Designing UIs to obtain actual informed consent, doing my job properly as a developer of a "useragent", is an interesting UX exercise. Really goes to show all UIs (and arguably all communication) are psychologically manipulative, I'm just being mindful about it!

And no, confirmation dialogs are little more than the facade of consent. Show them too often & people click through them. Though often (especially for sandboxing interactive apps) it is hard to move away from them.


I do have to show confirmation dialogs to block readers from visiting compromised (or poorly secured, hard to tell the difference) sites. Most browsers seem to want to remove the consent button here in the understanding people barely read anything else.

My solution is to label that consent button better, with "I don't trust this site anyways". Resembles a common & disgusting dark pattern shaming you into consenting, but my goal is to ensure you know what you're consenting to.


The ideal approach is to fold implied consent within mundane interactions.

You're telling me to follow a link? I'll go contact that server specifying this page & your language preferences, as for any embedded links in the response. You've filled in request information & are telling me to submit it? I'll forward that information to the server then, & allow it to save state clientside.


My final technique is to semi-hide consent buttons out-of-the-way, so that if people bother clicking it (at their leisure) I can be sure they're not just trying to disappear an overlay. That they actually want to enable it, in a "they said it not me!" sense. For a desktop browser right-hand-side of addressbar is a convenient place...

In doing so I must keep in mind "zones of death", which UI components potentially malicious sites have control over...

4/4 Fin!

@alcinnz But what if you know and DO trust the site? Like say if it's a self-signed cert you made yourself.

I don't want to be made to click a button that says "I don't trust this" when actually it's arguably MORE trustworthy (to us specifically) than the CAs.

@frostwolf Maybe I'll design a separate UI for that case, where you can load your self-signed certificates...

Though that would be a target for social engineering, but at some point I have to trust you know what you're doing...

@alcinnz Eh, the wording still feels disgustingly manipulative.

I like Firefox's "Accept The Risk And Continue" better. Like yeah it's a risk, but there's also the possibility you really do know what you're doing.

@frostwolf O.K., maybe "Accept Imposter Risk & Continue" is a better label come to think of it... Since it actually says something about what the risk is...

@frostwolf @alcinnz That is the case, for example, for most government sites in Brazil and public universities - for some reason they just use their certificates that no one else recognizes.

Which is wrong from a design perspective, of course, but for the user it is usually obvious that the site is as trustworthy as it can be... and thus the browser is wrong.
