Today’s happy little rant comes courtesy of some asshat at UMass Lowell. The article is entitled:
Mozilla SSL policy bad for the Web
First, I want to tell you about my grandmother (mom’s mom), Marion. I’m not gonna call her Marion, ’cause that just feels weird. I’m gonna call her Grandma, because she’s my goddamn grandmother.
My grandma is, well, a bit older than I am. I’m not exactly certain, but I’m going to shoot for early 80s. My grandma is an intelligent woman, who belies every story I hear about older people losing mental faculties. Then again, some days I wish she would lose her grammatical-correction faculties. That’s right, grandma, you and me should have a talk about it sometime.
Anyways, my grandmother has always been a bit lagging in the computer world, but nowhere near as bad as I would expect her to be (I would estimate that she is about as good with a computer as my mother is; neither is “below average”, by my estimate). Her primary method of getting online these days is MSN TV, which used to be WebTV. I don’t know too much about it, except that WebTV was kinda annoying, MSN TV is a gigantic bucket of donkey shit (my words, not hers), and those nice Microsoft people are always so helpful, but can never figure anything out.
So, every once in a while, my 3 brothers and I (there you are, grandma; happy?) are pulled in for technical support. We do this for everyone in the family, mind you, since we are the geeky cousins (on both sides). Using my mother as a standard, I would say my grandma is about 1/4 of a mom worth of computer help a year, versus my Uncle Kevin, who is approximately 6 cubic moms worth of technical help.
Over the years, I’ve noticed there are a few things that “normal” people (read: people who have never heard of “slashdot”) just don’t seem to get. Spam mail is one that seems to be oh so completely obvious to all of my techie friends, but something my older relatives have difficulty with (or, like my Uncle Kevin, they go off the other deep end – everything on the internet is a scam). The desire to explore the computer is another one (the best techies learn by doing, not by getting their geeky relatives to do for them), although I think my grandma does pretty well in this area. I’m thinking about getting her a macbook when I’m richer :)
Anyways, one of the things people do seem to get, to some degree, is them thur secure website thingies. I’ve explained to relatives (quite a few times) to “look for the little lock on the bottom-right part of your browser – that means the site is safe”. Surprisingly (to me, at least), most people seem to pick up on this well. I think it has something to do with the obvious graphical cues (the lock) and the happy, bright colors associated with “safe” websites – usually the lock is golden and glowing, or with the new firefox, the url bar is a happy green color (only for the pricier extended-validation certificates, mind you, but the cue is the same). Yay, happy green! This website is secure!
If you didn’t get a chance to read the article, the author is bemoaning firefox’s behavior when an SSL site presents a certificate that wasn’t issued by a trusted certificate authority (a self-signed one, say, or one from a CA the browser has never heard of). He rages for awhile about how awful it is that people have to pay for trusted certificates (somewhere around $200/year), ranting about how the web is supposed to be open and happy and loving. Kum Ba Ya and all that.
He correctly points out that there are really two benefits to SSL. The first (and primary one, I’d say) is the fact that your traffic is encrypted, decoder-ring style (just kidding about that last part). The second is that, because of the whitelisting we use for certificate authorities, you get to have faith in the identity of the site you are visiting. In a sense, the second part isn’t fundamentally a part of SSL – as he says, just having the first part is a great way to, say, prevent people from snooping on your wireless connections. (Well, passive snoopers. Anyone on that same wireless network who can get in the middle of the connection can hand you his own key instead of the site’s, and then the encryption protects your session from everyone except him. Without the identity part, you have no way to tell the two apart.) I understand completely. SHIP IT. Right?
Well, not really. You see, I’d like to see him explain that to my grandma. I had a pretty easy time making the connection that the bright golden lock means that the website is a “good” website. It’s also much easier to say that websites are either good or bad, and you should only give credit card information to good websites when you are buying things.
But how are you going to explain to her the rest of it? I want you to explain to my grandma that some websites offer you just SSL but no real certificate of identity, so you can at least be assured that anyone snooping on your wireless connection when you are out wardriving with your dirty cousin Melvin won’t be able to look at all the pr0n you are downloading.
What?
Like I said, my grandma is no idiot, but if things get too complicated, she’ll likely just ignore it. And maybe she’ll forget about some of the stuff when she happens upon “www.bankofamarica.com”, which also shows this pretty little lock thingy. Sure, like the author suggests, there was this little bar at the top of the screen with some big paragraph about “identity” or something, but what does that even mean? The website has a SSN? It pays taxes? Does it receive medicare benefits?
