Car seatbelts (Was: Re: HTTP is just fine -- v. HTTP is insecure --> need a better metaphor)


Car seatbelts (Was: Re: HTTP is just fine -- v. HTTP is insecure --> need a better metaphor)

Boris Zbarsky
On 11/25/15 2:51 PM, Chris Hofmann wrote:
> Exactly.  Just as it would be inappropriate for an alarm in my car to go
> off if I pull out of the driveway without my seatbelt attached

I should note that most modern cars have exactly such an alarm: they
start beeping at you if the car goes over some (fairly low) speed and
the driver's seat belt is not buckled.

It's a fairly effective UI affordance to get people who simply forgot to
buckle to do so, though of course it won't deter an obstinate
non-buckler (who will just buckle the belt behind his or her back).

> and an
> alarm tried to communicate "you don't have your seatbelt attached, you're
> going to crash and kill yourself"

It doesn't do that, though.  It just beeps annoyingly.  ;)

All of this is clearly veering slightly off topic, of course.

-Boris
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: Car seatbelts (Was: Re: HTTP is just fine -- v. HTTP is insecure --> need a better metaphor)

Chris Hofmann-2
On Wed, Nov 25, 2015 at 1:20 PM, Boris Zbarsky <[hidden email]> wrote:

> On 11/25/15 2:51 PM, Chris Hofmann wrote:
>
>> Exactly.  Just as it would be inappropriate for an alarm in my car to go
>> off if I pull out of the driveway without my seatbelt attached
>>
>
> I should note that most modern cars have exactly such an alarm: they start
> beeping at you if the car goes over some (fairly low) speed and the
> driver's seat belt is not buckled.
>
> It's a fairly effective UI affordance to get people who simply forgot to
> buckle to do so, though of course it won't deter an obstinate non-buckler
> (who will just buckle the belt behind his or her back).
>
>> and an
>> alarm tried to communicate "you don't have your seatbelt attached, you're
>> going to crash and kill yourself"
>>
>
> It doesn't do that, though.  It just beeps annoyingly.  ;)
>
> All of this is clearly veering slightly off topic, of course.
>
> -Boris
>

The point was to try and make the warnings and operation of the
vehicle/software match the risks.

That's how the seat belt example got to something productive and higher
rates of compliance.

A minor, annoying beeping signal, backed up with lots of side-channel
explanation of why seat belts were important, plus case studies and examples
of how they saved lives, had an impact on people.  That's the combination
that worked.  If the seatbelt had been tied to the ignition system and people
had been forced to engage the seatbelt before starting the car, it's likely
there would have been great backlash, the same kind of backlash seen in this
thread by people who would normally be supportive of the larger goal.

This is how the "HTTP is unsafe" warning, and a possible later prohibition in
the browser down the line, might be getting off track, and away from the
main goal of stopping surveillance.   If the "unsafe" risks are overstated
in situations where it's not exactly true, then it's going to be
counterproductive.  If the warnings are gentle and communicate the goal of
stopping surveillance, we might get more traction on reaching that goal.

It's just a small twist in the way we approach and talk about the problem:
thinking about this as a project to stop surveillance, rather than a project
to shut down HTTP.   Starting to reduce, or nearly eliminate all, use of
HTTP can help, but it certainly will not be the only thing needed to stop
surveillance.   Let's all work together and keep people focused on the
larger problem.  That's what I think we should be asking for.

-chofmann

Re: Car seatbelts (Was: Re: HTTP is just fine -- v. HTTP is insecure --> need a better metaphor)

Robert Kaiser
In reply to this post by Boris Zbarsky
Boris Zbarsky schrieb:
> It doesn't do that, though.  It just beeps annoyingly.  ;)
>
> All of this is clearly veering slightly off topic, of course.

To bring it back on topic: Should we make the browser beep annoyingly
when using a non-secure connection?

(I prefer to say HTTP being "non-secure" or "not secure" vs. "insecure"
as while that means exactly the same, it's psychologically easier to
accept - HTTP is not suddenly becoming "insecure", it's just that it
never was secure in the first place.)

