Friday, June 6, 2008

SSL Thoughts

How will we ever effectively educate users not to click through SSL warning boxes while our own systems have expired or invalid certificates? I've come across SSL certificate warnings on a federal agency site that liaises with the private sector on security. I've seen them on vendors' sites selling security products and services. And of course I come across them regularly on retail sites on the Internet. When they become pervasive and common, coupled with the fact that we do a really poor job of educating users about what those warning boxes really mean, we have in essence trained them to click through and ignore them.
Misinformation from well-meaning sources is another issue. I've seen articles that said to look for the golden padlock at the bottom of your web browser, and if you see it, you're safe.
We know that's not the case, but the average end user reads that and takes it as accurate information and makes their on-line experience less secure through false assurance.
I appreciate the effort to try and educate; I just wish they had consulted someone knowledgeable in security before writing the article.
Put that one right next to the tip about how hiding the SSID on your access point makes your wireless more secure.
