Positive Logic
Tuesday, December 5th, 2006 05:14 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
flwydInternet Explorer 7 recently showed up on a few servers at work which I access through Remote Desktop. Microsoft has had several years of feedback and development time since IE6 and their among their main foci were user experience and anti-phishing technology.
One of our internal web servers requires authentication (using windows domain security) and so runs under https so that passwords aren't sent in the clear. The certificate is assigned to the fully qualified host name, but the shortened host name resolves on our network and is easier to type. Visiting the internal name in Firefox pops up a dialog complaining that the certificate hostname and the URL don't match; if you hit OK (the default button) you view the page without further intervention. As I recall, this is also the behavior of Internet Explorer 6.
Internet Explorer 7's solution to the problem is to produce an HTML page stating "There is a problem with this website's security certificate. Security certicicate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website." (Emphasis in original.)
It then has three icons with links. A green checkbox accompanies "Click here to close this webpage." A red X marks "Continue to this website (not recommended)." A down arrow in a circle says "More information," which will slide out some details but does not show any information specific to the security certificate.
This interface is really annoying. Never mind that they can't seem to settle on "webpage" vs. "website" terminology in the same option list. I'm begrudgingly okay with the fact that I can't see what's wrong with the certificate -- most users wouldn't know how to read the information. The problem is much more insidious:
Yes means stop.
Think about confirmation dialogs you encounter when you use a computer. "Are you sure you want to quit the application?" "The trash contains 42 items and 69 MB of disk space. Delete from system?" In just about any situation you can think of, "Yes" means "Yes, do exactly what I asked you."
Look at any GUI with a set of buttons. If there's a red circle with an X it probably means "Stop" or "Error." If it's an X not in a red circle, it probably means "Close." If there's a check mark icon, it probably means "This item is OK." Occasionally it will mean "Continue." Until IE7, I don't think I've ever seen an X icon that continues to the next step, and I know I've never seen a checkmark icon that closes a window.
Look at any country with traffic lights. A red light means stop. A green light means continue in the direction of your choice.
But in Internet Explorer land, a green check means "Don't do what I asked you to do. Close the window instead." And a red X means "I don't care about your security warning system, take me where I asked you to go." The justification for this nonstandard interface seems to be that "Yes" means "Yes, Microsoft daddy, this site is insecure and I'll stop using it" and "No" means "No, I'm smarter than you and I'll do what I feel like." But is this a good metaphor for user interaction?
Update 12/6/2006: From IE7 I hit a diagnostic JSP page on localhost, which spun for several minutes. It turns out all threads were busy, so I restarted the server. Since the connection was dropped, IE wanted to show me an error page. But first it had to alert me that a page was blocked because it was not in the Trusted Zone. The page? about:internet When I went to add it to the Trusted Zone (along with windowsupdate.com) it complained because it didn't start with https:// about: pages are implemented entirely in the browser; if there's a security problem with an about: page it's a browser bug, not something malicious in this internet I'm trying to find out about.
One of the axioms of security systems is that when operating securely is too annoying for legitimate users, they'll choose or find ways to operate inssecurely.
One of our internal web servers requires authentication (using windows domain security) and so runs under https so that passwords aren't sent in the clear. The certificate is assigned to the fully qualified host name, but the shortened host name resolves on our network and is easier to type. Visiting the internal name in Firefox pops up a dialog complaining that the certificate hostname and the URL don't match; if you hit OK (the default button) you view the page without further intervention. As I recall, this is also the behavior of Internet Explorer 6.
Internet Explorer 7's solution to the problem is to produce an HTML page stating "There is a problem with this website's security certificate. Security certicicate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website." (Emphasis in original.)
It then has three icons with links. A green checkbox accompanies "Click here to close this webpage." A red X marks "Continue to this website (not recommended)." A down arrow in a circle says "More information," which will slide out some details but does not show any information specific to the security certificate.
This interface is really annoying. Never mind that they can't seem to settle on "webpage" vs. "website" terminology in the same option list. I'm begrudgingly okay with the fact that I can't see what's wrong with the certificate -- most users wouldn't know how to read the information. The problem is much more insidious:
Yes means stop.
Think about confirmation dialogs you encounter when you use a computer. "Are you sure you want to quit the application?" "The trash contains 42 items and 69 MB of disk space. Delete from system?" In just about any situation you can think of, "Yes" means "Yes, do exactly what I asked you."
Look at any GUI with a set of buttons. If there's a red circle with an X it probably means "Stop" or "Error." If it's an X not in a red circle, it probably means "Close." If there's a check mark icon, it probably means "This item is OK." Occasionally it will mean "Continue." Until IE7, I don't think I've ever seen an X icon that continues to the next step, and I know I've never seen a checkmark icon that closes a window.
Look at any country with traffic lights. A red light means stop. A green light means continue in the direction of your choice.
But in Internet Explorer land, a green check means "Don't do what I asked you to do. Close the window instead." And a red X means "I don't care about your security warning system, take me where I asked you to go." The justification for this nonstandard interface seems to be that "Yes" means "Yes, Microsoft daddy, this site is insecure and I'll stop using it" and "No" means "No, I'm smarter than you and I'll do what I feel like." But is this a good metaphor for user interaction?
Update 12/6/2006: From IE7 I hit a diagnostic JSP page on localhost, which spun for several minutes. It turns out all threads were busy, so I restarted the server. Since the connection was dropped, IE wanted to show me an error page. But first it had to alert me that a page was blocked because it was not in the Trusted Zone. The page? about:internet When I went to add it to the Trusted Zone (along with windowsupdate.com) it complained because it didn't start with https:// about: pages are implemented entirely in the browser; if there's a security problem with an about: page it's a browser bug, not something malicious in this internet I'm trying to find out about.
One of the axioms of security systems is that when operating securely is too annoying for legitimate users, they'll choose or find ways to operate inssecurely.
