Making a usable security dialog

There’s an argument about to occur at the Ubuntu Developer Summit.  It’s come up before, it’s coming up now, and it will come up again later.  This argument, cliched as it is, is about security vs usability.

Imagine you’re a user.  One who just happens to have Wine installed on your system.  And you double click an executable file.  What happens?

You might expect it to open.  That’s what Windows did.  But then people ended up running programs they didn’t actually want to run – they were surprised when Olson_Twins_Nude.jpg.exe wasn’t a picture at all, and even more surprised to discover their computer could be more accurately described as on loan from Vlad the hackpaler’s discount botnet.

It wasn’t long before third party security software and, ultimately, Windows Vista started giving prompts to the user.  Even Firefox felt the need to warn you that the movie you just downloaded was actually a program.

The unix approach to this was to require the user to give explicit permission for programs to run by embedding it into the filesystem – the execute bit.  No one complained, mainly because there weren’t many programs to download and run outside of a command line.

Two things have since happened.  First, we wrote an awful lot of interpreters that don’t care about the execute bit, like Java and Wine.  More importantly, we finally made a Linux desktop that doesn’t suck.  Now people actually want to download things, and they want to run them without having to open that shortcut to the terminal.  So the debate is back.  Now we have to figure out what to do when you click on those pesky .exe and .jar files.

For Wine, the issue was “solved” for 8.10 and 9.04 by making double clicking on a .exe file flat out broken – Ubuntu will try to open your program in Archive Manager, hit you with a shovel, and then give you a mysterious error about the shovel blade being the wrong curvature.

Well, that solution wasn’t good enough for me.  I wanted to make Wine open the executables on double click since, well, that’s how you open executables.  But the security guys, understandably, want to be really sure that a user actually meant to open the executable.  This means some sort of dialog has to happen between the computer and the user when you double click the .exe file.

I figured that, since I know something about user interface design, I may as well design the dialog myself and minimize the damage.  Here’s my second attempt:

Ok, that sucked.  I said it was my second attempt, because my first attempt was to go with something a little more direct.

I stared at my pen board for a good 10 minutes.  As it turns out, it’s a bit difficult to design a dialog that conforms to user expectations when you’re deliberately ignoring what they just told you.

That’s a bit better. We’ll skip the obvious question of why we didn’t do what we were asked, and instead act like it just has to be this way.  Any explanation would take up a bunch of words users won’t read anyway, so let them mindlessly click on launch application and maybe we can hope they’ll forgive us when their computer blows up because they gave it permission to.

Or, we can remember that the whole point of this message is to remind the user that this is a program they’re launching.  Let’s start by putting a Wine icon there instead of that generic warning label.

You might be wondering what that “Wine preferences” button’s doing there at the bottom.  That was me thinking ahead a bit – maybe a user will want to disable this behavior somewhere, so maybe we’ll need to have a preference setting for that, and we might as well help them get there as soon as they’re frustrated enough to fix it.  But now we’ve made three buttons, and the user has to make a decision and think a bit. Worse, if they actually used the middle button, they’d have to dig through a bunch of unrelated Wine preferences before finding what they want.

Here, we give them exactly what they want right there in the dialog.  We act like it’s some sort of preference they had set, so now instead of wondering why the computer didn’t do what you wanted until you told it twice, you at least know this annoyance can be prevented in the future by simply unchecking the magic box.

But that sentence says something else too, more than the button ever could: it has the phrase “new applications” in it.  It means we’re only showing this dialog for programs you’ve just downloaded.  If you’ve already run them before, the damage is done, so we may as well just launch without asking the second time.  And, get this, we can keep track of it all by using that silly execute bit.  Turns out it’s useful after all.

But there’s one more major improvement we can make.  Did you catch it?

That’s right. It’s a very slight difference in wording. Without thinking about it, we wrote the original dialog like a programmer, using programmer jargon.  Prompting is exactly what we’re doing here, and it’s the exact word I’d use to describe this dialog in a spec, and it’s exactly the most inhuman thing to say.  Two words turn this dialog into something an actual human being might enjoy – now, instead of ignoring their double clicking due to these wonky default preference settings, the computer is doing the user a favor.  We’ve turned a robotic vending machine into a bellhop who asks, “sir, did you mean to leave this dollar here?” whenever you try to tip him.

So, now I’ve got a rough design for a dialog.  It’s the least bad I can think of.  But it’s better the damage came from me than the security team.

17 Comments

Martin OwensMay 21st, 2009 at 5:32 am

Now make it so that it’ll do that for .sh .java .py .pl and .run files and we’re all set. Oh and maybe an option to prevent execution of programs from home directories?

But it looks wonderful, just the sort of thing that should be there already.

yokozukiMay 21st, 2009 at 6:34 pm

You’re not going to get away with that disable-confirmation checkbox. Allowing an unvetted downloaded executable to run on click — especially if executables can hide under image thumbnails — is an enormous security hazard not to be dispensed with an idle click. You might compare it to including a “Give applications root privileges by default” option; it’s possible, but you don’t see developers rushing to include it under the platitude of user freedom. In any case, someone opening executables frequently in Ubuntu is a pretty rare user case. The prevelance of repository-distributed and packaged software is a natural and advantageous solution.

There is such a thing making things too easy.

JanneMay 21st, 2009 at 7:55 pm

Actually, when you think about it, we do not actually run applications in Linux by double-clicking on them. We run applications by selecting them in the start menu, or through Gnome Do or some other such mechanism (or through the terminal of course).

