[SOUND]. In this video, we're going to look at an example of usability for the average user. And in particular, we're going to focus on Firefox's Untrusted Connection Error. This is an important security error that happens when Firefox tries to connect to a website that has an invalid security certificate. But the error is pretty technical and may not be accessible to the average person. So I've brought in a computer savvy user who's not a computer scientist and I'm going to have him go through the process of receiving that error. And he's going to tell us what he thinks it means and what he should do. All right, so sitting at the desk here we have our computer savvy non-computer scientist who's going to go through a process of getting a common security error on the browser. And we're going to see what he has to say about it. So computer savvy non-computer scientist, I want you to go Twitter.com, and it'll probably auto-complete. So just go in the bar at the top and do Twitter.com. >> Okay. >> And hit Enter. All right. So I want you to read what's on the screen and then tell me what you think it means. >> This connection is untrusted. Want me to read the whole thing? >> You read whatever you would read if you encountered this in your normal browsing life. >> All right. You've asked Firefox to connect securely to Twitter.com but we can't confirm that your connection is secure. >> What do you think that means? >> That means, they don't know, they, Firefox doesn't know whether the connection to Twitter is secure. Then it says, normally sites will present trusted identification to prove that you're going to the right place. However, this site's identity can't be verified. So, Firefox can't be veri, can't verify that it's Twitter, actually Twitter. >> So what do you think the risks are if you see an error like this? >> Well, it could be a spoof site or it could be taking me to somewhere that is not actually Twitter. >> So what would you do if you got this error? >> In real life, I would ignore it. >> And so, what, like in real, so pretend we're in real life. What would you actually do here, on this screen? >> I don't know. Try to click on whatever button they give me. And then try to type the whole thing into Google. aha, so it says, I understand the risks. >> If you're reading, read out loud for us. >> It says, if you understand what's going on, and I have a vague notion, I may be wrong. >> Wait before you continue, what is your vague notion about what's actually going wrong? >> That there's a, a disconnect between Firefox and Twitter and Firefox can't verify that it's going to Twitter. But it looked like the Twitter addressed it to me. And it was, you know, I found it also through Google so I, I, I think it's Twitter. And so then it says, if you understand what's going on, you could tell Firefox to start trusting this site's identification. But even if you trust the site, this error could mean that someone is tampering with your connection. >> Do you know what that means when it says someone is tampering with the connection? >> I have a vague concept that it means someone might be, have gained access to my computer or you know, is, I don't know. Siphoning off information between what Firefox is doing and what Twitter is doing. >> Okay. >> But, it's only Twitter, it's not my bank. So I'm not sure there's that much harm in this case, but I don't understand it that well. >> Would you do this, I understand the risks, saying if it were your bank? >> Probably not. Or my credit card. >> Yeah. >> Statement? Probably not. >> Okay. >> So I can add an exception. Maybe. >> If you're reading, read out loud. >> It says, you are about to override how Firefox identifies this site. Then it says legitimate banks, stores and other public sites will not ask you to do this. And it says, the certificate says, is this site attempts to identify itself with invalid information, it's outdated information. The certificate is not currently valid, it is impossible to verify whether this identity was reported as stolen or lost. >> Now do you worry about that or not? >> Yeah, I'm worried about it. And it seems like Firefox is going to some effort, I think it's Firefox to- >> Yeah. >> Not let me do this. So I'll just not do it. I'll cancel. >> Okay. >> Get me out of here. Okay. But I'm still not sure what happened? >> Thank you computer savvy non-computer scientist for helping us process this error message. >> I'm happy to help. >> So what are some lessons we can take away from watching this video? First, the user knows that something bad is happening, but he's not really sure what. He's able to read back some of the possible errors that the screen is telling him, but he doesn't really know what those mean or how they would work. The user also has good general strategies. For example, he said he'd worry more about sites with sensitive information like his bank or his credit card, but with Twitter, he's not too worried. That's a great strategy. But if he were, for example, to be facing a man in the middle attack where someone would hijack his password and potentially his email address that he uses to log in. If that password's repeated, he actually could make a lot of his accounts vulnerable. So his strategies are good, but because he doesn't understand what the possible security risks are, and they're not communicated to him by this error in a way he can understand, he may make himself vulnerable if he were to go around this error. And finally, the error message that Firefox shows relies on a lot of information that the average user doesn't understand. The example user we have here is actually quite computer savvy, but he didn't understand a lot of the technical terms and jargon. He doesn't understand what security certificates are. How they work. When they expire. What that means. And how they can be spoofed, or inaccurate credentials can be sent to allow an attack. So, the Firefox does a very good job of discouraging people from continuing on, when they encounter this error message. They're not doing a very good job of explaining what could be happening. So a question for you to think about in to having the discussion is, how could we improve this? If we wanted to have an error message that appears when there's an invalid security certificate. What could we do to make it so a really average user could sort of understand what's going on there, and make good decisions? It's not a bad idea to really discourage them from taking a risky action, but it's even better if we can educate them on what's happening. So, think about how we can improve that error message
