Thursday, February 15, 2007

You Can't Save the Stupid from Phishing attacks

Like many user interface professionals, I received the recent email notice from VeriSign about their new Secure Socket Layer certificates, which turn the browser address bar green when the site is secure, to make ecommerce and other information transfers through -

"Maximize customer confidence and sales with new VeriSign® EV SSL Certificates

In response to increasing consumer fear of online fraud, VeriSign has introduced *Extended Validation (EV) SSL Certificates*. The new certificates turn the browser address bar green, communicating to consumers that your site is secure."

Taking a quick look around Technorati I found the Cyber Top Cops Security blog (http://cybertopcops.blogspot.com/2007/02/green-means-trust-but-does-it-mean.html), with an article which quickly pointed out that the average user couldn't care less what color his/her browser turns; for all they know, it's just supposed to do that.

These Cyber Cops pointed the caring reader to Rachna Dhamija, a Postdoctoral Fellow at the Center for Research on Computation and Society at Harvard University, who, besides an enviable career including work on electronic commerce privacy and security at CyberCash, has done some interesting studies on scams and why they work on the Internet.

Replacing Rachna Dhamija's educated language with the vernacular: "you can't save the stupid people, because it doesn't really matter who you are, everyone is at risk."

Here's what Dr. Dhamija said -
"We discovered that existing security cues are ineffective, for three reasons:

1. The indicators are ignored (23% of participants in our study did not look at the address bar, status bar, or any SSL indicators).

2. The indicators are misunderstood. For example, one regular Firefox user told me that he thought the yellow background in the address bar was an aesthetic design choice of the website designer (he didn't realize that it was a security signal presented by the browser). Other users thought the SSL lock icon indicated whether a website could set cookies.

3. The security indicators are trivial to spoof. Many users can't distinguish between an actual SSL indicator in the browser frame and a spoofed image of that indicator that appears in the content of a webpage. For example, if you display a popup window with no address bar, and then add an image of an address bar at the top with the correct URL and SSL indicators and an image of the status bar at the bottom with all the right indicators, most users will think it is legitimate. This attack fooled more than 80% of participants.

We also found that popup warnings are ineffective. When presented with a browser warning of a self-signed certificate, 15 out of 22 participants proceeded to click OK (to accept the certificate) without reading the warning. Finally, participants were vulnerable across the board -- in our study, neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing."
See Fishing with Rachna; sounds friendly enough, na?
So I believe, and catch me if I am wrong, that unless the Internet security industry comes up with better methods to prevent users from giving away their economic lives by mistake, eventually micro-public-Internets will spring up promising enhanced security, just like gated communities.

I know it's scary, kids, but it is actually possible that AOL has a future in fear and security, if it can guarantee online safety for its stakeholder customers. It is possible that being an AOL member will mean you are richer and have more at stake than others, and we will have to forgive W because "The Internets" aren't so stupid after all.
