In a really interesting post, Bruce Schneier tells that “lots of warning dialog boxes don’t provide security”. The cause is users don’t pause to read the content of the dialog box and act consequently. They only want the job to be done, so they click the default button or, if this doesn’t work, they click whatever button until it finally works (or at least, the dialog disappear).
This happens with every application. The most usual case is security warnings from bad SSL certificates.
The user doesn’t stop to read the explanation of why the certificate is not correct. Usually, they don’t even know what is a certificate and why that dialog box popped up in first place, so they click the first button they see, accepting the certificate and accessing the page. It worked, so they don’t worry about it very much and next time this dialog comes up they will accept the default again, because it worked last time.
At least, in this example it’s easy to see that both name are not equal but are from Google. This is not always the case and we have seen it some times with phishing attempts which use SSL certificates with names looking similar to the site being masqueraded.
There’s no easy way to educate users about this, although there are some mitigating solutions, like better explanations of what is actually happening, in a language the user can understand.
Firefox, chooses another way, and uses a downcounter so you can’t accept the action until the counter arrives to 0. This is not perfect, as it can’t assure the user has read the warning, but it might help as the user might do something while waiting, and this could be to read the pop-up. (BTW, the warning dialog in the example is in Spanish).
The recommendation for users is to always read these pop-ups and try to understand what they are asking before accepting the default action. The recommendation for developers is to code better dialog boxes, with simple language, and never overwhelm the user with lots of warnings as they will become warning-blind and never read them again.
0 Responses to “Are warning dialog boxes really useful?”