So what the dialog should ask is perhaps _not_ whether you want to run it. Perhaps it should tell you that yes, this is actually a Windows program, and ask you if you want to add it to the Windows Applications (i.e. Wine) submenu where you can run it? That both alerts people to the fact that it’s a program file and nothing else, and makes it accessible to the user in the same way as any other application.

YokoZarMay 21st, 2009 at 8:34 pm

Janne, the 99% use case for this particular dialog is running the installer program, which doesn’t belong on the Wine start menu at all. Wine is already configured to set the execute bit on installed .exe’s, so if you use the applications menu you’ll never see this dialog.

Peteris KrisjanisMay 21st, 2009 at 11:54 pm

I kinda like it, it sounds reasonable, not too frightening (getting rid of warning sign was clearly a clever step), and you could actually manage for casual user to read it.

JohnCCMay 22nd, 2009 at 1:58 am

How will you cope with the fact the Mono binaries share the same .exe suffix? Can file tell them apart with magic numbers and make sure the shell does the right thing? What about the fact that a user may have .Net binaries installed in Wine and want to use those to run Mono binaries by default? What currently happens if you double-click a Mono binary (I believe mono is installed as standard now).

Joseph BookerMay 22nd, 2009 at 5:44 am

How is this any different from the old ‘You are not going from a secure page to an unsecure web page. Are you sure you want to continue?’ which *every* user gets trained to ignore (or uncheck the ‘warn me next time’).

Even files that are not expected to be executables will not be helped by this if the user is trained to press the launch button by habit, especially if they don’t even care to read what the dialog is saying to begin with.

Is making programs say “DANGER! If you do this, I didn’t tell you to, even though you need to in order to to use the programs you want, you can’t blame me if things go bad” really good usability?

I mean, if malware is a problem, why not have wine depend on clamav and have the gui launchers run a scan? or show a warning if the file matches /\.[a-z]*\.exe/i ?

AndyMay 22nd, 2009 at 7:31 am

Just a thought – would it be worth trying to change the behavior so wine doesn’t launch programs without the execute bit set, and if you try, this dialog lets you either cancel, or set the execute bit, and run (so then you won’t ever be asked again for this particular application)?

You would need to go through a similar process to what you just did here to know how to word it right, but it seems to be a slightly better fit for the unix style permissions.

JohnnyGMay 22nd, 2009 at 11:08 am

I don’t have a good answer to this, but checkboxes like this one are not ideal as far as I’m concerned.

First off, in this case it is easy to accidentally uncheck, then launch the app + from then on things will launch no questions asked. So for me the check box needs some confirmation behind, to confirm you really did mean to change the value.

The other thing that bugs me about dialogs like this is that once you have switched them off it is rarely obvious how to switch them on again. This is the bit I don’t have a good answer too.

Finally, agree with Joseph Booker, dialogs like this really don’t help a lot. If the user encounters the thing often enough they get used to clicking without thinking. If they aren’t encountering the dialog often, then it is useful, but then in that case it is a rare enough event that a bit of extra trouble to run the app is probably not a big deal.

YokoZarMay 22nd, 2009 at 12:11 pm

If I designed this thing, there wouldn’t be a dialog at all. It would just work. That’s how it was in 8.04, until archive manager broke things in 8.10 and 9.04.

However, I think we can minimize users learning to ignore the dialog by minimizing the amount of times they see it. If you download the .exe in firefox, for instance, we can have Firefox do the same thing it does in Windows when you download an executable, and if the user clicks through that, then firefox can mark it +x for them.

Wine is also already configured to mark +x any executable that it creates itself. So when you run foo-installer, get through the dialog, and then you try to run foo itself, you won’t see the dialog a second time.

JohnCC: shared-mime-info should be able to tell apart mono binaries and win32 binaries.

YokoZarMay 22nd, 2009 at 12:15 pm

Regarding clamav integration: It’s a bit of work, but it’s something I could do if I had a bit of time. Getting the UI and configuration right requires some real design too.

Milan Bouchet-ValatMay 24th, 2009 at 12:49 pm

Very interesting! I don’t believe users will get too used to this dialog, since we’re on Linux: Windows programs should not be installed all the time. I think it’s absolutely required because else Wine would expose Ubuntu to Windows viruses, which is really ridiculous. I’d even go farther than you, and remove the checkbox: the dialog will be shown only once per app, so that’s not too much with regard to the security you gain. And keeping this kind of checkbox really says the user: “I’m a useless dialog, please untick the box!”

Maybe you could rephrase the message to say: “It’s the first time you start the Windows program XXXX. Do you want to give it the permissions to run?” Explaining why you ask (it’s the first time) maybe make it a little more legitimate.

And you must know that since 2.26 running a .desktop file that has no x bit set prompts a dialog too. I think you should harmonize the designs, only changing the type of the program, and that would help for all executables around here. good luck! ;-)

JanCMay 28th, 2009 at 5:04 pm

I don’t know what you people have or haven’t done, but running Windows-programs with a “double-click” has been working for me forever after installing Wine…

Do you have binfmt-support installed?

DaVinceAugust 24th, 2009 at 6:31 pm

Haha, when you started drawing up dialogs, the last one you made was the first one to pop up in my mind as the best way to do it. It’s good that you’re thinking about this sort of thing. :)

[...] Developing the security advisory UI for WINE applications [...]

[...] Developing the security advisory UI for WINE applications [...]

[...] Developing the security advisory UI for WINE applications [...]

Leave a comment

Your comment