Okay, following my irritated post I received (sigh) complaints about me being too harsh. So to these people here is what I say, because I'm tired answering the same thing over and over.
For starters, the SSL dialog in firefox is badly designed:
- My mom doesn't grok it, so it totally fails the "corridor testing" (see JoelOnSoftware if you don't know what it is), stop pretending otherwise;
- since it fails with the "average not very computer literate user", I, as an advanced user, believe to be representative of this kind of person, say and affirm that this UI is completely broken and horrible, not to mention counter-intuitive.
That said, I have other things to say on the form. Yeah I've been harsh, and I will continue to be about this issue: this has not been designed with the simplicity in mind, but by geeks (FSVO geek) that believe that it's important to educate people about how nice HTTPS is and that everyone should talk in S3kr3t because its 733t. And I'm sure they tried very hard to make it very painful for users to have to deal with HTTPS and not believe in it to be trusted for bad reasons. Why ?
- because geeks want to use https when possible ;
- but they care about it to be secure (FSVO secure);
- and that they want the whole world to do like them because they know the TRUTH.
HELLLOOOO PEOPLE this is the wrong way to do it. People are already aware that it is https, because they did typed https in the URL. And again, my mom doesn't know what the s in https stands for and she doesn't care. What she cares about is to see the small lock when she logs on her bank website, not even when she goes on her webmail. You REALLY want to make a simple UI ? Well, please try to explain and justify (with real arguments) Why on earth is https with an untrusted certificate less secure than http ?.
Okay I'll let you 3 seconds to think.
1
2
3…
What is your answer ? OH see ? it isn't. So now second 1€ question, why does it need to be more painful to use https with an untrusted certificate than plain http ?. Well, I don't have 3 seconds to give anymore, so let's jump to the answer: there is absolutely no reason.
See, I'm far from an UI expert, and what I use every day for UIs would revulse 99% of the planet: vim as an editor, awesome as a tiling window manager, vimperator for a browser, and I live most of the time in a terminal. But it takes me like 10 minutes to design what I believe to be an excellent UI for https with untrusted certificate: just don't mind the certificate and show it like plain HTTP.
YES I'M ANNOYED
That brings me to the last point. I see in my comments, and have received the same by mail, that I should not be harsh with people writing such a brilliant piece of software.
Well, the fact that firefox is or is not a good piece of software is totally irrelevant. When you claim no less than trying to reinvent the web, well, if you fuck up this big, you deserve it. No matter if it's a free piece of software or not. (or a piece of free software or not).
When you request your users to click on FIVE completely counter-intuitive buttons/urls to finally be able to see a webpage they want to see (and my mom doesn't care about the webmail being insecurely hosted, really), with the first screen being almost the same than what you get when a serer timeouts or 404, well, you're just out of your mind. There is absolutely nothing that can excuse such a bad design, and the SSL thing is a failure. I mean everyone is laughing at the vista way of asking you if you really meant to go pee, well I see no difference here, it's as dumb and inefficient.
No matter how much firefox did improved (and it did memory wise, believe me, I feel it, and I'm really glad about that), https is part of my everyday's life. Those five clicks are a real PAIN. When I'm reading documentation, browsing some sources, and so on, I go through this dialog about 3 to 10 times in a row. I'm totally unimpressed, and just because a couple of geeks believed that it was GOOD™ to educate me about how dangerous untrusted certificates are, I have to break my workflow to grab my mouse in the middle of my work. No sorry, I don't really want to be calm.
In fact, what annoys me the most, is that I'm a programmer. And as a programmer, the worst thing to me, is regression. Regression is what happens when you're sloppy, and don't test your program enough. It's what happen when you aren't good enough to keep your concentration, and don't see the big picture, and constantly break your program invariants. So when I see a regression that people did on purpose, well, it shocks me beyond what I can explain with words, that's the worst thing you can do to a piece of software. I won't really mind a new feature that only partially works, I won't mind if a feature that is complicated to write isn't there after 5 years dreaming of it, but this ? I do mind. There is no way to consider that ruining a piece of software like that to the name of A Greater Good is excusable.
Oh and last words: wanting to educate people this way is a way worst offense that what I will ever say on the subject. Such a condescending approach to what they think of their users reminds me of various journalists that I met, and that when I tried to rephrase some things so that they can write about it to their readers, answered to me oh you know, they're too dumb, they'll never understand. And as a result, articles or interview are always distorted, can't interest the readers that don't care about the subject a lot, because there's nothing captivating in the article, and is totally inexact and uninteresting to people interested in the matter, because it's void from its substance. Well, the SSL dialog gives me the very same impression: it's annoying to me who knows what a SSL certificate is, and my mom won't know a single bit more what an SSL certificate is and why she should care[1].
