Do you guys know that Java based trojans are still a plague out there? It requires the user to manually accept the plugin to get infected, and guess what, millions are still getting infected with interaction from the user.
If you are in doubt, and don’t have a specific exploit for a browser, just add a java based exploit and boom, you are in. Just give them some incentive to click it: it is either the picture of a naked celebrity, the funny video of a cat dancing, or the leaked payroll excel from the HR department. It doesn’t matter what it is, “common people” will ALWAYS fall. I often do it in my pentests to see what’s the lowest common denominator, and even Ms-Office macros are executed, even though you have to go through two or three warning screens from Microsoft Office.
What about the permissions that you have to authorize on Android? Does anybody read the list of permissions that the APP needs? Does anybody read the pervasive abuse of permissions that a simple game is asking? No, nobody cares, nobody understands, and android based botnets are the rage… delivered from the Play Store.
So the message is simple: if you allow social engineering attacks easy to execute, IT WILL BE EXECUTED.
I am happy that @happybeing mentioned the “authorisation fatigue”, this is crucial. Even if it isn’t desensitization for repetitive exposure, people don’t read, period.
So, people, if we are going to build the new internet, we better build it to be SAFE FROM THEMSELVES.
How can we achieve that? Well lets see an example, what about invalid SSL certificates, guess what? People accepted any certificate because they didn’t understand the error itself, and they simply want to get back to the website they were browsing. SSL MITM attacks were a freaking joke, it almost always worked… until… well, lets see what Chrome and Firefox did.
They went from this:
And from that to this:
So what changed?
- The first one was completely absolutely ineffective, NOBODY EVER READ OR UNDERSTOOD THE POPPING DIALOG, and everyone clicked on YES.
- Then we evolved to the second one, which is more scary and yet there was a button that said “proceed anyway” and people naturally pressed on it, because, again, nobody cared.
- Then lastly, they hid the “proceed anyway” option only for the ADVANCED users, the commoners would click the only seemingly option out there which is not “cancel” or “ok”, but a comforting colored button that says “BACK TO SAFETY”.
Another thing to notice is the evolution of the error messages, the third iteration was straight to the point and with no verbosity at all, a single sentence: “Attackers might be stealing your information, PERIOD”, now that is something I understand! I want to go back to safety now!!
Yes, we techies know that it MIGHT not be necessarily the case, it could be a misconfigured server, an expired certificate, a dns change, whatever. But you have to consider that your audience are grandmas, that’s the lowest common denominator, and when you simplify the messages you have the err to the side of caution BY DEFAULT.
Oh BTW, on Firefox it is even better.
SSL Error Screen on Firefox:
Okay, so the common user will definitely click on “back to safety” because it is the only option available. But those who are curious might click on “Advanced” just to see if there is a “Proceed anyway” option hidden…
By now, normal “curious” power users are scared away and left, but those who really know their stuff would click on Add Exception and see the certificate.
And it forces you to add a security exception, which for the common user is way less explicit than “proceed anyway”, then you have to review the certificate AND THEN “Confirm the Security Exception”… which is enough technicality to scare away an average user. You also have to make three clicks to add the exception and go to the site anyway, which also increases the effort and the cost of the action do do it.
My point is: blocking suspicious or risky activities must be a default, and for the common users there shouldn’t be an option at all to override it. Only the “Advanced” users should have a special menu, a little cumbersome to override it to make it sure that if they want to go through the trouble they know exactly what they are doing. A simple dialog warning will never be enough. If it were up to me, I wouldn’t even allow the “Add exception” button to be enabled until the user clicked and scrolled the actual certificate completely.