
Dancing Pigs (http://en.wikipedia.org/wiki/Dancing_pigs)
You're surfing the 'net when Chrome decides not to bring you the web site of your choice, but instead a page warning that the site you'd hoped to visit might be bogus or contain malware. Do you: (a) Click on “Proceed anyway” because you really want to see the cat picture someone Tweeted to you; (b) Click “Back to safety” …
I am not surprised, either. Over the past 2-3 years, while reading consumer tech blogs, I've noticed a high correlation between self-professed Chrome use and trolling asshattery. Vitriolic hatred of Firefox and a Top Gun-like "need for speed" are common themes. I am pretty confident these are young male idiots we're talking about.
It takes one to know one, but at least I'm aging out of it.
from the pdf...
"A user clicks through a warning to dismiss it and proceed with her original task. A user leaves the warning when she navigates away and does not continue with her original task...the user has (1) ignored the warning because she did not read or understand it or (2) made an informed decision to proceed because she believes that the warning is a false positive or her computer is safe against these attack"
Will someone please teach these academics about the idea that 'he/his' refers to specifically male people, 'she/her' refers to specifically female people - and that if it could be referring to either male or female then the traditional usage is to say 'he or she/his or her' or (my preference, although it is frowned on by classic grammar pedants) to use 'they/their'.
I believe this style (quite common in Google sourced text) is intended to address the historic imbalance of written gender representation, because it is felt to be 'a good thing to do'.
My personal preference would be to write, "When one is presented with a warning which advises one that proceeding further will compromise one's computer security ....etc". People always laugh at me when I do that so I've stopped bothering.
Except that "he" is the correct word when gender is unspecified, it also happens to be correct for males. Similarly "she" is the correct word if you're personifying an object, such as a boat, car etc and also just happens to be correct for females.
The ridiculous "political correctness" approach of constantly using he/she, or worse using the feminine variants as some sort of gender redressing, just makes people look unbelievably ignorant of their own language.
'The ridiculous "political correctness" approach of constantly using he/she...'
As opposed to some other form of correctness by using 'he' when gender is unspecified? I tend to use 'he/she' in more formal writing, not for its elegance or its political correctness, but because I find it more accurate. I use 'they' in less formal writing and probably in speech. Perhaps I should use it all the time. It was good enough for Shakespeare. And if it pisses off those who believe there are 'correct' and 'incorrect' forms of grammar, all the better.
I hope the new curriculum reintroduces English grammar and literature in some depth.
1. "Man" is the species as well as being used in some contexts to mean a human male. cf. Dog and dog/bitch.
2. On the same principle, "He" is sexless in the generic sense. "She" is not.
3. Even the Oxford dictionary lists one usage of "they" as the sexless pronoun that can be used when the gender is not known or is irrelevant.
4. "One" is another neutral term, with the added advantage of putting a disinterested distance between the writer or speaker and the subject matter.
I suppose men should complain that their gender is not treated with the respect accorded by a unique indicator.
Pet hates:
Chair or chairperson, showing ignorance and disrespect in one go (can you not see if the person is male or female?).
Unmarried woman using, "Ms", that stood for "manuscript" at one time and is unpronounceable and unnecessary. After all, the convention has long been that, if one does not know, call her "Miss" (I think the very old convention of changing that to "Mrs" for more mature women is gone); married women sometimes kept their maiden name, using "Miss", particularly at work for professional women and actresses (I know a couple who do that for continuity with their pre-married work references and to distance work from private life).
The obsession with sex in all aspects of life, leading to this nonsense of concentrating on one's gender rather than one's abilities and deeds, interpreting all interactions as a competition between the sexes and corrupting language and communication for the narrow concerns of a few who seem to need props.
At my company, we ignore those warnings on a daily basis.
Why? Because we do some development and some of our webservers use a basic shared SSL certificate which is proper for just one URL out of 132 people use. So for the rest, people need to ignore those warnings.
Same goes for one of my personal sites which is on a shared hosting account with shared SSL. Every now and then people need to ignore SSL warnings. There are plenty of reasons to ignore SSL certificate warnings unfortunately.
Theodore - I set up a lot of test environments and these warnings tick me off.
I'll have a look at wildcard certs later today (I assume this isn't the same as self-signed certs, as these are what give the warnings) and see if it can help prevent my stabbing hand itch when I'm doing testing.
Ta for that :)
Steven R
If you're using self signed certs internally (which is a perfectly reasonable use of them) then whoever is in charge of your network ought to push them out to users via some out-of-band mechanism. It's not hard to do and it's much better than training users of your corporate network to ignore potential security warnings.
"all that needs to be done is for them to generate a wildcard certificate, or, if your network is more than a single namespace, then a wildcard certificate per namespace."
- sure, that's the normal approach. But the guys here are cheap. The host administrator's protocol doesn't include using wildcards because as they charge a couple of euros per certificate, generating a wildcard certificate isn't really bringing them any profit.
- internally, wildcards are used, but the problem is that in order to comply, we would need to use the form "*.TLD" which is not accepted (still generates warning).
To better understand what I mean, internally we use the form <user>.<language subdomain, 12 variations>.<site name, 132 variations>.<domain, 14 variations>.<environment, 6 variations>.
Even the combination *.domain.environment means 6*14 options, but it doesn't work. The lowest that seems to not generate warnings is *.site.domain.environment. It's much less of a headache to ignore the warnings.
Also, one of the environments is actually an external server that has an internal alias. It already has valid SSL for all sites, but as we usually use the internal aliases (because in that case we can force the site to use an internal CDN for static resources) so not even wildcards help in this case.
Let the warnings ignore rain down.
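The wildcard behaviour discussed in the comment above, as an added example that is not part of any comment in the thread: a wildcard certificate name covers exactly one label, so a multi-level naming scheme needs one wildcard per parent name. The hostnames are constructed, `example.test` stands in for `<domain>.<environment>`, and the matcher is a simplified form of the browser rule (wildcard only as the whole left-most label, at least two fixed labels after it).

```python
from itertools import product


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Simplified certificate name matching.

    '*' is honoured only as the entire left-most label, stands for exactly
    one label, and must be followed by at least two fixed labels, which is
    why a name of the form *.TLD is refused.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard never spans several labels
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def wildcards_needed(hostnames):
    """One wildcard per distinct parent name is the minimum that covers all hosts."""
    return sorted({"*." + h.split(".", 1)[1] for h in hostnames})


# Constructed sample following <user>.<language>.<site>.<domain>.<environment>
USERS = ["alice", "bob"]
LANGS = ["en", "de"]
SITES = ["shop", "blog"]
SUFFIX = "example.test"  # assumption: stands in for <domain>.<environment>

HOSTS = [".".join(parts) + "." + SUFFIX for parts in product(USERS, LANGS, SITES)]


def coverage(pattern, hosts=HOSTS):
    """Hosts from the sample that a certificate carrying `pattern` would cover."""
    return [h for h in hosts if wildcard_matches(pattern, h)]


if __name__ == "__main__":
    for pat in ("*.test", "*.example.test", "*.shop.example.test",
                "*.en.shop.example.test"):
        print(f"{pat:28} covers {len(coverage(pat))} of {len(HOSTS)} hosts")
    print("wildcard names needed:", wildcards_needed(HOSTS))
```

With the sample above, only the wildcard placed directly under the user label covers any five-label host, and the number of wildcard names grows with languages times sites rather than with users.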
Now if this is what they are tracking.. I have to enter a site with a self signed certificate at least 1 time per week for what 15 years now? As a programmer (besides the ones I have generated on my own) I click through the warning a lot in forums, wikis, blogs and source code download sites for individual open source projects.
I routinely track down malware and phishing sites (bit of a hobby, I like figuring out what the crims are up to and how they're doing it), and I generally use Chrome in a VM to do it. So I always ignore Chrome's malware/phishing warning page...not that it matters, since that warning always seems a bit behind the curve anyway.
I had no idea I was cooking the statistics by doing that.
There is an option to report back at install time. It is not hidden and is right below the set as default option.
Hmm. I hope that data is anonymised, otherwise such an option must be OFF by default and must explicitly (i.e. separately) ask for permission to comply with EU Data Protection laws.
When you download Chrome, there is a tickbox option to "Help make Google Chrome better by automatically sending usage statistics and crash reports to Google.". There's a "learn more" link that goes to https://support.google.com/chrome/answer/96817?hl=en This option is ticked by default, but you can untick it if you want.
Information about whether the warning page is used or skipped counts as part of that "usage statistics".
More generally, in order to figure out how to improve a computer program, you need to know how it's used. E.g. if 1% of customers use feature A, and 80% of customers use feature B, then perhaps you should spend more development effort on feature B since improvements there will benefit more people. In ye olde days most companies would just guess what users would do, although some companies ran usability tests where they'd get maybe 10 people to use the software in a controlled lab setting with artificial tasks. Nowadays, it's trivial to measure what the actual users are really doing, which gives you solid data to use to improve your product. That's why Google collects this telemetry.
how did these users get Chrome?
a) Went and looked for it, checked out reviews, read its privacy policy and then actively chose it
or
b) clicked on a big icon saying install Chrome or blindly clicked next, next, next when installing "free" software
.
And there folks, is your answer why so many ignored the warnings.
That's a pretty good idea. It could cover other security risks besides JS too. The only problem that immediately occurs to me is that to do much good it would have to automatically extend whatever restrictions it put in place to other sites linked to from there as well, which could possibly become confusing. Maybe it could open in a new window with some kind of visual cue that everything in there is being treated as suspect.
"Do you: (a) Click on “Proceed anyway” because you really want to see the pussy picture someone Tweeted to you; (b) Click “Back to safety” because it's not worth having crims empty your bank account for a peek at one cute pussy."
1) When we substitute one euphemism for another, we begin to better understand the situation, which is that:
2) according to empirically verified data, yes, it is "worth having crims empty your bank account for a peek at one cute pussy."
This should help resolve the question of gendered pronouns, as discussed earlier in the thread. But, for inclusivity's sake, maybe not...
I'm quite sure it's caused by warning fatigue. Seriously, who got a certificate warning because of active Man in the Middle? Because that's the only thing that a non self-signed certificate protects you against: active man in the middle. Stuff even PRISM didn't attempt.
We really should opt for SSL everywhere (as in browser tries :443 first), and if the connection is secure, then it shows a padlock/golden address bar/cute pussy.
I need to know if the connection I'm using is secure only if I entered some data on it, not when I just want to read the page!
...and I don't mean that disrespectfully to the author or El Reg.
The sort of person that continues at a warning page like this on the open internet, is the same sort of person that falls for scams out there in meat-space. They forward chain letters, make no effort to lock doors, get taken in by frauds, spam their social networking site with chain status updates, forward virus 'warnings' en masse...
We all know this. Most of us have been cleaning their computers up for years. Hell, most of 'em just panic and comply with absolutely anything the computer 'tells' them to do.
Google could change that safety page to a line of drag can-can dancers, and it would make no difference - problem is in the chair, not in the web browser.
I don't normally get warnings about malware or phishing sites if I do I ignore them. I often get warnings about self signed SSL certs or mismatched SSL certs and I consider each one. If I am logging into the admin console of a customer device I know that it's nothing to worry about generally as I trust the management network involved and know the certs are supposed to be self signed. Again when browsing the web if for example my bank site or Facebook presented an SSL certificate error I'd run away! It's not the fact I'm ignoring the warning, I'm considering should this site be using a self signed certificate? Do I need to login to do anything on the site? Are those login credentials likely to cause me a loss (bank or online purchases) or embarrassment (if someone gets my Facebook login details and posts malware or spam as me). Sometimes the user knows best!
I don't normally get warnings about malware or phishing sites if I do I wouldn't ignore them and wouldn't continue onto the site in question unless I was just being nosy and was sure I wouldn't be infected myself. I often get warnings about self signed SSL certs or mismatched SSL certs and I consider each one. If I am logging into the admin console of a customer device I know that it's nothing to worry about generally as I trust the management network involved and know the certs are supposed to be self signed. Again when browsing the web if for example my bank site or Facebook presented an SSL certificate error I'd run away! It's not the fact I'm ignoring the warning, I'm considering should this site be using a self signed certificate? Do I need to login to do anything on the site? Are those login credentials likely to cause me a loss (bank or online purchases) or embarrassment (if someone gets my Facebook login details and posts malware or spam as me). Sometimes the user knows best!
@Justin: Indeed. Notice that the browser/OS combinations with the largest proportion of clickthroughs tend to be the ones most used by sysadmins, especially when using a Linux machine to investigate pages that users have received warning messages about. I've had Trend Micro tagged by Google as a malware site. The more this keeps up, the greater the chances of users going on to a real malware or phishing site, because of the number of false positives.
Let's have a look at why people use Chrome:
"Well its safe innit? Evverywun on teh internets sez use Chrome not IE cos Chrome's rilly safe and cant be pwned. Must be rite cos it sez so on teh internets.".
They then ignore the warnings because they're sure that Chrome will prevent anything nasty happening anyway.
It does not matter what you use. The largest security loophole on any combination of machine and software is the idiot sat in the chair using it. Telling people that such and such software is somehow inherently safer is counterproductive and just leads them into a false sense of security.
My guess:
1) People who have Firefox usually installed it because they thought it was a better browser.
2) People who have Chrome probably installed it for no better reason than some other program came with a pre-ticked option to install Chrome alongside the other program. Often, they are only using it because it installed itself as the default browser and they don't know how to change it.
And so, by marketing Chrome in this insidious manner, it's surely expected that it will have a greater proportion of less-intelligent users?
Simple answer -- stop bundling Chrome with irrelevant stuff and it will progressively gain users with greater intelligence, those who are using it through choice not through deceit.
Chrome has consistently done the best out of the mainstream browsers on security tests (ex pwnium, etc). Maybe the users are more likely to be like "So what if the site pushes out malware. I'm on chrome, the malware won't pwn me"?
The thing is, when you pop up a malware or cert warning, with the only option being ignore or leave, you are asking people to stop the task they were trying to do - and the only way to move towards their goal is to ignore the warning entirely. They could improve the effectiveness of these warnings by giving us an alternative other than all or nothing...
They should always give an option to proceed with JS and all plugins disabled.
For cases where the warning is one of those "Site X contains content from Site Y which is known to distribute malware" - which are almost always caused by an ad network getting hacked and filled with malware - why is there no option to "Proceed, but block all content from site Y"?
I quite often ignore their warnings. Why? Some of the warnings are crap. Not all, but some. What Google don't acknowledge is there are the collateral damage blocks from as using the www equivalent of spamhaus blocklists. So if people get away with it 'I understand the risks durpy durp durp durp' once....
Do Google publish their false positive statistics?
I click through that security warning two times a day every day on my phone. The guest wifi redirect at my place of employment has a bad security certificate. Every day I tap the proceed anyway button and log in. No malware.
At home I've seen it from time to time and turned back.
I'd wager a lot of the people using Chrome are smart enough to know when it is a valid or invalid warning, and many of them probably have strong enough security software that they're confident if their browser gets pwnd it won't hurt them anyway.
I don't care anymore, as everyone from the Council to the Binman has access to 'my' computer ..
Extent of council spying revealed, Mar 2009
I sometimes do and sometimes don't ignore the warnings, I ignore them when going to my NAS drive site, because I know why Chrome isn't happy. And I ignore it other times as well, but I don't always ignore it.
It all depends on what I clicked on, if I'm fairly sure it's just a miscategorisation then I'll proceed.
And there's no stats that is going to tell Google that.
For me to never ignore it, then they need to be damn (as in 100%) sure it's a harmful site which isn't doable, or have a 'I trust this site checkbox'.
Then the stats might actually be saying what you say they're saying now!
Any business up to Microsoft is liable to let its certificates and even domain name registrations expire. And as for providing up-to-date secure access for your own employees on the intranet, don't be silly. Even though paying your workers to click "Ignore" whenever the security warning appears also costs money, a second at a time.
And even though this is just how they'd be informed if they were tricked into going to a resource that is -not- on the internal network.
On the other hand, if I'm searching for something arbitrary, not specific, online, and the browser or the search engine says "That web page is dangerous", then I am fairly confident of finding a non-dangerous substitute page with a similar resource.
Having said that, when I last looked - which is quite a while ago - the Linux-based SystemRescueCD, which I'm inclined to trust, produced a warning from Malwarebytes security software when visiting SRCD's web site, which seems to be because although it's probably clean, it was or is hosted in a bad neighbourhood on the internet: several IP addresses nearby were malware sites.