Hiya, I'm not sure if chromium-dev is the right place for this discussion as it's a bit vague. Please don't hesitate to redirect me if not.
I'm concerned about the way Chromium displays SSL security indicators, which this blog post reminded me about: http://chrome.blogspot.com/2009/10/are-you-seeing-red.html

There have been a few studies of SSL usability and the conclusions are that Chrome-style UI does not work. For example see Dhamija, Tygar and Hearst: http://portal.acm.org/citation.cfm?id=1124861

Specific issues raised are:

1) Terms like "certificate" are not understood and ignored. Bad cert errors are clicked through.
2) Use of a lock icon as a positive security indicator is easily forged by putting a lock picture in the web page itself. Users do not understand which parts of the browser UI are trustable and which are not.
3) Use of colored address bars is easily confused with the aesthetic choices of the website designer.
4) Visual complexity is used as a metric for "how hard it is to copy", e.g. favicons or animations in the web page make things look authentic.
5) Many users don't look for security indicators at all and have a poor or non-existent understanding of what the elements of a URL mean.

I don't have any great ideas about this, but it seems like something Chrome could do much better than the competition. Possibilities that come to mind are:

- Showing some permanent status indicator of "insecurity" that visibly changes, e.g. with a very noticeable animation, when tab status changes.
- Replacing the entire contents of the URL bar with the organization name when an EV cert is present rather than displaying both.
- Use of "cheap" negative trust indicators, for instance if a page matches the regex "Bank of America" and is not the well known site, a small bar or bubble could appear that says "This website is not owned by Bank of America". This would obviously have a high false positive rate, but that's OK because it simply asserts a negative rather than a positive. Obviously the real regexes would be based on the contents of the actual BoA website rather than a simple phrase.

What do you think?
Should I take this to chromium-discuss?

thanks
-mike

Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
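The "cheap" negative trust indicator sketched in the last bullet, as an added example that is not part of the original post or of Chromium. The brand table is constructed for illustration (bankofamerica.com is the only domain listed for Bank of America, and "Example Bank" with examplebank.test is invented); a real deployment would derive the page-content patterns from the genuine site, as the post says, and would use the Public Suffix List rather than the two-label registrable-domain shortcut used here. The function returns the negative assertion text when a brand is mentioned on a page whose host the brand is not known to own, and None otherwise.

```python
import re
from urllib.parse import urlsplit

# Constructed brand table (not from the original post): a regex over the page
# text and the set of registrable domains the brand is known to own.
BRANDS = {
    "Bank of America": {
        "pattern": re.compile(r"\bbank\s+of\s+america\b", re.IGNORECASE),
        "domains": {"bankofamerica.com"},        # illustrative, not exhaustive
    },
    "Example Bank": {                            # invented brand for the test
        "pattern": re.compile(r"\bexample\s+bank\b", re.IGNORECASE),
        "domains": {"examplebank.test"},
    },
}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, lower-cased.

    Deliberate simplification: a real implementation would consult the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_belongs_to(hostname: str, domains: set) -> bool:
    """True if the host's registrable domain is one the brand owns.

    Comparing on the registrable domain means www.bankofamerica.com passes,
    while a lookalike such as bankofamerica.com.attacker.test does not: its
    registrable domain is attacker.test, not bankofamerica.com.
    """
    return registrable_domain(hostname) in domains


def negative_indicator(url: str, page_text: str):
    """Return the negative assertion to show for this page, or None.

    Only a negative is asserted ("not owned by X"); the heuristic never
    claims a page is genuine, which is why a false positive (a news story
    about the brand) is tolerable, as the post argues.
    """
    host = urlsplit(url).hostname or ""
    for brand, info in BRANDS.items():
        if info["pattern"].search(page_text) and not host_belongs_to(host, info["domains"]):
            return f"This website is not owned by {brand}"
    return None


if __name__ == "__main__":
    # Constructed sample pages.
    samples = [
        ("https://www.bankofamerica.com/login", "Welcome to Bank of America Online Banking"),
        ("https://bankofamerica.com.attacker.test/login", "Bank Of America - sign in"),
        ("https://news.example.test/story", "Shares of Bank of America rose today"),
        ("https://shop.example.test/", "Buy widgets"),
    ]
    for url, text in samples:
        print(url, "->", negative_indicator(url, text))
```

The third sample is the accepted false positive: a news page mentioning the brand gets the bubble even though it is not a phishing page, which is harmless because the bubble only states who does not own the site.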
