It seems like Ivan Pavlov’s theory of Classical Conditioning is demonstrated every time I install an extension. You follow the same mindless task of white listing the domain, so that you can install, then wait for the delay, and install. Restart your browser, and your done. It rather quickly gets to the point where you don’t even think about it. Is that a good thing? Is this a bug?
I hope at some point, we get to the point where there’s a secure repository of extensions, ones that have been tested and known to be “evil free” (spyware, adware, virus, etc.). A source of safe and effective extensions that you can use without worry. It would likely be hard to review them all, but some. That can be installed easily, and the user can know that they are safe.
My objection to the current system is that it does little but block “drive-by downloads”. It requires a few clicks, so you don’t install something by accident. But other than that, what have you prevented? The extension can still be literally anything in the world.
How many end users really understand the risk? How many actually understand the dialog presented by those prompts that we bypass without even thinking about? I’m guessing most people just few these as annoyances, and still open and install stuff indiscriminately.
The problem with security is eventually people get used to it, and life goes back to normal. It’s something faced by national security experts, as well as programmers. Special security measures are only special when used in a limited way. Otherwise they become the norm. Right now the US threat level is “elevated”. How many people are doing something special as a result of that? Yea, most are just living their normal lives. Does this “elevated” level serve a purpose (other than PR)?
The big question is how do you clearly distinguish between safe, and unsafe to end users? I’d love to hear some comments on how to prevent these current security measures from becoming a Pavlovian Vulnerability.
Definition
Pavlovian Vulnerability – the susceptibility to a security risk due to a learned response almost automatic in nature in reaction to a monotonous situation or predictable chain of events.
Note: this is different from carelessness or negligence because Pavlovian requires it be learned, either by training, repetition or some other means.
Note: Yes, I’m discussing extensions here, but it also applies to how IE handles ActiveX, Safari and Dashboard Widgets, or how all browsers handle downloads. No browser that I am aware of is exempt from this issue.
Edit (10/15/05 9:13 PM EST): Added definition for clarity in regards to the title of this post.
18 replies on “Pavlovian Vulnerability”
As long as it doesn’t turn into MS’s way of solving security – trusted downloads! Because a signed EXE is certain to be safe no matter who it comes from, even Gator soft!
Signing already exists on XPIs but I’ve never seen it used. Spyware toolbars already exist for Firefox, I’ve seen two of them. The website gives clear instructions on how to whitelist the site and get them installed. And as we know – people are willing to follow any instructions no matter how unwise when pr0n or games are promised. FF needs to come up with a better solution and soon – no later than FF2. If spyware vendors suddenly turn their entire focus on firefox overnight, FF is not properly protected against simple social engineering.
Honestly, you need to educate users. Most users have no idea about security, which is why online banking sites bombard you with security info to try to make you understand.
You can even disable the whitelist from the options with the latest nightlies. 😐
@Doron: Then the question remains: how do you do that without confusing them, or requiring them to go back to school? The simple way is esentially conditioning.
Whitelisting has absolutely nothing to do with the security of the extension, and everything to do with your willingness to allow the website to pose a modal dialog. The only reason we have it is to keep a site from insisting that you install something, by putting up the dialog again when you cancel. If you link to an xpi on my server, or on http://ftp.mozilla.org, the user still has to whitelist you, and isn’t (or shouldn’t be) doing so because they trust you to only link to safe software, but because they trust you not to put them in a modal install dialog loop.
The install delay has nothing to do with causing you to think about the safety of installing the extension, and everything to do with keeping a site from tricking you into clicking the button when you don’t even see it, by doing things like getting you clicking at a particular spot in a game, and then putting an install dialog under your mouse.
Users need to know that installing an extension is exactly as dangerous as installing any other software, no more and no less, but that’s education, it has nothing to do with technology. You should be conditioned to automatically whitelist (or copy-paste into a new tab) when you want to install an extension, since all you are saying is that you don’t mind getting install prompts from that site. You should be conditioned to automatically click OK when the timer expires, when you were planning on installing an extension, since it’s only there for the times when you weren’t expecting an install prompt. The time when something other than automatic responses needs to happen is while you are deciding to click the link to install an extension, and without a jack directly into your brain, software can’t fix that, only education can.
Some sort of “fairly safe extensions” might be nice, kind of, but I can’t see it working. A patch written by a very good core hacker, reviewed by an even better one, and superreviewed by a better yet one, can still have truly awful results. There’s no chance of getting those totally swamped people to review extension code (after all, that’s part of the reason that many things are extensions, rather than core code), so the best you could hope for is “at least somebody kind of looked at this, and thinks it probably isn’t going to attack your pets,” which is pertty close to u.m.o already.
