least, that’s what we whine. So, I have to ask, WTF is this all about?

Stupid Dialog

How is anyone supposed to figure out what to do now? Surely we know which of those three errors it was? So why are we giving the user such appallingly crap feedback?

And I can totally imagine how the conversation with Majestic’s webmaster is going to go…

Me: Hey, I got this error. Apparently you’re either using a CA that’s not in a list I’m not going to give to you, or you screwed up your server config so your certificate is incomplete, or you are a phisher and I’ve just given you my password, or you aren’t a phisher but your cert and website don’t match. Please fix it.

Webmaster: O RLY? Well, I’ve got this email that says your wine order is either in the post, not in the post, cancelled or coming to me instead. Laugh it up, big boy.


  1. Internet Explorer handles this much better by issuing a warning box that actually tells the user what the problem is with the certificate chain. This isn’t something new, it’s done it in previous versions going back as far as I can remember. Why shiny new Firefox issues such a vague warning is a mystery to me.

    Comment by Steve Crook — 2 Mar 2008 @ 19:34

  2. I think the browser should just completely deny the page: “Untrusted Site.” The ability to get around this problem should be more of a “configure your OS ahead of time” deal.

    That’s really the only option I can imagine. I can’t think of any other acceptable way around this. If SSL is to be taken seriously, the socket must not be established in this situation.

    In the enterprise this would be very welcome. The MS admins can push out trusted CAs to the entire org using group policy and system images. But in the home environment it’s a bit unpleasant.

    The funny thing is the problem is essentially irrelevant, since non-ssl (plain http) phishing is still so lucrative.

    Comment by Julius Davies — 2 Mar 2008 @ 21:43

  3. To continue the conversation more on topic: if the site was just completely denied by the browser, that would push the problem (and its solution) out to the Wine website and webmaster. If the Wine site wanted to block 20% of their users by using an IE-only CA, all the power to them.

    Leaving the solution up to the user (by choosing one of the radios) is just wrong.

    Comment by Julius Davies — 2 Mar 2008 @ 21:46

  4. But but …

    Comment by Ben Hyde — 18 Mar 2008 @ 15:06

  5. Oops, link got eaten

    Comment by Ben Hyde — 18 Mar 2008 @ 15:07

  6. Maybe Majestic’s webmeister’d been at their product whilst configuring the cert. And who could blame him?

    Comment by Barney — 20 Mar 2008 @ 14:44

  7. Check out the beta builds of Firefox 3. The UI is completely different in cases like this.

    Comment by Bob Lord — 22 Mar 2008 @ 17:54
