It seems like Ivan Pavlov’s theory of Classical Conditioning is demonstrated every time I install an extension. You follow the same mindless task of white listing the domain, so that you can install, then wait for the delay, and install. Restart your browser, and your done. It rather quickly gets to the point where you don’t even think about it. Is that a good thing? Is this a bug?
I hope at some point, we get to the point where there’s a secure repository of extensions, ones that have been tested and known to be “evil free” (spyware, adware, virus, etc.). A source of safe and effective extensions that you can use without worry. It would likely be hard to review them all, but some. That can be installed easily, and the user can know that they are safe.
My objection to the current system is that it does little but block “drive-by downloads”. It requires a few clicks, so you don’t install something by accident. But other than that, what have you prevented? The extension can still be literally anything in the world.
How many end users really understand the risk? How many actually understand the dialog presented by those prompts that we bypass without even thinking about? I’m guessing most people just few these as annoyances, and still open and install stuff indiscriminately.
The problem with security is eventually people get used to it, and life goes back to normal. It’s something faced by national security experts, as well as programmers. Special security measures are only special when used in a limited way. Otherwise they become the norm. Right now the US threat level is “elevated”. How many people are doing something special as a result of that? Yea, most are just living their normal lives. Does this “elevated” level serve a purpose (other than PR)?
The big question is how do you clearly distinguish between safe, and unsafe to end users? I’d love to hear some comments on how to prevent these current security measures from becoming a Pavlovian Vulnerability.
Pavlovian Vulnerability – the susceptibility to a security risk due to a learned response almost automatic in nature in reaction to a monotonous situation or predictable chain of events.
Note: this is different from carelessness or negligence because Pavlovian requires it be learned, either by training, repetition or some other means.
Note: Yes, I’m discussing extensions here, but it also applies to how IE handles ActiveX, Safari and Dashboard Widgets, or how all browsers handle downloads. No browser that I am aware of is exempt from this issue.
Edit (10/15/05 9:13 PM EST): Added definition for clarity in regards to the title of this post.