Insecure vs. Unsecured
A high school classmate of mine recently posted on Facebook:
Message just popped up up my screen from Microsoft, I guess. "This site has insecure content." Really? Is the content not feeling good about itself, or, perchance, did they mean "unsecured?" What the ever-lovin' ****?
I was intrigued, because it was an ambiguous message and it brings up an interesting discussion. Why the choice of the word “insecure” instead of “unsecured”?
It turns out that this message (which doesn’t come from Internet Explorer, but instead from another browser) is generated when you attempt to access a page which contains mixed content. In other words, a page where the primary page is protected via SSL yet there are child elements in the page that are not protected by SSL.
Given that this is a mixed content warning, wouldn’t my friend’s suggestion (that they use “unsecured” in the message rather than “insecure”) be a better choice? After all, the message is complaining that there is content that hasn’t been secured via SSL on the page, so the content is unsecured (has no security applied).
Well, actually I think that insecure is a better word choice than unsecured, for one reason: If you have a page with mixed content on it, an attacker can use the unsecured elements to attack the secured elements. This page from the IE blog (and this article from MSDN) discuss the risks associated with mixed content – the IE blog post points out that even wrapping the unsecured content in a frame won’t make the page secure.
So given a choice between using “insecure” or “unsecured” in the message, I think I prefer “insecure” because it is a slightly stronger statement – “unsecured” implies that it’s a relatively benign configuration error.
Having said all that, IMHO there’s a much better word to use in this scenario than “insecure” – “unsafe”. To me, “unsafe” is a better term because it more accurately reflects the state – it says that the reason that the content is being blocked is because it’s not ”safe”.
On the other hand, I’m not sure that describing content secured via SSL as “safe” vs. “unsafe” is really any better, since SSL can only ensure two things: that a bystander cannot listen to the contents of your conversation and that the person you’re talking to is really the person who they say they are (and the last is only as reliable as the certificate authority who granted the certificate is). There’s nothing that stops a bad guy from using SSL on their phishing site.
I actually like what IE 9 does when presented with mixed content pages – it blocks the non SSL content with a gold bar which says “Only secure content is displayed” with a link describing the risk and a button that allows all the content to be displayed. Instead of describing what was blocked, it describes what was shown (thus avoiding the “insecure” vs “unsecured” issue) and it avoids the “safe” vs “unsafe” nomenclature. But again, it does say that the content is secure – which may be literally true, but many customers believe that “secure” == “safe” which isn’t necessarily true.
Comments
Anonymous
November 06, 2011
Besides, "unsafe" sounds needlessly coy. Unsafe = dangerous.Anonymous
November 08, 2011
I'd also vote for "unsafe", or "potentially unsafe" as used in MSOffice macro containing documents. An application facing less geeky customers should choose an easier to understand word whenever possible. Also unsafe is not exactly equal dangerous. "Dangerous" carries the sense of "actively harmful", it will bite if you're not careful enough. On the other hand, "unsafe" carries the sense of "passively harmful". It may not harm you even if you take no action and pay no attention to it if no "third factor" enters the situation.Anonymous
November 13, 2011
Why is Larry so silent in the last month? Really busy I suppose...Anonymous
November 13, 2011
Larry is so silent because (a) he's really busy and (b) he's not gotten around to finishing a couple of draft posts.Anonymous
December 28, 2011
"unsafe" has two meanings: "dangerous" and "in danger". It's not clear which you meant - I read your post as meaning the latter, the other commenters above read it as the former.