thoughts about software and sensible security.

Security as an afterthought

S

I am doing a Coursera course called Usable Security which – as you would expect – is all about improving the security of systems through better usability.

It’s hard to dispel the opinion common among developers that usability and security are somehow inversely proportionate; that rock-solid secure systems are of necessity hard to use, and that improving their usability must degrade their security. Quite the opposite is true in fact. Systems with a large potential for serious damage should be foolproof and that’s where usability comes in. Making them hard to learn only makes them more error-prone.

Security should also be an integral part of a system’s design, and that’s where we seem to have missed the boat with the web. Encrypted communication was optional. It was difficult/expensive to configure and a drain on nineties’ hardware. But nowadays https is still optional and browsers still flag arcane warnings that the average user still doesn’t understand after twenty years. So they ignore them, mostly. If we want people to be suitably scared it comes down to the proper modal dialogue with screaming red colours, but if we want them to understand what’s actually happening only carefully chosen, non-technical, wording will do.

And that’s a big problem for a sizable portion of the population who have poor reading skills. We already force them to use a computer for most dealings with bureaucracy, having automated away all opportunities to speak to a human being, but we cannot possibly expect them to understand a warning about an expired SSL certificate. I don’t blame the folks at Firefox/Safari/Chrome/IE and I don’t consider myself a better linguist: it’s just too damn difficult.

The most annoying thing is that we shouldn’t have this situation in the first place. If SSL had been the default, these warnings wouldn’t need to be a necessary part of the interface. We deserve better, but I guess we’re going to be stuck with it for a while.

thoughts about software and sensible security.

Recent Posts

Jasper on twitter

Catching thought criminals in Orwell's analogue dictatorship was time-consuming and ineffective. A.I. will fix all… https://t.co/XpzIDondJe
h J R
I expect Mars to be successfully colonized long before we have flawless PDF to Word conversion.
h J R
Don’t tout #kotlin conciseness as a unique selling point. Concise does not equate understandable and if concise is… https://t.co/Hj7FrbZuI8
h J R
Hilfiger gives ‘smart dress’ a whole new meaning with new tracking chip. https://t.co/OeB4NEbVQI
h J R
ATDD is really different. Think of it as All Tests Drive Development. New blog post. https://t.co/J7uyHmCXFf
h J R