> > > [0] I don't know for sure, but it is my suspicion that Bayesian statistics
> > > explains this more clearly. If there is anyone in the house that actually
> > > knows it, please speak...

https://sparrow.ece.cmu.edu/group/731-s09/readings/Axelsson.pdf provides a
fantastic overview of the problem with false warnings and its impacts on
security warning design.
http://people.ischool.berkeley.edu/~jensg/research/paper/Grossklags-NSPW11.pdf,
imo, provides a good model and argues why warning designers should reduce
the number of false warnings. I used this model to make some arguments
about how SSL logic should be a bit more forgiving in
http://www.cs.berkeley.edu/~devdatta/papers/trustmemaybe.pdf

> Sure, but warnings are useless. Some people -- us -- might follow them.
> Most have been trained for so long to click through

Recent data for Firefox and Chrome indicates that it is not true:
clickthrough rates are not like 90% or some crazy rate like that.
Clickthroughs are under 30% mostly.
http://www.cs.berkeley.edu/~devdatta/papers/alice-in-warningland.pdf

> them that they no longer read them. Click-thru syndrome is a sad result
> of unreliable systems: if the False Negatives (wrong warnings) are too
> frequent, and True Negatives (correct warnings) are too infrequent, then it
> simply doesn't work [0] as people learn to click-thru without further
> examination.

That said, I agree with you that the browser should actively try to reduce
the number of such false warnings. I argued for it in
https://bugzilla.mozilla.org/show_bug.cgi?id=776278 and I also think the
impact and the number of false warnings should play a big role in deciding
whether or not to block iframes. I am not sure if the number of
false positives of blocking iframes was considered. As far as I know, there
isn't much telemetry on how many times just mixed content iframes
(everything else is secure) cause a warning. Those numbers can help us out,
but doing this measurement is tricky.

------

A couple more thoughts on this thread:

Making iframes "mixed active content" means that a user saying "yes, show
me the iframe" is also saying "and run any script over http in this secure
page".

I also think the comparison to IE is not apt---in the absence of
auto-upgrade, the compat hit IE takes is much lower. A more apt comparison
is Chrome, which didn't block mixed content iframes.

cheers
Dev
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
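The [0] question above (whether Bayesian statistics explains why false warnings ruin a warning) is the base-rate argument Axelsson makes. The following is an added worked example, not code from the thread, from Mozilla or from any of the cited papers: it applies Bayes' rule to a warning, with constructed figures (one attack per 10,000 page loads, a 99% detection rate, a 1% false-warning rate) chosen only to illustrate the arithmetic. The function names are this example's own.

```python
"""Base-rate arithmetic for security warnings (added example).

Given the fraction of page loads that are real attacks (the base rate) and a
detector's true- and false-positive rates, how many of the warnings a user
actually sees are justified, and how low must the false-warning rate go
before the warning becomes credible? All numbers used below are constructed
for illustration; they are not measurements.
"""


def posterior_true_warning(base_rate, tpr, fpr):
    """P(attack | warning) by Bayes' rule.

    base_rate: P(attack) for one page load
    tpr:       P(warning | attack), the detection rate
    fpr:       P(warning | no attack), the false-warning rate
    """
    p_warning = base_rate * tpr + (1.0 - base_rate) * fpr
    if p_warning == 0.0:
        return 0.0  # a warning that never fires has no posterior
    return base_rate * tpr / p_warning


def false_warnings_per_true(base_rate, tpr, fpr):
    """Expected number of false warnings shown for each justified one.

    This is the ratio the user experiences: if it is 100, then 100 of every
    101 warnings are noise, which is what trains people to click through.
    """
    true_rate = base_rate * tpr
    false_rate = (1.0 - base_rate) * fpr
    return false_rate / true_rate if true_rate else float("inf")


def max_fpr_for_precision(base_rate, tpr, target):
    """Largest false-warning rate that still gives P(attack | warning) >= target.

    Obtained by solving  target = b*tpr / (b*tpr + (1-b)*fpr)  for fpr.
    Tells a warning designer how far the false-warning rate has to drop for
    a warning to be right at least `target` of the time.
    """
    return base_rate * tpr * (1.0 - target) / (target * (1.0 - base_rate))


def scenario(base_rate, tpr, fpr, target=0.5):
    """Summarise one detector as a dict (used by the table printed below)."""
    return {
        "precision": posterior_true_warning(base_rate, tpr, fpr),
        "false_per_true": false_warnings_per_true(base_rate, tpr, fpr),
        "fpr_needed": max_fpr_for_precision(base_rate, tpr, target),
    }


if __name__ == "__main__":
    # Constructed figures: 1 attack in 10,000 loads, 99% detection, and two
    # false-warning rates (1% vs 0.01%) to show how much the latter matters.
    base_rate, tpr = 1e-4, 0.99
    for fpr in (1e-2, 1e-4):
        s = scenario(base_rate, tpr, fpr)
        print(f"fpr={fpr:.0e}: P(attack|warning)={s['precision']:.3f}, "
              f"false warnings per true one={s['false_per_true']:.1f}, "
              f"fpr needed for 50% precision={s['fpr_needed']:.2e}")
```

With the constructed figures, a 1% false-warning rate makes roughly 99% of displayed warnings wrong (about 101 false warnings per real one), and the false-warning rate has to fall to about one in 10,000 page loads before half of the warnings shown are justified. The detection rate barely moves these numbers; the false-warning rate is what the designer has to drive down, which is the argument made in the message above.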
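The remark above that an http iframe on an https page is "mixed active content", because the framed document can pull in any script over http, is easy to see with a static check. The following scanner is an added example, not Mozilla code and not how any browser's mixed content blocker is implemented: it walks the HTML of a page served over https, resolves each subresource reference, and classifies http:// ones as active (script, iframe, object, embed, stylesheet) or passive (image, audio, video). That active/passive split, the tag and attribute table, and the sample HTML are this example's own assumptions.

```python
"""Static mixed-content check for an https page (added example).

Lists http:// subresources referenced by a page served over https and
labels each as active or passive. Protocol-relative ("//host/x") and
relative references inherit the page's https scheme and are therefore not
mixed content. The sample page at the bottom is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption of this example: which (tag, attribute) pairs fetch a resource
# that can run code or restyle the page ("active") versus only render
# pixels or sound ("passive"). Stylesheet <link> tags are handled separately
# because only rel=stylesheet fetches something that affects the page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("frame", "src"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects http:// subresources referenced from a page served over https."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url), in document order

    def _record(self, kind, tag, value):
        # Resolve against the page URL so "//cdn/x.js" and "/local.png"
        # become https on an https page and are not reported.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link":
            rel = attrs.get("rel", "").lower().split()
            if "stylesheet" in rel and "href" in attrs:
                self._record("active", tag, attrs["href"])
            return
        for t, a in ACTIVE:
            if tag == t and a in attrs:
                # An iframe is recorded as active even though only its src is
                # visible here: everything the framed document loads,
                # including script, arrives over http.
                self._record("active", tag, attrs[a])
        for t, a in PASSIVE:
            if tag == t and a in attrs:
                self._record("passive", tag, attrs[a])


def scan(page_url, html):
    """Return the http:// subresources of an https page as (kind, tag, url)."""
    if urlsplit(page_url).scheme != "https":
        return []  # nothing is "mixed" on a page that is not https itself
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summary(findings):
    """Count active and passive findings."""
    counts = {"active": 0, "passive": 0}
    for kind, _tag, _url in findings:
        counts[kind] += 1
    return counts


# Constructed sample: an https checkout page with one http stylesheet, one
# protocol-relative script (fine), one http image, one http iframe and one
# relative image (fine).
PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<iframe src="http://widgets.example.test/embed"></iframe>
<img src="/local.png">
</body></html>"""

if __name__ == "__main__":
    found = scan(PAGE_URL, SAMPLE_HTML)
    for kind, tag, url in found:
        print(f"{kind:8s} <{tag}> {url}")
    print(summary(found))
```

On the sample page the scanner reports two active findings (the stylesheet and the iframe) and one passive one (the logo), and nothing for the protocol-relative script or the relative image. Note what it cannot tell you about the iframe: the framed document is fetched over http, so its contents, and any script it includes, are outside the reach of a static check of the outer page; allowing the frame means allowing whatever it loads.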