And that comment about beeping is only half-joking; we probably will
need warnings to go more intense after some time. OTOH, one issue with
the comparison is that in the car example, the user can easily do
something to secure themselves and use the seatbelt - while in our case,
the user cannot make the site they want to use secure, the website
author has to. But the user still wants to use the website and/or its
content, so unfortunately we end up "punishing" them for wanting to see
that content, and that's a bad experience and makes the user angry,
without necessarily making the website author/owner/maintainer react.
Unfortunately, sitting at the client side there makes this a difficult
situation.

KaiRo

Re: Car seatbelts (Was: Re: HTTP is just fine -- v. HTTP is insecure --> need a better metaphor)

Chris Hofmann-2
Personally I like the leaky pipe metaphor better.

The problem is not with the site.  It's with the pipe that connects a user
to the site.

The next stage is to explain to all parties what's needed and involved in
taking action to fix the leaky pipes of the internet just enough to make
progress on stamping out surveillance, and future risks of increasing
surveillance.

-chofmann

On Wed, Nov 25, 2015 at 6:10 PM, Robert Kaiser <[hidden email]> wrote:

> Boris Zbarsky schrieb:
>
>> It doesn't do that, though.  It just beeps annoyingly.  ;)
>>
>> All of this is clearly veering slightly off topic, of course.
>>
>
> To bring it back on topic: Should we make the browser beep annoyingly when
> using a non-secure connection?
>
> (I prefer to say HTTP being "non-secure" or "not secure" vs. "insecure" as
> while that means exactly the same, it's psychologically easier to accept -
> HTTP is not suddenly becoming "insecure", it's just that it never was
> secure in the first place.)
>
> And that comment about beeping is only half-joking; we probably will need
> warnings to go more intense after some time. OTOH, one issue with the
> comparison is that in the car example, the user can easily do something to
> secure themselves and use the seatbelt - while in our case, the user cannot
> make the site they want to use secure, the website author has to. But the
> user still wants to use the website and/or its content, so unfortunately we
> end up "punishing" them for wanting to see that content, and that's a bad
> experience and makes the user angry, without necessarily making the website
> author/owner/maintainer react. Unfortunately, sitting at the client side
> there makes this a difficult situation.
>
> KaiRo
>

Re: Car seatbelts (Was: Re: HTTP is just fine -- v. HTTP is insecure --> need a better metaphor)

Robert Kaiser
In reply to this post by Robert Kaiser
Chris Hofmann schrieb:
> Personally I like the leaky pipe metaphor better.
>
> The problem is not with the site.  It's with the pipe that connects a user
> to the site.

Maybe a better word to use would be "unprotected" - I guess if we say
HTTP is "an unprotected connection" that also makes clear that anything
in traffic on that connection can be viewed and/or altered before arriving.

KaiRo


Re: Car seatbelts (Was: Re: HTTP is just fine -- v. HTTP is insecure --> need a better metaphor)

ianG-2
In reply to this post by Robert Kaiser
On 26/11/2015 02:10 am, Robert Kaiser wrote:
> Unfortunately, sitting at the client side there makes this a difficult
> situation.

Yup - this is why you will never be able to secure the user.  Because
you're only sitting at one point in the chain.

iang

Re: HTTP is just fine

Ben Bucksch
In reply to this post by Robert Kaiser

Hey Chris, thanks for your balanced stance. That's how I know you :)

Chris Hofmann wrote on 26.11.2015 04:04:
> taking action to fix the leaky pipes of the internet just enough to make
> progress on stamping out surveillance, and future risks of increasing
> surveillance.

The thing is: There is no technical solution against governments.
GSM has crypto. And built-in backdoors. And the crypto is weak.

TLS is weak crypto, because it relies on a third party (actually
hundreds of third parties) to vet my communication partner. That's
inherently insecure, and I think it was deliberate. It plays into the
hands of governments. At the time when SSL was invented, the government
still had to approve crypto exports (I'm sure you still vividly remember
the time, Chris :) ), and made sure they didn't have any problem with
surveillance. Since then, the NSA made a little progress on one or two
fronts.

The NSA hacked Google data centers (see e.g. Google Analytics), hacked
Linux, hacked ISPs, telcos and core routers. Dell and Lenovo added root
keys to their computers and allowed all traffic to be intercepted.

If none of that works, they'll just pass more legislation.

Assuming that TLS will lock out the NSA is simply not taking history
into account.

Ben