Improving the usability of index.html

[miohtama]

GM ladies and sers,

Thank you for the good work for keeping Ethereum safe.

Here is some usability feedback for the "Deceptive site ahead" text. Earlier, I discussed the issue and some past incidents, spoke with people getting the alert and hoped to improve the communications a bit. Please have this input for the discussion—it may or may not be that any of this feedback is ever incorporated, but happy to open PR if you think the feedback here could improve things.

• Change the page title from "Deceptive site ahead" to a more specific one

  • Currently the same "Deceptive site ahead" title is used by other security products like Safe Browsing https://github.com/ans-group/docs.ukfast.co.uk/blob/20d49881b85f1b386d408315dc0a1c1826b9bbc6/source/security/phishing/files/deceptivesite.png
  • While Safe Browsing and MM's phishing warnings have the same purpose ("prevent phishing") the cause and the impact of the MM's use case are often more serious ("one click away losing something") and in the specific context of cryptocurrencies
  • To make sure that people who see the block error do not confuse it with generic "safe" browsing error, or other security product errors (McAfee, Windows Defender, etc.), have a more punchy headline that makes it more obvious what's going on. E.g. Your MetaMask Wallet has blocked this page
  • People who Google with this error message (over a phone when your mom calls you) to understand the situation: a specific title will help them to land on the more correct information page (forum post, etc.) instead of getting Google's (not so useful) Safe Browsing help pages

• Give users more immediate options and potential causes why this happened for them

  • Have a helpful message telling what might have happened: Reasons to end up on a blocked website may include following links malicious advertisements, social media messages or forum posts.
  • This one is important - explain no harm has been done: You do not need to do anything. Your wallet and computer are safe. Make sure people do not panic and do anything unnecessary to make situation worse for them, like delete MetaMask wallet.

• Advisory provided by Ethereum Phishing Detector and PhishFort - while it's important to bring up hard-working partners, this does not help the end user.

  • Users should be able to confirm if the error is real or not somehow
  • MetaMask has millions of users, and there are going to be a lot of false positives, in absolute terms
  • A lot of people do not like false positives, and it can cause unnecessary feedback
  • We can address this issue by being more specific how the blocklist content is being generated and maintained, to manage the expectations
  • This can be made more punchy and can be merged with the following "Report a detection problem." liink
  • For example: The block list is maintained by MetaMask, Ethereum Phishing Detector, PhishFort and blockchain community members. The block list is based on both automatic and manual reports.
  • Continue: You can check the status of the website and search the reports here. (link to https://app.chainpatrol.io/ if maintained, or similar)
  • As a bonus: For each domain, give a direct link with reporting date and source why it is on the list, though not sure if this is possible in practice. E.g. It should say "Blocked by SEAL 911 automatic phishing site detector 2024-03-15." By knowing if the block is very recent or old, it gives some more context to the end user on how to relate to this block.

• Educate people about cybersecurity

  • "Learn more" currently points to https://cryptoscamdb.org/search that might not be that helpful for an end user
  • Give people a guide that allows them to study and understand cybersecurity better, in the context of a cryptocurrency wallet
  • Instead of very genric and uninviting "Learn more" Have a sentence For more information about cybersecurity, visit the guide by XXXX.
  • Have a link to basic Cybersecurity guide

Visual cues

• While it is obvious that something bad might happen, nothing bad has not happened yet
• Don't scare people unnecessary
• Maybe think the visual of the page
  • Instead of all red "red alert style page use a visualisation like traffic lights
• Offer the click-through but use Chrome and Firefox style tricks
  • Checkbox [ ] I understand this warning and I proceed with my own responsibility
  • Checkbox [ ] I have read the cybersecurity guide
  • Have a count down of 30 seconds before this can be pressed (Firefox piloted this back in a day)

Old text for the reference:

[AndrewMohawk]

While Safe Browsing and MM's phishing warnings have the same purpose ("prevent phishing") the cause and the impact of the MM's use case are often more serious ("one click away losing something") and in the specific context of cryptocurrencies

You are literally getting phished, whether you have to click mint now and approve or it pops up as you load or you are about to sign in your google account. While the risk is more because the assumption is this phishing is directly funds lost its not that dissimilar to a banking phishing page.

This one is important - explain no harm has been done: You do not need to do anything. Your wallet and computer are safe. Make sure people do not panic and do anything unnecessary to make situation worse for them, like delete MetaMask wallet.

This seems like it might be troublesome, you shouldnt be telling users that no harm has been done unless you are very explicit that in this one case no harm has been done, otherwise it could work against you as a false sense of security

People who Google with this error message (over a phone when your mom calls you) to understand the situation: a specific title will help them to land on the more correct information page (forum post, etc.) instead of getting Google's (not so useful) Safe Browsing help pages

I think you probably want the link to a help page in the result rather than risk them getting to a malicious page (we see tons of spammers abusing SEO to have their adverts first to grab people), there should ideally be enough information that you wouldnt need to Google I guess?

[miohtama]

My artwork suggestion for the page:

[AndrewMohawk]

Advisory provided by Ethereum Phishing Detector and PhishFort - while it's important to bring up hard-working partners, this does not help the end user.

Users should be able to confirm if the error is real or not somehow
MetaMask has millions of users, and there are going to be a lot of false positives, in absolute terms
A lot of people do not like false positives, and it can cause unnecessary feedback
We can address this issue by being more specific how the blocklist content is being generated and maintained, to manage the expectations
This can be made more punchy and can be merged with the following "Report a detection problem." liink
For example: The block list is maintained by MetaMask, Ethereum Phishing Detector, PhishFort and blockchain community members. The block list is based on both automatic and manual reports.
Continue: You can check the status of the website and search the reports here. (link to https://app.chainpatrol.io/ if maintained, or similar)
As a bonus: For each domain, give a direct link with reporting date and source why it is on the list, though not sure if this is possible in practice. E.g. It should say "Blocked by SEAL 911 automatic phishing site detector 2024-03-15." By knowing if the block is very recent or old, it gives some more context to the end user on how to relate to this block.

I appreciate the comments here and that you put this into text. This is a rather large ask of the community and would involve a lot of new infra/services/functionality. The reason most of us commit to this particular list is its neutral status rather than being specifically aligned with one blocking/prevention service or another. That being said if you are looking to build this functionality I am sure everyone in the community would be appreciative

[miohtama]

That being said if you are looking to build this functionality I am sure everyone in the community would be appreciative

I believe the easiest way to accomplish this that instead of exchange data as list of domains, the data is exchanges as a list of tuples (domain, blocked by, reason, date). The domain block lists come from somewhere, so it would be easier to tackle this in the source instead of as a third-party infrastructure.