@Phil Ringnalda: the problem is that it becomes a conditioned responses to simply go through the motions. After a few times, it’s easy to not even think about it. At that point, I wonder if the user really thinks “Hmm, this isn’t whitelisted by default… maybe that means I should proceed with caution?”.
Personally I doubt that much thought goes into it.
I honestly don’t expect to much from whitelisting, though it’s a good idea. My objection is that people will do the same like they do with ActiveX, and just install anyway, despite an extra click or two. They don’t know that the content is safe, or where it’s from. They just do it.
The problem is really interface, more than security. It doesn’t require the user to aknowlege the risk they are actually taking. Doron hints at that up above, but doesn’t mention a solid solution on how to go about that.
I don’t see addons.mozilla.org mentioned anywhere above. Its already on your whitelist and things are reviewed. Of course if you don’t like the delay you can get rid of it.
Well… First of all the delay does good here. User might go with habits, but he will have those 3 seconds to think if he’s doing good. And what if he’ll ignore it? Well… then at least he will not blame us – he knows that we gave him a chance. We can’t do much more without annoying him.
Another thing is with whitelisting. I think that we should add option to allow THIS one specific installation without adding sites to whitelist. So I can install what I want without saying that I trust this site forever.
And what user thinks when he adds a site to whitelist? No matter – once more – we gave him a chance to think. We can’t think on behalf of him.
Otherwise we will end like the worst companies… Watch this – http://www.lafkon.net/tc/
It’s all about WHO has a power to decide…
@Gandalf: completely agree with the 1 time deal. Perhaps call it “temporary whitelist”.
You point out a real problem but I wonder too how (if!) it can be solved.
What is safe for me at home isn’t safe anymore at work: the risk is the same but consequences much higher. There are more people to infect, more work to lose if ever compromised/infected one day.
This strikes me as closer to operant conditioning than classical conditioning… there is a reward for the action being performed, which increases the frequency of that action being performed again. I can’t spot the UCS-UCR/CS-CR pattern in what you’re describing.
(I have not done very much Psych.)
Robert: what for? Why not just add an option to to the bar like we made with popups?
When the site tries to open a popup, firefox blocks it and displays this warning bar. Context menu allows you to add site to trusted, do something else and open this one popup once. We should imho do exactly the same about extensions.
I think that the install software bar should also have something like ‘install but don’t add to whitelist’ option.
Phil wrote:
I think it’s important not to forget that this is “sufficient” UI to protect the Regular People™ who make up the vast majority of many products’ userbases (I don’t think they make up a sizeable enough percentage of Firefox users or this discussion wouldn’t be framed the way it is 🙂 ) “Sufficient” here more closely approximating “good but there’s still room to improve” rather than “foolproof security”….
One of the best security UI improvements to solve a similar problem is the yellow location bar background for https sites (limits of that notwithstanding–hrm, I thought Gerv had a article on those limitations?). The yellow background eliminates the modal dialogues, which makes it less suceptible to the conditioning that comes with annoying modal dialogues, is visually distinct enough to catch the attention even of the jaded Bugzilla user–and for Regular People likely appears infrequently enough to really catch their attention. The absence of the yellow background is the first thing I notice when using non-Moz browsers on my Mac. I’ve become so familiar with it that I’m tempted to turn off “warn when leaving a secure site” and just leave the modal dialogue for mixed-mode sites.
Unfortunately, I can’t think of a way to apply this UI innovation to extension installation. The ability to trust the site one time for installation seems like a good step to take with the current UI, though.
Crud, I must have had a typo in my closing blockquote tag 😳 And it messed everything else up, too; the emphasis was just supposed to be on since it’s only there for the times when you weren’t expecting an install prompt.
Didn’t you use to have a preview function, Robert?
@Smokey Ardisson: I fixed that for you. That preview function was causing some people to have problems typing (since it updates for each key typed) causing long posts to be impossible. I’ll look into something non-dynamic (slashdot style, or phpBB like) for use here, or something that just scales a bit better.
Maybe part of the problem is that the install prompt dialog is so small that it doesn’t look like a big deal, when in fact it is. People might be more likely to think twice before clicking through an installation wizard that presents you with a license (even if the user isn’t going to read it), or a dialog that comes with one of those background windows that covers up the rest of the screen, or for that matter, a dialog that takes forever to load and gobbles up your memory – just like the Microsoft Office installation wizard.
Instead, the current dialog is the same size as the dialog you get when entering a secure site. That fact, and the dialog’s complementary green icon (the default extension icon) could lead a user to subconsciously dismiss the risk involved in installing an extension.
(IANAP)
Hello! Help solve the problem.
Very often try to enter the forum, but says that the password is not correct.
Regrettably use of remembering. Give like to be?
Thank you!