It's the second time in only a few days that I read this, so I guess I have to comment on it.
Today I had some minor problems loading my Gmail account, so it showed me an error as follows:
Alright, so imagine I am a naive computer user who just got this message and I obviously believe what they are saying. Now I am going to go ahead and disable my firewall altogether and live happily ever after -- until I come across the first script kiddie that turns my workstation into a spam bot, virus nest, or both.
Similar issue: That blogger on MSDN.com who nicely suggested switching off the phishing protection altogether when the CPU usage of your new instance of MSIE 7 spikes on some AJAX websites. While he has since revised it to an acceptable "add these individual sites to a whitelist for which you switch off the phishing protection", his initial suggestion was just as bad as the one up there by Google.
Come on, people. Not everybody is a computer geek. People actually believe what you are writing there.
So please start thinking before you type. Having people switch all their security features off first (but burying the information that this might be a bad idea somewhere deep inside the help files) is harmful and -- sorry -- just plain stupid. People will switch it all off, they will see that "everything works" and they will stop reading about the issue right afterwards.
If you really, really, really have to have them switch off part of their software (which is not too surprising for some paranoid security products), at least spend half a minute explaining how the workaround can be done securely, and only for the page in question.
You owe this to your customers. Or, to put it differently: If you handle your customers' privacy as carelessly as you handle their web security, I sincerely hope nobody ever tells you their social security number.