Security as an afterthought

I am doing a Coursera course called Usable Security which – as you would expect – is all about improving the security of systems through better usability.

It’s hard to dispel the opinion common among developers that usability and security are somehow inversely proportional; that rock-solid secure systems are of necessity hard to use, and that improving their usability must degrade their security. In fact, quite the opposite is true. Systems with a large potential for serious damage should be foolproof, and that’s where usability comes in. Making them hard to learn only makes them more error-prone.

Security should also be an integral part of a system’s design, and that’s where we seem to have missed the boat with the web. Encrypted communication was optional. It was difficult/expensive to configure and a drain on nineties’ hardware. But nowadays HTTPS is still optional, and browsers still flag arcane warnings that the average user still doesn’t understand after twenty years. So they ignore them, mostly. If we want people to be suitably scared, it comes down to the proper modal dialogue with screaming red colours, but if we want them to understand what’s actually happening, only carefully chosen, non-technical wording will do.

And that’s a big problem for a sizable portion of the population who have poor reading skills. We already force them to use a computer for most dealings with bureaucracy, having automated away all opportunities to speak to a human being, but we cannot possibly expect them to understand a warning about an expired SSL certificate. I don’t blame the folks at Firefox/Safari/Chrome/IE and I don’t consider myself a better linguist: it’s just too damn difficult.

The most annoying thing is that we shouldn’t have this situation in the first place. If SSL had been the default, these warnings wouldn’t need to be part of the interface. We deserve better, but I guess we’re going to be stuck with it for a while.