The concluding points of the paper are that:
1) We should reduce the cost of security advice to users
2) We should offer advice whose cost is proportional to the victimization rate
3) We should retire advice that is no longer compelling
4) We should prioritize the advice we do give
I agree with all four. Points 3) and 4) in particular can be hard to persuade people of, particularly geeks and techies who, as well as understanding the advice easily themselves, are often people who like everyone to have “all the information”. Read some of the comments on my first post about passwords to see examples.
For SSL, I am hoping that we can get to a point where the main piece of security advice on the web is “check that the name of the company is correct in the green box”. The EV vetting system should ensure a very low false issuance rate, and the revocation system should ensure minimal damage from any falsely-issued certs. That glance should hopefully take each person half a second per site. It’s not the 0.36 seconds per user per day which the paper argues for, but it’s a whole lot closer than we are now.
I’m convinced we can’t protect users fully with zero user education. But we should minimise what that education is. And it shouldn’t involve reading URLs.