This post is in a new category, “Spot the Sarcasm”; guess why.
Windows has a wonderful feature for Internet Explorer users called Trusted sites. Trusted sites are described as “Web sites that you trust not to damage your computer or data.” Pretty straightforward, right?
But, as they say, the devil is in the details. Let’s say you have a web application that lives at http://www.webapp.edu. http://www.webapp.edu uses a central single sign-on service for authentication; let’s call that http://www.signon.edu. Both http://www.webapp.edu and http://www.signon.edu are listed in the Trusted sites zone for Internet Explorer.
Considering it’s Microsoft, I let a little slide. But this rates as one of the stupidest security errors I can think of. Let’s break it down.
Both sites listed are on my Trusted sites list, a list I had to manually edit to add the sites. That means I spent time and effort to verify that the sites were trusted, find the zone, and then enter the sites. The warning states “If you don’t trust the current Web page, choose No.” Why would I ever choose No? Both sites have already been trusted. Both sites are obviously known to me. Why am I even given this dialog box?
Then, let’s look at the dialog box. For “security”, the focus is defaulted to No, the option I don’t want 999,999 out of 1,000,000 times. It’s also lacking, for security, a basic of standard dialog boxes: hotkeys. This one? No way. I have to either click Yes or arrow over to Yes. Dismissing the dialog results in...? Anyone, anyone? That’s right, a 404 error; very intuitive to the average Internet Explorer user.
But let’s think about what sites go on a Trusted site list, since Microsoft did not. It’s highly likely that sites manually added to that list are put there because I a) trust them and b) go to them a lot. I want them on that list because that security zone is more open, allows more browsing freedom, maybe requires it for functionality (yes, Web apps use pop-ups). Why do I have to confirm every single visit to a “trusted” site, but not to any other random site not listed as a trusted site? Logically, if I don’t trust a site, shouldn’t I need to verify that I do, in fact, want to go there? (Note to IE team, please, for the love of God, don’t implement this hypothetical.)
And, the best part of all? It is not optional for me or my team either to use IE or to have our sites listed as Trusted sites. Our division administrators have placed both http://www.webapp.edu and http://www.signon.edu in the Trusted sites list, and Webapp requires IE for certain administrative functions.
To all our users, Firefox is supported (thank goodness); I would recommend it for you. To Microsoft, please hire more user experience engineers. When you see posts like “Deleting a Shortcut In Windows Vista Takes How Many Steps?” on Gizmodo, you have issues.