
Firefox versus SSL is really about security versus usability

July 15, 2008

My blog post "Firefox 3 improves handling of invalid SSL certificates" is proving to be very popular. It touched a nerve, and the comments of unhappy Firefox users keep piling on. Although I suspect a large part of the problem stems from bugs (if you read the comments you will find reports of clearly unintended behaviour), there is a bigger problem between Firefox and its user base: it is one of security versus usability.

Who knows better: developers, or users?

It's not a problem specific to Firefox, nor a problem that only exists in the security sphere. In fact, once you become aware of the existence of the problem and start looking around, you will find it in virtually every aspect of technology. GNOME, for example, is famous for dumbing down the user interface and forcing its users to behave in a certain way.

It's not surprising that, with two opposing sides, there are two schools of thought. Implementing either approach is easy—and that's what many applications do—but that only results in unhappy users. Finding a way to make products usable, yet secure (or feature-full, outside security) is the real challenge. How do we educate the innocent yet enable the proficient?

Speaking of implementation, the answer may be in making applications capable of adapting to user needs. A system-wide setting could tell applications whether a user prefers to have decisions made for him. Alternatively, an application-specific flag could be set during installation. Having just two settings is probably not feasible, but there should be an easy way for advanced users to ask applications to show them everything.

But it may be that, in order to really solve the problem, we need to take a further step back and examine the way we develop applications. I think the majority of applications are still built by technical people, pushed by business people with features (not security or usability) in mind. Happy users are productive users, but very few companies seem to recognise this fact.