Security questions and warnings are effectively confirmation requests

May 24, 2020

Every so often, well-intentioned people throw up security questions, warning messages, and so on in an attempt to help people, as in the recent case of the new warning on many extensions on These don't work in practice, as I've written about before (for example, that asking users questions never increases security). However, there is an important reason for this beyond things like users not knowing enough to make the right choice, which I want to mention explicitly and clearly for once.

To put it simply:

Security questions and warnings are a form of requesting confirmation, and people almost always say yes to that in general.

When Firefox throws up a 'this addon requests these permissions, do you agree' dialog when you install an addon, what it is really asking in practice is 'do you want to install this addon?' Of course most people are going to say yes. Installing the addon is what they set out to do, so yes of course they want to do it, can you please stop asking all the time.

The one time requesting confirmation can work is when the person actually did something different from what they intended to. They wanted to delete file A, but now you're warning them that they're also deleting files B, C, and D. If they're deleting file A and you only ask them 'are you sure you want to delete file A', they're going to be annoyed with your interruption (which is why systems have mostly moved away from this sort of interface).

(Also, if you ask people these questions all the time, question fatigue sets in and people develop the reflex of saying yes without reading the questions.)

But most security questions and warnings are not telling you that you've done something different than you wanted to do. Instead they're of the 'do you really want to delete file A, are you sure' form, and so people automatically say yes, just as they automatically say yes to all of the other confirmation popups and so on that they deal with. Do you want to install this addon that asks for these permissions? Yes, that's why I clicked on the '+ Add to Firefox' button.

PS: The application of this to rewording various browser TLS warnings is left as an exercise to the reader, although such rewording would probably be somewhat controversial because it might wind up having to say things that aren't always true, like 'you have connected to something other than website <X> because the TLS certificate says this is <Y> and <Z>'.
