Dancing Pigs: http://en.wikipedia.org/wiki/Dancing_pigs
Google study finds users ignore Chrome security warnings
You're surfing the 'net when Chrome decides not to bring you the web site of your choice, but instead a page warning that the site you'd hoped to visit might be bogus or contain malware. Do you: (a) Click on “Proceed anyway” because you really want to see the cat picture someone Tweeted to you; (b) Click “Back to safety” …
-
Monday 15th July 2013 09:16 GMT Anonymous Coward
Re: Not surprising
I am not surprised, either. Over the past 2-3 years, while reading consumer tech blogs, I've noticed a high correlation between self-professed Chrome use and trolling asshatery. Vitriolic hatred of Firefox and a Top Gun-like "need for speed" are common themes. I am pretty confident these are young male idiots we're talking about.
It takes one to know one, but at least I'm aging out of it.
-
Monday 15th July 2013 06:21 GMT Pen-y-gors
It only applies to women - apparently
from the pdf...
"A user clicks through a warning to dismiss it and proceed with her original task. A user leaves the warning when she navigates away and does not continue with her original task...the user has (1) ignored the warning because she did not read or understand it or (2) made an informed decision to proceed because she believes that the warning is a false positive or her computer is safe against these attacks"
Will someone please teach these academics about the idea that 'he/his' refers to specifically male people, 'she/her' refers to specifically female people - and that if it could be referring to either male or female then the traditional usage is to say 'he or she/his or her' or (my preference, although it is frowned on by classic grammar pedants) to use 'they/their'.
-
Monday 15th July 2013 06:40 GMT frank ly
Re: It only applies to women - apparently
I believe this style (quite common in Google sourced text) is intended to address the historic imbalance of written gender representation, because it is felt to be 'a good thing to do'.
My personal preference would be to write, "When one is presented with a warning which advises one that proceeding further will compromise one's computer security ....etc". People always laugh at me when I do that so I've stopped bothering.
-
Monday 15th July 2013 07:44 GMT El Andy
Re: It only applies to women - apparently
Except that "he" is the correct word when gender is unspecified, it also happens to be correct for males. Similarly "she" is the correct word if you're personifying an object, such as a boat, car etc and also just happens to be correct for females.
The ridiculous "political correctness" approach of constantly using he/she, or worse using the feminine variants as some sort of gender redressing, just makes people look unbelievably ignorant of their own language.
-
Monday 15th July 2013 09:23 GMT albaleo
Re: It only applies to women - apparently
'The ridiculous "political correctness" approach of constantly using he/she...'
As opposed to some other form of correctness by using 'he' when gender is unspecified? I tend to use 'he/she' in more formal writing, not for its elegance or its political correctness, but because I find it more accurate. I use 'they' in less formal writing and probably in speech. Perhaps I should use it all the time. It was good enough for Shakespeare. And if it pisses off those who believe there are 'correct' and 'incorrect' forms of grammar, all the better.
-
Monday 15th July 2013 12:53 GMT Anonymous Coward
Re: It only applies to women - apparently
I hope the new curriculum reintroduces English grammar and literature in some depth.
1. "Man" is the species as well as being used in some contexts to mean a human male. cf. Dog and dog/bitch.
2. On the same principle, "He" is sexless in the generic sense. "She" is not.
3. Even the Oxford dictionary lists one usage of "they" as the sexless pronoun that can be used when the gender is not known or is irrelevant.
4. "One" is another neutral term, with the added advantage of putting a disinterested distance between the writer or speaker and the subject matter.
I suppose men should complain that their gender is not treated with the respect accorded by a unique indicator.
Pet hates:
Chair or chairperson, showing ignorance and disrespect in one go (can you not see if the person is male or female?).
Unmarried woman using, "Ms", that stood for "manuscript" at one time and is unpronounceable and unnecessary. After all, the convention has long been that, if one does not know, call her "Miss" (I think the very old convention of changing that to "Mrs" for more mature women is gone); married women sometimes kept their maiden name, using "Miss", particularly at work for professional women and actresses (I know a couple who do that for continuity with their pre-married work references and to distance work from private life).
The obsession with sex in all aspects of life, leading to this nonsense of concentrating on one's gender rather than one's abilities and deeds, interpreting all interactions as a competition between the sexes and corrupting language and communication for the narrow concerns of a few who seem to need props.
-
Monday 15th July 2013 06:22 GMT austerusz
At my company, we ignore those warnings on a daily basis.
Why? Because we do some development and some of our webservers use a basic shared SSL certificate which is proper for just one URL out of 132 people use. So for the rest, people need to ignore those warnings.
Same goes for one of my personal sites which is on a shared hosting account with shared SSL. Every now and then people need to ignore SSL warnings. There are plenty of reasons to ignore SSL certificate warnings unfortunately.
-
Monday 15th July 2013 07:38 GMT Steven Raith
Re: No, your certificate master is an idiot
Theodore - I set up a lot of test environments and these warnings tick me off.
I'll have a look at wildcard certs later today (I assume this isn't the same as self-signed certs, as these are what give the warnings) and see if it can help prevent my stabbing hand itch when I'm doing testing.
Ta for that :)
Steven R
-
Monday 15th July 2013 07:48 GMT El Andy
Re: No, your certificate master is an idiot
If you're using self signed certs internally (which is a perfectly reasonable use of them) then whomever is in charge of your network ought to push them out to users via some out-of-band mechanism. It's not hard to do and it's much better than training users of your corporate network to ignore potential security warnings.
-
Monday 15th July 2013 07:52 GMT austerusz
Re: No, your certificate master is an idiot
"all that needs to be done is for them to generate a wildcard certificate, or, if your network is more than a single namespace, then a wildcard certificate per namespace."
- sure, that's the normal approach. But the guys here are cheap. The host administrator's protocol doesn't include using wildcards because as they charge a couple of euros per certificate, generating a wildcard certificate isn't really bringing them any profit.
- internally, wildcards are used, but the problem is that in order to comply, we would need to use the form "*.TLD" which is not accepted (still generates warning).
To better understand what I mean, internally we use the form <user>.<language subdomain, 12 variations>.<site name, 132 variations>.<domain, 14 variations>.<environment, 6 variations>.
Even the combination *.domain.environment means 6*14 options, but it doesn't work. The lowest that seems to not generate warnings is *.site.domain.environment. It's much less of a headache to ignore the warnings.
Also, one of the environments is actually an external server that has an internal alias. It already has valid SSL for all sites, but as we usually use the internal aliases (because in that case we can force the site to use an internal CDN for static resources) so not even wildcards help in this case.
Let the warnings ignore rain down.
-
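The single-label wildcard rule behind the warnings discussed in this sub-thread, as an added example that is not part of any poster's comment. Host names are constructed placeholders; the level counts (12, 132, 14, 6) are the ones quoted above, and the "at least two labels after the wildcard" check is a simplified stand-in for a browser's refusal of wildcards directly under a top-level domain.

```python
from math import prod

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name such as '*.a.b' covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in p or "" in h:
        return False                      # empty label: malformed name
    if "*" not in pattern:
        return p == h                     # plain name: exact match only
    # '*' is honoured only as the complete left-most label.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # Simplification (assumption): refuse '*.tld'-style names outright.
    if len(p) < 3:
        return False
    # The wildcard stands for exactly one label, never several.
    return len(p) == len(h) and p[1:] == h[1:]

def covering_wildcard(hostname: str) -> str:
    """The only wildcard name able to cover hostname: '*' replaces its first label."""
    return "*." + hostname.lower().rstrip(".").split(".", 1)[1]

def wildcard_names_needed(fixed_level_counts) -> int:
    """Distinct wildcard names needed when every level right of '*' varies."""
    return prod(fixed_level_counts)

# Level counts quoted in the thread: language, site name, domain, environment.
LEVELS = {"language": 12, "site": 132, "domain": 14, "environment": 6}

if __name__ == "__main__":
    host = "alice.en.shop.example.test"   # constructed <user>.<lang>.<site>.<domain>.<env>
    for name in ("*.test", "*.example.test", "*.shop.example.test",
                 "*.en.shop.example.test"):
        print(f"{name:26} covers {host}: {wildcard_matches(name, host)}")
    print("only candidate:", covering_wildcard(host))
    print("names needed for every user host:", wildcard_names_needed(LEVELS.values()))
```
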
Monday 15th July 2013 13:14 GMT John M. Drescher
Now if this is what they are tracking.. I have to enter a site with a self signed certificate at least 1 time per week for what 15 years now? As a programmer (besides the ones I have generated on my own) I click through the warning a lot in forums, wikis, blogs and source code download sites for individual open source projects.
-
Monday 15th July 2013 17:41 GMT Franklin
I routinely track down malware and phishing sites (bit of a hobby, I like figuring out what the crims are up to and how they're doing it), and I generally use Chrome in a VM to do it. So I always ignore Chrome's malware/phishing warning page...not that it matters, since that warning always seems a bit behind the curve anyway.
I had no idea I was cooking the statistics by doing that.
-
Monday 15th July 2013 08:02 GMT Anonymous Coward
Re: How did Google get this data ?
There is an option to report back at install time. It is not hidden and is right below the set as default option.
Hmm. I hope that data is anonymised, otherwise such an option must be OFF by default and must explicitly (i.e. separately) ask for permission to comply with EU Data Protection laws.
-
Monday 15th July 2013 07:36 GMT Jon 37
Re: How did Google get this data ?
When you download Chrome, there is a tickbox option to "Help make Google Chrome better by automatically sending usage statistics and crash reports to Google.". There's a "learn more" link that goes to https://support.google.com/chrome/answer/96817?hl=en This option is ticked by default, but you can untick it if you want.
Information about whether the warning page is used or skipped counts as part of that "usage statistics".
More generally, in order to figure out how to improve a computer program, you need to know how it's used. E.g. if 1% of customers use feature A, and 80% of customers use feature B, then perhaps you should spend more development effort on feature B since improvements there will benefit more people. In ye olde days most companies would just guess what users would do, although some companies ran usability tests where they'd get maybe 10 people to use the software in a controlled lab setting with artificial tasks. Nowadays, it's trivial to measure what the actual users are really doing, which gives you solid data to use to improve your product. That's why Google collects this telemetry.
-
Monday 15th July 2013 07:39 GMT Anonymous Coward
Ask yourself this.....
how did these users get Chrome?
a) Went and looked for it, checked out reviews, read its privacy policy and then actively chose it
or
b) clicked on a big icon saying install Chrome or blindly clicked next, next, next when installing "free" software
.
And there folks, is your answer why so many ignored the warnings.
-
Monday 15th July 2013 17:35 GMT Old Handle
Re: Perhaps they should have a proceed with javascript disabled button
That's a pretty good idea. It could cover other security risks besides JS too. The only problem that immediately occurs to me is that to do much good it would have to automatically extend whatever restrictions it put in place to other sites linked to from there as well, which could possibly become confusing. Maybe it could open in a new window with some kind of visual cue that everything in there is being treated as suspect.
-
Monday 15th July 2013 08:17 GMT Turtle
Here kitty kitty kitty! Here kitty kitty! That's a good little kitty!
"Do you: (a) Click on “Proceed anyway” because you really want to see the pussy picture someone Tweeted to you; (b) Click “Back to safety” because it's not worth having crims empty your bank account for a peek at one cute pussy."
1) When we substitute one euphemism for another, we begin to better understand the situation, which is that:
2) according to empirically verified data, yes, it is "worth having crims empty your bank account for a peek at one cute pussy."
This should help resolve the question of gendered pronouns, as discussed earlier in the thread. But, for inclusivity's sake, maybe not...
-
Monday 15th July 2013 08:33 GMT Tomato42
Warning fatigue
I'm quite sure it's caused by warning fatigue. Seriously, who got a certificate warning because of active Man in the Middle? Because that's the only thing that a non self-signed certificate protects you against: active man in the middle. Stuff even PRISM didn't attempt.
We really should opt for SSL everywhere (as in browser tries :443 first), and if the connection is secure, then it shows a padlock/golden address bar/cute pussy.
I need to know if the connection I'm using is secure only if I entered some data on it, not when I just want to read the page!
-
Monday 15th July 2013 09:43 GMT Anonymous Coward
This isn't tech news per se...
...and I don't mean that disrespectfully to the author or El Reg.
The sort of person that continues at a warning page like this on the open internet, is the same sort of person that falls for scams out there in meat-space. They forward chain letters, make no effort to lock doors, get taken in by frauds, spam their social networking site with chain status updates, forward virus 'warnings' en masse...
We all know this. Most of us have been cleaning their computers up for years. Hell, most of 'em just panic and comply with absolutely anything the computer 'tells' them to do.
Google could change that safety page to a line of drag can-can dancers, and it would make no difference - problem is in the chair, not in the web browser.
-
Monday 15th July 2013 09:51 GMT FordPrefect
It depends on the context
I don't normally get warnings about malware or phishing sites; if I do I ignore them. I often get warnings about self signed SSL certs or mismatched SSL certs and I consider each one. If I am logging into the admin console of a customer device I know that it's nothing to worry about generally as I trust the management network involved and know the certs are supposed to be self signed. Again when browsing the web if for example my bank site or Facebook presented an SSL certificate error I'd run away! It's not the fact I'm ignoring the warning, I'm considering should this site be using a self signed certificate? Do I need to login to do anything on the site? Are those login credentials likely to cause me a loss (bank or online purchases) or embarrassment (if someone gets my Facebook login details and posts malware or spam as me). Sometimes the user knows best!
-
Monday 15th July 2013 09:53 GMT FordPrefect
I don't normally get warnings about malware or phishing sites; if I do I wouldn't ignore them and wouldn't continue onto the site in question unless I was just being nosy and was sure I wouldn't be infected myself. I often get warnings about self signed SSL certs or mismatched SSL certs and I consider each one. If I am logging into the admin console of a customer device I know that it's nothing to worry about generally as I trust the management network involved and know the certs are supposed to be self signed. Again when browsing the web if for example my bank site or Facebook presented an SSL certificate error I'd run away! It's not the fact I'm ignoring the warning, I'm considering should this site be using a self signed certificate? Do I need to login to do anything on the site? Are those login credentials likely to cause me a loss (bank or online purchases) or embarrassment (if someone gets my Facebook login details and posts malware or spam as me). Sometimes the user knows best!