Effectiveness of SSL Padlock on the Browser

From TrustWiki

Author: Anil [1]

When you perform an e-commerce transaction or provide PII (personally identifiable information) to a website, you typically look for two clues - one that the URL starts with https and the other a padlock icon in the user agent. Certain browsers, such as Mozilla Firefox, also change the color of the location bar. If these two clues are present, you feel confident that there can be no Man-in-the-Middle (MITM) attack and that your information will not be compromised.

But have you wondered, from an Internet security perspective, how effective these visual cues actually are?

Here is an excellent research article by two Canadian researchers, Tara Whalen and Kori M. Inkpen, faculty of Computer Science at Dalhousie University in Halifax, Canada. The article is titled "Gathering Evidence: Use of Visual Security Cues in Web Browsers"[2].

Let me point out some key observations from this research:

Given the potential consequences of exposing banking passwords and credit cards, users are understandably concerned about the risks of online transactions. People must be given the ability to discover and understand security information when using the web. The overall goal of this research is to develop feedback that clearly informs users about security without overburdening them with distractions.


Sixteen participants (10 female and 6 male) took part in the study. Nine participants worked for the university (faculty or staff), and seven were students.

Bank sign-in: Fifteen participants (out of 16) thought that the bank sign-in page was secure. The one person who thought it was insecure based their decision on lack of clear security statements on the bank’s information page. None of the participants used the certificate data to conclude the connection was insecure.

Our research in visual security cues discovered information that can be applied to browser design and evaluation. In summary, we found that
• the lock icon is the browser security cue that is most often looked at, but few interact with it;
• some experienced web users do not take any notice of browser security cues;
• small browser icons can be easily misidentified or confused, especially given the nonstandard layouts among browsers;
• certificates as sources of information are seldom used and rarely understood; and
• people tend to stop looking for security information after they have signed into a site.
The important conclusion that I want to drive home in this blog post is that security cues are necessary but not sufficient to give users an overall sense of trust on the Internet.

The Web Security Context working group at the W3C is working with security experts, browser implementors, researchers, and anti-phishing and usability experts. Their recommendation (a work in progress) is available at: Web Security Context: Experience, Indicators, and Trust[3]

So do not tell me that the padlock was all you needed to assure you that a particular website was safe to interact with.

Additionally, you should know that the SSL padlock can be spoofed[4]; another report on this is available at [5].