Half our industry is built on fooling users. Exploiting their cognitive biases. Seriously, we understand where they fall, and if we really wanted to, we absolutely could look out for them -- at least, certainly better than we're doing right now.
What can Apple do? They could make a better browser (I like how Chrome and Firefox do things - you have to go out of your way to reach a page with bad SSL -- compare Safari's rather passive and enabling error message: http://blog.serverdensity.com/wp-content/uploads/2009/05/ssl... vs. Chrome's: http://i.imgur.com/ttmmDJ8.png -- you have to REALLY see and think how to access the site despite the warning, it's that good). They could be more vigilant in alerting users of where and how this can happen.
If we were talking about any other young startup, your apology might fly -- not so with Apple, they're sitting on billions, they have the resources to think of a solution and implement it.
Interestingly, up to now the only time I've seen an SSL certificate warning was a misconfigured server. This is the first time that I've seen an attack throw up a cert error (usually attacks leverage other avenues that don't alarm users). Microsoft research even confirms:
"It’s hard to blame users for not being interested in SSL and certificates when (as far as we can determine) 100% of all certificate errors seen by users are false positives."*
Dang, didn't realize that the formatting cuts off the quote, here it is in full:
"It’s hard to blame users for not being interested in SSL and certificates when (as far as we can determine) 100% of all certificate errors seen by users are false positives."
I'll buy the argument that the industry has a duty to protect users, and also that Safari could be designed to better warn about SSL.
> Your response is like saying when Facebook was privacy zuckering, the user clicks right through the settings that should have sounded an alarm.
This is a bit odd, though. On one hand we have a company directly attempting to trick users; on the other, we have a company whose product is being attacked by a hostile government. Drawing an equivalence between the two is a bit ridiculous, no?
The comparison was between a company whose web UI tricked unsuspecting/naive users into revealing private info to third parties, and a company whose browser UI is making it all too easy for unsuspecting/naive users to inadvertently reveal private info to third parties.
I think the two are quite comparable. In both cases, the software developer should be responsible for guiding the user to make the right decision.
Yes, that was probably not a very good analogy. I was trying to highlight the fact that we're really good at getting users to do what we want (things, specifically, that hurt them and make us more money). So far, we (the tech industry) have put a lot of effort into tricking them into doing what we want; now maybe it's time to trick them for their own benefit, rather than ours.
Your response is like saying when Facebook was privacy zuckering (http://darkpatterns.org/library/privacy_zuckering/), the user clicks right through the settings that should have sounded an alarm.