We're getting a bit off topic here, but this stuff is important (the extension won't work but other approaches that convert the web app into something you "install" might do).
The 60% figure comes from the Chrome developers and I believe it's the total of all displayed interstitials.
I don't understand why you think self-signed certs provide any security. It isn't "easier" to do a MITM, it's the same as with no SSL at all. Unless you have communicated the cert to your users out of band (no first time visitors) AND they are installing the cert themselves, it provides no security.
The click through rate on SSL errors for modern browsers should be zero because they don't let you click through (except for self signed certs, and even then, only with a lot of hassle). That change was made because the previous clickthrough rates were close to 100%. Your belief that users are "dumb" if they ignore warnings is worthless because it categorizes all users as dumb, which is usually a good sign that actually your expectations are wrong. The real reason users clicked through these alerts was usually one of the following:
1) They didn't understand what the warning meant.
2) They have seen the warnings before in non-dangerous situations (like the clock being set wrong or a self signed cert).
Surprise: if you cry wolf all the time and do so in unintelligible jargon, people tune you out.
Some usability studies have found that even computer science PhDs often lacked an understanding of PKI!
Here's one usability study on the topic of SSL warnings:
http://static.usenix.org/events/sec09/tech/full_papers/sunshine.pdf

"Our warnings performed significantly better than existing warnings, but far too many participants exhibited dangerous behavior in all warning conditions. Our results suggest that, while warnings can be improved, a better approach may be to minimize the use of SSL warnings altogether by blocking users from making unsafe connections and eliminating warnings in benign situations."
This of course also ignores SSL stripping attacks. Most likely, some of your users navigate to your website by typing an address into the address bar. That means the connection starts out being unencrypted and can be easily MITM'd; there are GUI tools that automate this attack. Once you've taken control like that, you can remove the SSL entirely. If you do this, no users will notice that you've done so:
http://usablesecurity.org/emperor/

"Abstract: We evaluate website authentication measures that are designed to protect users from man-in-the-middle, 'phishing', and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we removed HTTPS indicators ... We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed."
In short, SSL has a long history of absolute failure when tested in real world conditions with real people, and it's important that the Bitcoin community not repeat those mistakes.