March 06, 2016

When Google's Chrome Security Warnings Can Do More Harm Than Good

We begin with a stipulation. Google has world class privacy and security teams. I know many of the Googlers on those teams. There just ain't no better this side of Alpha Centauri. They want what they feel is best for Google's users.

That said, one of Google's institutional weaknesses -- improving but still very much present -- is (in my opinion) a recurring lack of clarity when it comes to understanding the impacts that some of their design decisions have on ordinary, non-techie users with busy lives that don't necessarily revolve around the nuts and bolts intricacies of these systems.

Last June, in "When Google Thinks They're Your Mommy" -- https://lauren.vortex.com/archive/001107.html -- I noted some concerns regarding how particular aspects of the Chrome browser security model can negatively impact ordinary users.

Today let's look at a specific interesting and current related example.

The image below (please click over to https://lauren.vortex.com/archive/001157.html if you're reading this on a text-based mailing list) is from a current main payments page of a little firm called AT&T -- in this case for payments from bank accounts, where you enter ACH routing and account numbers. We can assume that this page is used by many millions of persons on a routine basis.

We've spent many years training users to look for a little lock, or key, or green icon, or something similar up on the URL bar to indicate a "secure" page. So one can forgive users for being concerned when they notice that this particular page just shows an ordinary page icon -- nothing to indicate security beyond the URL starting with https. You can't see that icon in this screenshot, but it's the same one pointed at by the red arrow below.

If one happens to think of hovering over that icon on the URL bar, Chrome claims the page is not secure, and offers a "Security Overview" details link. The image below shows those details.

And if you really believe that an ordinary, non-technical user could make head or tail out of this information presented by Chrome in this case, I strongly suggest cutting back on your psychedelics dosage.

The summary near the top appears definitive: "This page is not secure" it proclaims in a dramatic orange font.

Below that we have an "explanation" -- the certificate is signed with SHA-1, which we can agree is considered weak by modern security standards. Scary!

But wait, let's read on. Further down the overview, we're told that the page is actually using a Secure TLS connection: "The connection to this site is using a strong protocol version and cipher suite" -- and there's even a reassuring green ball right there!

Further below, there's another green ball, and we're informed that "All resources on this page are served securely." Phew! This sounds like good news!

OK. Now, based on all this, to win the new car and a fantastic array of kitchen appliances, just answer this one simple question, yes or no:

Is this page under discussion actually "secure" ... ?

Time's almost up ...

Buzzz! Sorry, it was a trick question.

Because even though Google's "summary" judgment is that the page is not secure, the reality is that -- even if Google were not presenting us with seemingly contradictory detailed conclusions on their details pane -- the term "secure" is absolutely meaningless without appropriate context not only relating to systems and programs, but also to possible attackers and the probability of attacks in any given case.

It seems certain enough that Google actually knows this, but in their attempt to avoid really explaining, they've muddled the message into a scary conclusion that isn't useful to most people. The clue is that Google didn't mark the page with a red "X" padlock, or present even more terrifying warnings and/or access blocks.

So Google very likely appreciates that (to paraphrase "Miracle Max" from "The Princess Bride"), the page is actually "mostly" secure, at least as far as most users should be concerned. That is, the odds of anyone evil (leaving aside aspects of AT&T itself) getting hold of your data sent through that page are probably really low in a practical sense.

But as mentioned above, Google -- their top notch techies and policy folks notwithstanding -- still has difficulty explaining matters like this to ordinary people, so as in this case, they tend to fall back on "summary" statements like "this page is not secure" -- that can leave users unnecessarily confused, concerned, and as the saying goes, twisting slowly in the wind.

Because -- let's face it -- all this talk of SHA-1 certificates and TLS and battles between the green balls and orange triangles mean nothing to most people.

They just want to pay their damned bills. And while we can assume that AT&T will eventually update their certs, good luck finding the person at AT&T in charge of actually doing that. Sure, call up customer service and try get them to fix it. Go ahead. Everyone should have a hobby.

My bottom line here is of course not that Google should ignore security concerns. Far from it.

But I will assert that Google is in many cases failing to do a good job at explaining what's really going on in situations like this -- in language that most users can understand -- and that various aspects of their deployed security policies are confusing, arbitrary, and can cause users unnecessary alarm and confusion. I hear from such users every single day.

I am not claiming that this is easy stuff to get right. And -- believe me -- I understand why techies often aren't thrilled to be tasked with figuring out how to explain these matters in non-techie terms for the world at large.

This is all really important though. Even the best security concepts can be rendered impotent or worse, if their deployment is more opaque and contradictory, than transparent, consistent, and understandable.

And that's the truth.

Be seeing you.

--Lauren--
I have consulted to Google, but I am not currently doing so -- my opinions expressed here are mine alone.

Posted by Lauren at March 6, 2016 11:00 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein