Section 28.1. Usability and Security: Bridging the Gap

28.1. Usability and Security: Bridging the Gap

The Mozilla Foundation has undergone a profound transformation during its short lifetime. It began as a loose organization responsible for shepherding the open source community to help develop Netscape 6. In those formative years, the foundation was a technology provider, working primarily with technology vendors like ActiveState and IBM. Although the foundation's work was significant, its developers were always at least two degrees away from the customers who would eventually use its products.

Enter Firefox, the organization's first-ever product designed for and marketed directly to end users without any middlemen. The factors and circumstances that motivated such a tremendous shift in direction make for an interesting business case study, but aren't really of interest here. What is relevant is the attitude shift that the change necessitated.

As a technology provider, the Mozilla Foundation didn't need to concern itself with designing and focus testing usable interfaces. That was, by and large, the burden of the vendor using its technology. Instead, Mozilla's job was nearly the opposite: to provide an interface that exposed all of its capabilities, allowing vendors to pick and choose with ease.

As a maker of consumer products, the organization had to realize one key insight: whereas vendors wanted to use the technology, users want to use the Web. They care about Firefox's features and capabilities only to the extent that the technology helps them maximize their productivity while online. Designing for this audience required a fundamental paradigm shift. The end result is a browser that can do most of the things the old Netscape and Mozilla browsers could do, but with a simpler interface sporting a tiny fraction of the older programs' options and windows.

Firefox has a simple design philosophy: those features that are not perceived to significantly improve the online experience of the collective web population are hidden, and those that do improve the experiencesuch as pop-up blocking and tabbed browsingare pushed to the forefront. In a world of programs that seem to get more complex with each iteration, Firefox's approach and clean interface have won plaudits from the media and users alike.

So, how do our security obligations fit into this picture? Quite easily, actually. We are committed to designing products that help people use the Web easily, and we don't compromise this vision to help them use it securely. Our decisions about security, and when to expose an interface to the user that manages security, hinge on three basic assumptions:

• Users want to believe that their products are keeping them secure.

• Users do not want to be responsible for, nor concern themselves with, their own security.

• We know more about security than our users do.

Perhaps this betrays a kind of brazen confidence on our part, but that's the point: users want their software to protect them, because they don't knowand don't want to knowabout the details of security.

Our chief competitor, Microsoft, has publicly expressed doubt that a marriage of usability and security can last. Upon releasing Windows XP Service Pack 2 (SP2), an Internet Explorer program manager wrote this comment in the IE team's public blog: "We are absolute [sic] dead serious about security now. It's permeated everything we do, and we're willing to impinge on the user experience if needed."^[1]

^[1] Tony Chor, "IE in Windows XP SP2," Internet Explorer Team Blog; http://blogs.msdn.com/ie/archive/2004/08/10/212008.aspx#212128.

Indeed, many aspects of the revamped IE interface in SP2 illustrate the compromises that were made. Things that once took a single click to accomplish now take three or four; whereas users previously endured one warning, they must now endure two. Realistically, however, what we're seeing in SP2 is probably more Microsoft's overreaction to public criticism than it is the inability to realize an experience that is both secure and usable. For years, Microsoft took the heat for allowing spyware installation with a single click of the mouse; SP2 is a natural reaction toward the other extreme.

We believe that it's possible to straddle the line and deliver products that are silently secure while outwardly usable. This chapter will walk through the methodology we employ and the assumptions (listed earlier) that power it.