Discussing software, the web, politics, sexuality and the unending supply of human stupidity.

On showing URLs and why security and usability will always have a rocky relationship

Jeremy and Jake are debating the merits of Chrome’s plan to hide away the path segment of the URL.

I have only a few things to say:

If Firefox starts hiding the path of the URL I’m looking at, I’ll find whatever extension, plugin, haxie or user script I need to make it stop. It’s bad enough that it hides the protocol from me. I want to see what page I’m on. The URL is the way I know this. I wouldn’t trust a car that hid the speedometer from me, or didn’t let me easily ascertain which gear I was in. Information helps me make decisions. Hiding information away makes me less able to make decisions: it makes me a less informed user.

And, yes, you can show me lots of user experience faff about people and how they operate. I don’t care. You can show me that when asked to make a choice between Vim and Microsoft Word, most normal people choose Microsoft Word. Doesn’t mean that’s the choice for me.

As for the security issue: hiding more of the URL doesn’t help there either. The whole reason that phishing is a problem is because users don’t pay any bloody attention to what they see in their location bar. Putting less information in the location bar makes the location bar less useful and thus there’s less point paying any attention to it.

The problem we also have is that the HTTPS certificate model is very, very broken. The certification authorities have been compromised. In 2011, DigiNotar was hacked and issued fraudulent certificates for Google, Yahoo!, WordPress, Mozilla and the Tor Project. If you are using an up-to-date browser, the CA certificate that signed those certificates was removed. But we are in an industry where people are not only still using a 12-year-old browserpiece of malware, they are complaining about moving from the 12-year-old malware application and paying the malware’s creator to continue supporting it.

In Firefox’s default CA cert list is the China Internet Network Information Center, the body in China that sets Internet policy, and which distributes “Chinese-Language-Surfing Official Edition” which Wikipedia at least claims to be malware. They seem like a fit and proper group to be able to determine whether an SSL certificate is trustworthy or not.

The problem we face is you can’t actually satisfy two masters. Security requires educated, pro-active, informed thinking users. Security is rarely a positive user experience—the free massage provided by the TSA when I refuse to go through their backscatter body scan is rarely as erotic in real life as it tends to be in advertising.

Usability is about making the whole process of using the web seamless and thoughtless: a child should be able to do it. But the security environment we have on the web is extraordinarily broken. In order to actually stay safe online, you need to see the “seams” of the web, you need to pay attention, use your brain.

Don’t Make Me Think says the title of the famous usability book. Be alert all the fucking time or you’ll get scammed say the security people. Good luck squaring that circle.