19 February 2009

That Green Bar in Firefox

I was just reading Dan Kaminsky's blog and saw something I found shocking. Let me quote it.

Moxie’s putting his energy on the old positive feedback attacks — simply disabling the security, and seeing if anyone notices. And here he shows up with some pretty astonishing data: Nobody noticed. To be specific, absolutely 0% of users presented with missing encryption on important web sites, being asked to provide sensitive financial data to those websites, refused on the basis of missing security.

Wow. 0%. Seriously.

Why don't users "get it"?

My first thought was "how do you not notice the address bar's not green?" Then I realized that a lot of people probably don't know why the address bar changes colours or what the different colours mean. Here's a hint: if it's a financial-anything, and that bar's not turning green, run away. I didn't know how it worked, to be honest. I knew it was more than certificate verification, designed to get around URLs that look like what you want but aren't, and that it involved paperwork. He's got the scoop on Extended Validation. Also, you can click the green bar to get more information about how the site is validated.

And by the way, that thing where phishers get a fake URL with a valid cert: that doesn't work (without a bunch of legal hoops to jump through) for the green bar. When a certificate is the only thing being validated, you'll see blue. Blue can still be phishing. Green is the good one.

Now, I know we're Linux users, and we're not likely to get viruses or trojans or things like that, but phishing is OS-agnostic. Phishing is about stupid users. Don't be a stupid user! When Firefox tells you a site is bad, be careful. When Firefox doesn't explicitly tell you a site is good, be careful. When I say be careful, I mean treat it as if its mode was 444 (read-only).

Oh, and use NoScript for Pete's sake!

/* Insert standard "do not click on login links in email" "do not use search engines to replace bookmarks" "do not use the same crappy password on every website" etc. warnings */


Sup said...

I guess they do not get it because Firefox nags them very often before self-signed certificates, so they learn to ignore it and accept everything they are warned against. I do so myself (though I use Opera), but probably I would not when it comes to internet banking.

Mackenzie said...

So if you read Dan's blog, he talks about negative v. positive feedback, and the fact that whether negative feedback works or not...it can be bypassed on many sites by one of the bad guys. They can make it so you don't get warned about bad or self-signed certs at all.

So ok, you don't have any negative signs showing up...but are there any positive ones? At the very least, look for the blue background. That tells you that the SSL hasn't been stripped to avoid negative signs. Better is to look for green though because then you know that the entity behind it has been verified, rather than only verifying the domain name.

phil99 said...

NoScript... oh my, I've never used such a frustrating extension. It's all well and good that it's protecting me from attack x/y/z but it breaks functionality on SO many sites it's unreal. And the kicker is that half the time, you don't realise the functionality is broken until you've filled in a form.

Mackenzie said...

At first it's very annoying. Once you've built up your whitelist (like, allow mail.google.com so GMail works right, etc.) over the course of the first few days, it becomes fairly easy. The point isn't to block all JS all the time. If that were the case, you could disable JS entirely. The point is to only enable it when you trust the site. It's meant to put control back in your hands.

I would like to see more granularity though. .name domain names are usually firstname.lastname.name, and it'll filter on lastname.name instead of firstname.lastname.name.

Erigami said...

Here's a hint: if it's a financial-anything, and that bar's not turning green, run away.

And how's your grandmother supposed to know that?

Firefox shouldn't be putting the onus on users. The application can sniff input for something that looks financial (most people don't enter 8-16 digit numbers into most websites), and pop up a warning if the site isn't properly secured.

If that seems too Clippy-like, how about this: the browser could sniff the passwords that a user enters on trusted sites, and store a (weak) hash. If the user types the same password on a site that isn't trusted, JavaScript is immediately paused, and the user is warned that the site isn't trusted.

Asking users to know the ins and outs of every app they use is unrealistic. People use computers to simplify their life, not to acquire more domain-specific knowledge.

Mitch said...

I think the problem is people don't have time to worry about it. They have e-bills to pay regardless of security. And ultimately nothing is SAFE no matter how secure it might be. If TV has taught me anything it is that any kid with a laptop and a cell-phone can 'hack' any account numbers anyway, so why worry about the security.

ACnP said...

It's amazing what kind of crap I get from using NoScript. Snuxoll likes to say I live in the dark ages. On the other hand, Firefox hasn't locked up on me since I began using it, and it uses a lot less RAM.