You know what? Forget my grandma for a second. You or I, geniuses that we are, are also liable to make mistakes every once in a while. Let’s say you were at a different computer and wanted to check your bank account. Say also that you are using an unfamiliar browser. You sit down and type out, well, try to type out the bank of america web address, but you accidentally misspell it. Being in a hurry, and having already dismissed a few information-bar style alerts (like when IE or FF blocks popups), you quickly click the X on the popup and keep chugging along. Whoops! You just gave your login information to some greasy Russian kid who just used that information to buy himself a Real Doll named Svetlana.
So for the original author who wrote this? You leave my grandma alone, you dumb twat. $200/yr is a small price to pay for my grandma to be able to safely navigate the internet. That big warning screen you find so undemocratic is the thing that keeps her from getting her identity stolen. The people who came up with these ideas understand that spammers win every day due to the laziness of the average person. Nobody reads alerts, EULAs, or warnings (think UAC). Nobody really cares enough.
Unless you have a better idea than “The web should be fr33! lolz”, shut the fuck up. Until you sit down with my grandma for 2 hours painfully explaining how to use some feature in Microsoft Word, you don’t get to preach to the world about how Mozilla trying to keep my grandma safe is somehow against the freedom of the web.
—
Also, the post I linked to originally links to another blog post, http://boblord.livejournal.com/18402.html, where the author (a mozilla guy, I assume) describes the reasons behind these extra security measures (the firefox “omg you are going someplace unsafe!” pages, which, by the way, I love). The comments were all laughable (well, the ones arguing along the same lines as the first post):
- “I have a gigabazillion machines, each with a self-signed certificate” – run a single certificate authority (CA) of your own, sign every machine’s certificate with it, and import that one CA into your browsers. One trust rule covers all of them. Problem solved. Oh, and you are an asshat and your boss should fire you.
- “This is against net neutrality!” – no, it isn’t. Net neutrality is about ISPs delivering all content on equal footing (i.e. not lending preference to, say, someone who pays you a couple thousand bucks a week). This is your browser trying to protect you from being stupid, which you clearly are. You make the net neutrality advocates (I’m one) look bad by claiming that whitelisting security is being unfair.
- “My nonprofit uses self-signed certificates, and you are putting an onerous burden on us” (“onerous” basically means “burdensome” – cute, huh?). That’s right, folks. $200/yr is just too much for a nonprofit. Or maybe just $115 a year for 3 years (from digicert). If you don’t have $115 over a course of a year (that’s less than $10 a month, or about 32 cents a day), then you are doing it wrong (for any value of “it”).
- “This is all big-brother, man!”
- “You warn me too much!”
- “This gets in my way!”
Guess what – that’s the goddamn point. The point is to force you to stop what you are doing, to interrupt your train of thought. Now, with UAC it pisses me off to no end – you open the same file and say “YES OPEN IT ALREADY GODDAMIT” 299 times, and the 300th time you open, it asks again. “Yes, I just double-clicked it, like I have the last 299 times in the exact same workflow”. And then I have to click again for another thing. Last I counted, trying to delete things off your desktop or from, say, somewhere in Program Files, takes a good 2-4 clicks of the mouse.
And what does firefox make you do?
1. It warns you, by getting completely in your face and stopping your workflow (this is annoying, yes, but mitigated by #4 below). You need people to stop, cognitively, and hopefully get scared off. I want my grandma to run away at this point. Just showing her a little dialog box or a warning bar isn’t enough. Maybe you should even put a scary monster on this page. Seriously. Something horrible. Goatse, even.
2. Once you click “create an exception”, it warns you again. 99% of the time, you shouldn’t be adding an exception (unlike UAC, where you want to do what you clicked on 99% of the time), so it is unlikely you would ever get past this stage. Normal people who wouldn’t be stopped by step #1 (although they should have, because eebay != ebay) might get stopped here. The more, the merrier.
3. Once you again say yes, you are given a dialog where you can download the certificate from the site and inspect it. This is for advanced users, and gives you the ability to verify different things about the certificate. Also, this dialog is fairly involved, so hopefully you get the rest of the people too stubborn to stop by this point.
4. Finally, you can add an exception for the site, and you can even make it permanent (this is the mitigating factor from #1).
That’s right, folks. You have to do this once for the minuscule number of valid sites in the world that are too cheap for the $115 certificate. Or for your sysadmin who is too dumb to have a single CA for the millions of internal websites they administer.
Or, instead of wasting your users time and making the internet just a bit less secure, you could fork over the $115 a year.
So, in conclusion: firefox rocks, my grandma is really cool, and the original article and all the comments on the second blog post were written by a species of subhuman who are threatening Steve Ballmer on his perch of chief retard-boy of the technological special olympics.