Shostack + Friends Blog
Windows Links and Usable Security

[Image: a Windows “Open File - Security Warning” dialog, discussed at length in the post. Caption: “Some dialogs can harm the viewer.”]

Eric Lawrence concludes a recent blog post: “Ultimately the guidance in the Security Warning prompt is the right advice: ‘If you do not trust the source, do not open.’”

Unusually, Eric is wrong. First and foremost, the prompt does not show a source, and so it's not giving actionable advice. It shows four fields: Name, Publisher, Type and From. I can make a good argument that at least From and Publisher are the “source,” but I can make a better argument that the source information is literally not shown there. Since the file came from the Internet zone, it carries “Mark of the Web” information (the Zone.Identifier alternate data stream, which records the security zone and, for browser downloads, the URL the file came from and the referring page), but that’s not presented, and its existence is not even hinted at by the Warning prompt.
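To make concrete what the prompt is hiding, here is an added example (not code from the original post, and not Microsoft's) that reads and interprets the Mark of the Web. It assumes the standard INI-style layout of the Zone.Identifier stream (a [ZoneTransfer] section with ZoneId and, optionally, ReferrerUrl and HostUrl). The sample stream embedded in it is constructed; the `<path>:Zone.Identifier` form of the filename only resolves on NTFS, so on any other filesystem the lookup reports “no mark” and the reader falls back to the embedded sample.

```python
"""Read and interpret Windows 'Mark of the Web' (the Zone.Identifier
alternate data stream), i.e. the source information the Security Warning
dialog does not show. Added example; not code from the original post."""
import re
import sys
from dataclasses import dataclass
from typing import Optional

# URL security zone IDs as Windows records them in Zone.Identifier.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style stream. Returns None when there is no
    [ZoneTransfer] section or no numeric ZoneId, i.e. no usable mark."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")  # URLs may contain '='; split once
        fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        return None
    try:
        zone_id = int(fields["zoneid"])
    except ValueError:
        return None
    return MarkOfTheWeb(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, f"Unknown zone {zone_id}"),
        referrer_url=fields.get("referrerurl"),
        host_url=fields.get("hosturl"),
    )


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """On NTFS the stream is addressed as '<path>:Zone.Identifier'. Elsewhere,
    or for a file that was never marked, the open fails and we report no mark."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def describe(mark: Optional[MarkOfTheWeb]) -> str:
    """What the dialog could have said: the zone and the URLs, if recorded."""
    if mark is None:
        return "No Mark of the Web: file was not flagged as downloaded."
    parts = [f"Zone: {mark.zone_name} (ZoneId={mark.zone_id})"]
    if mark.host_url:
        parts.append(f"Downloaded from: {mark.host_url}")
    if mark.referrer_url:
        parts.append(f"Referring page: {mark.referrer_url}")
    if not (mark.host_url or mark.referrer_url):
        parts.append("No download URL recorded")
    return "; ".join(parts)


# Constructed sample of what a browser writes for a download; not a real file.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.test/downloads.html
HostUrl=https://cdn.example.test/files/report.lnk
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(describe(read_mark_of_the_web(sys.argv[1])))
    else:
        print(describe(parse_zone_identifier(SAMPLE_STREAM)))
```

Run it with a path to a freshly downloaded file on Windows to see the zone and URLs the prompt never surfaces; a shortcut (.lnk) in Downloads carries its own mark, so the same check applies to the case in the post.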

There’s a mnemonic, SPRUCE, which is quite useful in analyzing this dialog. SPRUCE stands for:

  • Source (of the dialog)
  • Process (what should the human do?)
  • Risk (what can go wrong)
  • Unique information the user is bringing
  • Choice
  • Evidence that the user should evaluate

So looking at the dialog:

  • Source: What popped that dialog? I’d bet it’s the Windows shell, but maybe it’s Outlook or IE.
  • Process: What do I check as I make a decision? Again, the dialog refers to a field that’s missing. What difference does it make that it’s an ‘unknown publisher’? The fact that this information bubbles up seems important, but how do I use it? Do I care that it’s in Downloads? Does it bypass anti-malware?
  • Risk: In what way can this harm your computer? Does it run code? Open an arbitrary file with arbitrary commands? Take advantage of a vulnerability? There’s certainly an argument that this could tip into jargon, but a ‘more information’ link would be better than treating the reader like a child, incapable of using more information.
  • Unique information: Why is the user being asked at all? (In this case, I can think of scant reasons for there to be a link in Downloads which points out of Downloads.)
  • Choice: What choices can I make? Is there something I might do, like use File Explorer to learn more?
  • Evidence: Where does the file come from? (And here, what’s the relationship between “Name” and “From”?)

For more about SPRUCE, please see Helping Engineers Design NEAT Security Warnings.