It's amazing what a poorly coded site can do to a browser. NoScript just happens to solve part of that.

Mackenzie said...

It's not very domain-specific. IE, Safari, Opera, and Chrome do the same thing. I only talk about Firefox because it's the default Ubuntu browser and the only FOSS browser for Linux that does it, as far as I'm aware.

And hey, why do you think I'm posting this? People don't read release notes, I get that. So hopefully the knowledge of its purpose can spread. Tell your friends what the blue and green codes in the browser mean. And put some pressure on legitimate financial institutions to get EV. I've already contacted my bank about going from standard domain-only validation to EV.

It's not "don't do online banking" it's "don't do online banking without SSL or at mybank.123.com" and how to ensure that some bad guy hasn't shut off SSL without you knowing it.

meta said...

I think it's ridiculous that NoScript and CS Lite aren't standard Firefox functionality, yet they're planning to add crap like Web Services as content handlers.

Obviously the safety of users takes a back seat to keeping advertisers happy.

jldugger said...

Blackhat has videos of both Moxie and Dan's presentations. They're pretty entertaining. I think the bigger point about Moxie's presentation is that you should expect to be man-in-the-middle'd if you use Tor.

Eivind said...

There's a problem with the password-thing though. Just what *are* you supposed to do ?

Pick a different, long, semi-random password for each site, and change all of them regularly?

For many active internet users that would mean literally juggling several dozen long, semi-random passwords and changing all of them regularly.

And I've got news for you: Most people simply cannot. They are physically unable to do that.

When the advice is "please do X", where X is something which it's unreasonable to expect people to be able to actually do, well, the problem isn't only with the people failing to follow the advice (i.e. 90%+).

To the degree passwords remain usable at all, we're going to need centralised logins, openid or the like. I can deal with 3 different secure passwords, perhaps even 5. I cannot deal with 31. (random number, but probably an understatement, truth be told)

Mackenzie said...

I have different classes of passwords.

My PGP/SSH keys, my bank account, my email, and my OpenID all get different strong passwords (all things where someone posing as me would be bad).

Everything else gets weaker passwords. And then there's "this stupid forum makes you register before you can download an attachment...jerks."

I don't see anything wrong with having the same crappy password on all the sites where you'd rather use BugMeNot and it doesn't matter who you are. It's *just* for thieve-able things that I recommend keeping them separate.

Eivind said...

What you describe is what essentially everyone does: re-use the same crappy passwords everywhere that they don't really care about.

But it's not what is advised, the advice, invariably, is "pick a different strong password for every site", and that is just, frankly, perfectly useless advice in the real world.

I've got strong and different passwords for email, and pgp/ssh-keys (the two latter are the SAME password though), my bank isn't secured using passwords (but rather using tokens from a security-device).

But other than those 3 things, more or less every other site gets the same password. I don't -really- care if someone is able to pretend to be me on Slashdot, or Launchpad, or the KDE bugtracker or whatever.

But it's a problem, some of the places I "don't really care about" could potentially be problematic, and though I don't care much about them independently, it'd be annoying if someone snagged them ALL. (which can easily enough happen when the password is the same)

My point?

At this point, creating new websites with a login-system that assumes the user should create a new login locally on your site, should be a crime. It's NOT that hard to support openid, for example. And yes I know it's not perfect, but it's a hell of a lot better than the alternative.

Mackenzie said...

Well yeah, I really like OpenID, but no....not everyone classifies their passwords & use-cases into strong / fairly valuable / throwaway categories. Some people *will* use "password1" for *every* site, including their bank and PayPal. That is the thing to avoid.

When I said "don't use the same for every site" i literally meant *every* site. Don't use the same password for Facebook that you use for your bank. But Facebook & MySpace sharing a password? Whatever.

Eivind said...

My comment wasn't really meant as a critique of you, specifically.

Rather it was directed at that subset of IT people who honestly believe that advice like "pick a different strong password for every site, change them regularly" is workable at all in the real world.

And people who think that it's reasonable to expect Grannie to not only have learnt that https and the little lock icon mean something is secured, but also that a green address bar means a DIFFERENT and better sort of secured.

There's a tendency among some to blame the user for doing stupid things. Which is true, of course. But if the interface we offer is such that they have no, or little, choice, then it's too easy to just blame the users.