The other day I stumbled upon an interesting concept while watching an episode of a series I’m really fond of. The protagonist was talking to Ougi — this mysterious, Yūrei-looking girl that we, as an audience, had just been introduced to.
Her following question, with its counterintuitive answer, helped set the overall tone of the story arc:
“Which is safer: A green traffic light or a red traffic light?”
Traffic lights are social contracts. You agree to comply with the instructions provided by the traffic light. (“Go”. Or “Don’t Go”.) In exchange, you expect your safety to be guaranteed.
Now think about it: Barring some extremely unlikely accident where someone takes a wrong turn and hits you while you’re sitting there waiting, the odds of getting involved in a car crash while your car is already stopped at a red traffic light are pretty much zero.
Conversely, all it takes for you to be involved in a car crash while complying with a green traffic light is someone on the other side not complying with their traffic light.
When it comes to the feeling of safety, a false-negative is harmless, while a false-positive is often catastrophic.
“The world becomes a safer place when there are signs around telling you it’s not safe. It becomes way more dangerous when the signs tell you it is safe.”
Which brings us to Web browsers. In the screenshot below, see if you can spot the “green traffic light”: (No, I’m not referring to the standard OS X window button for “zoom”.)
The green padlock and “https” text, indicating that the connection to the website is secure, both act as green traffic lights. While other browsers — like Safari and Firefox — don’t actually use the color green to indicate the presence of a secure connection, both use the padlock imagery to inspire confidence and demonstrate that the data being sent to the server is encrypted.
I believe that this approach is not the right one. Websites using HTTPS should receive a bland, normal address bar while everything else should trigger an address bar that properly reflects the fact that everything is being transmitted in the open, and anyone can be eavesdropping. The benefits of this approach are twofold:
- Users might not be aware of the implications of visiting websites through unencrypted connections. They might have an intrinsic expectation of privacy. The “unsafe” address bar would wipe out any such incorrect expectations — and put some pressure on website owners and sysadmins everywhere to serve content via HTTPS.
- Recent reports on surveillance by governments worldwide actually bring the effectiveness of commercially available encryption into question. Web browsers should not guarantee or even state that their users are safe. There are multiple ways HTTPS connections could be compromised: installation of malicious root certificates, government intervention at the CA level, or even flaws in the protocol implementations, to name a few. In the past, worrying about these could be considered tinfoil-hat territory, but now they sure don’t look so remote from the realm of possibility.
This change would also bring an end to the old problem of users having a hard time distinguishing between browser chrome and content — and websites exploiting that by showing padlock symbols on the page to pretend they’re “secure”.
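The padlock is only as trustworthy as the root certificates the client trusts, which is why a single unexpected root in the trust store turns the “green light” into a false positive. The following is an added example, not code from the original post: it audits the roots a Python TLS client would trust against a known-good baseline, using only the standard `ssl` module. The baseline entries and the sample store are constructed placeholders, not real CAs.

```python
"""Audit trusted root certificates against a known-good baseline.

Any root that is not in the baseline is flagged, because one unexpected
root is enough to make a forged certificate pass validation and show the
padlock. Baseline and sample data below are constructed for illustration.
"""
import ssl

# Constructed baseline: (issuer string, serial number). In practice this
# would be generated once on a clean machine and stored out of band.
BASELINE = {
    ("countryName=US,organizationName=Example Trust,commonName=Example Root CA", "01"),
    ("countryName=US,organizationName=Example Trust,commonName=Example Root CA 2", "02"),
}

# Constructed sample store in the dict shape that SSLContext.get_ca_certs()
# returns: 'issuer' is a tuple of RDNs, each RDN a tuple of (type, value).
SAMPLE_STORE = [
    {"issuer": ((("countryName", "US"),), (("organizationName", "Example Trust"),),
                (("commonName", "Example Root CA"),)), "serialNumber": "01"},
    {"issuer": ((("countryName", "ZZ"),), (("commonName", "Sneaky Root"),)),
     "serialNumber": "DEADBEEF"},
]


def cert_key(cert):
    """Build a stable (issuer, serial) identity from a get_ca_certs() dict."""
    issuer = ",".join(
        f"{attr_type}={attr_value}"
        for rdn in cert.get("issuer", ())
        for attr_type, attr_value in rdn
    )
    return (issuer, cert.get("serialNumber", ""))


def find_unexpected_roots(trusted_certs, baseline):
    """Return every cert dict whose (issuer, serial) is absent from baseline."""
    return [c for c in trusted_certs if cert_key(c) not in baseline]


def audit_system_store(baseline=BASELINE):
    """Load the platform trust store the way an HTTPS client would and
    report roots that are not in the baseline."""
    ctx = ssl.create_default_context()  # calls load_default_certs()
    return find_unexpected_roots(ctx.get_ca_certs(), baseline)


if __name__ == "__main__":
    for cert in audit_system_store():
        print("unexpected root:", cert_key(cert))
```

Run against the real store, every flagged entry is a root the client trusts that the baseline author never approved; that list is the thing to investigate before believing any padlock shown on that machine.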