ColdFusion Muse

MS Throws a Curve: IE 8 and the New Security Message

You have probably seen the special security warning that appears when a page has "a mix" of secure and not secure resources. I recently ran into a usability issue with regard to this message that I thought deserved a quick post on the Muse. Let's start with an example:

Let's say you have a page that you access by going to "https://blahblah.com/index.html". This page has an embedded image in it that looks like this:

<img src="http://www.someOtherDomain.com/blah.gif"/>

The first time you access this page the browser will give you a warning message. Different browsers give you different messages but all of them are variations on "This secure page has insecure stuff in it" with a button to either load or exclude the "insecure" items.
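The check below is an added example, not code from the original post: it lists the resources an HTTPS page would load over plain HTTP, which is the condition that triggers the warning described above. It goes beyond the single image to scripts, stylesheets and frames; the sample markup and the example.com hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource into the page.
# <a href> is deliberately absent: following a link is navigation, not mixed content.
LOADING_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "frame": "src",
    "embed": "src", "audio": "src", "video": "src", "source": "src", "object": "data",
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = LOADING_ATTRS.get(tag)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            attr = "href"
        if not attr or not attrs.get(attr):
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        absolute = urljoin(self.page_url, attrs[attr].strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Return the subresources an HTTPS page would fetch over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # the warning only applies to pages delivered over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample modelled on the post's example page.
SAMPLE_PAGE = """
<img src="http://www.someOtherDomain.com/blah.gif"/>
<script src="//cdn.example.com/lib.js"></script>
<a href="http://resources.example.com/guide.html">Guide</a>
<iframe src="http://resources.example.com/guide.html"></iframe>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://blahblah.com/index.html", SAMPLE_PAGE):
        print(f"<{tag}> loads {url}")
```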

Keep this behavior in mind as I tell you about a customer of mine with a secure site. End users log into the site to do certain kinds of work. One of the features of the customer's site is a list of resource links. Clicking on a given link takes them to that content in a frame so that the original side navigation is maintained. This little link/frame arrangement had been in service for years when it suddenly stopped working.

Users complained that the links simply no longer successfully loaded the external page. I tested it and the first thing I noticed was that these external links were mostly insecure pages. Sure enough, I got an error in my browser (Google Chrome). I clicked "ok" to add an exception and the page loaded fine. Naturally I asked the users if they were clicking through the security message. They definitely knew about the message and they were bypassing it as always. To add insult to injury some users could not load the pages and some could - seemingly at random.

This tickled my brain. Something was bothering me about this message - something I had seen recently. After all there is really not much that can go wrong with this link/frame structure. So my next question was "what browser and browser version are you using?" Like most long-time users of an application who don't live and breathe technology they had trouble telling me. Finally I gathered the link they clicked on to start was a little "e" - Internet Explorer naturally. In spite of inroads made by Safari, Firefox et al, the vast majority of users still use the default browser that ships with their OS, Microsoft Internet Explorer.

I opened up IE and logged in. In the case of my new Windows 7 PC I had Internet Explorer 8 installed. I logged in and clicked on the link. As soon as I saw the message I knew exactly what was wrong. Here's the message I received in my IE 8 browser:



Now this is a different message than all other versions of IE that precede it. In the old versions of IE the message said concisely "Do you want to display the non-secure items?" It looked like this:



So in every version of IE prior to version 8 clicking on "YES" would load both the secure and insecure content. But starting with version 8 the message now reads "Do you want to view only the webpage content that was delivered securely?" Clicking "YES" in IE 8 will now have the exact opposite effect of clicking "YES" in any other version. It's like Bart Simpson was put in charge of the error messages (Do I have Amanda Hugginkiss? Hey listen up - I need Amanda Hugginkiss).

In my case what had happened was simple and logical. Users on older operating systems that are all, shall we say, "lightly patched", had begun upgrading from IE 7 to IE 8 via Windows Update. As each of them moved to IE 8, the links page appeared to stop working. Why? Because they naturally clicked "YES" just like always. Only this time "yes" means don't load the insecure content. So to these users the links suddenly just stopped working.

I know the urge that led Microsoft to make this change. Users by default simply click either "Yes" or "Ok". My relatives call all the time with computer problems. Aunt Marge calls and says, "Mark, I have a problem. When I try to load this page I get an error".

"Really", I respond, "what did it say?"

"I don't know, I clicked OK."

I wouldn't be at all surprised if most users salivate when they see an "OK" or "YES" button. So Microsoft naturally wants to arrest that behavior and force users to reconsider their decision. But the end result is probably not particularly helpful. Most users are bent on getting around security, not on learning new things about SSL.

Comments
Personally I stop browsing any website that challenges me with both secure and non-secure pages.

Due to the high potential of security risks involved, developers need to be more proactive to stop these messages in development. Not encourage them.
# Posted By Andrew Scott | 4/20/10 12:44 AM
I only use IE at home when checking work email (the Exchange web client is just better in IE, natch), but I have hit this issue several times when following links to other sites. I have only recently gotten in the habit of hitting 'No' instead of the instinctual 'Yes'.

Very annoying.
# Posted By Jason Fisher | 4/20/10 10:31 AM
Andrew,

There are times when it is useful and necessary - this is one of those cases. I agree with you in principle, but there are exceptions. The job of the outsource developer (i.e. - the muse and his team) is to give the best advice possible and then try to accommodate the decisions made at the business level. But thanks for your comment.
# Posted By Mark Kruger | 4/20/10 10:37 AM


