+CC Ian Fette, our security PM.

None of the issues you raise are new; we've considered them for a couple of
years.

In general I agree that positive security indicators are designed around the
idea that users should be alarmed by something's _absence_, which doesn't
work well with how people process things.  Unfortunately, the negative
security indicators suffer from the problem that they will appear
near-constantly and users will quickly tune them out.

My personal opinion is that much of the problem stems from the false
conflation of "SSL" and "secure" in past and present browser UIs.  I don't
think SSL is either comprehensible or relevant enough to users that we
should do things like color address bars and display lock icons.  Instead,
it should be one element in a larger equation of "is this site trustworthy".
Note that when you click on the Chrome lock icon we do show you a couple of
different pieces of information to help you decide, but this could be
better.

I applaud Mozilla for having tried to tackle this a bit in their UI.  I
think it is superior to ours.

On Mon, Nov 2, 2009 at 12:23 PM, Mike Hearn <mh.in.engl...@gmail.com> wrote:

> 3) Use of colored address bars is easily confused with the aesthetic
> choices of the website designer.
>

The fact that we color our address bar is a continual pet peeve of mine.  I
have pushed for its removal since its inception.  I will happily champion
patches to get rid of it.

Colored address bars overstate the importance of an HTTPS connection, reduce
readability, and confuse people.  It's no accident that basically all other
vendors have steadily moved away from coloring the whole bar.

> 4) Visual complexity is used as a metric for "how hard it is to copy",
> eg favicons or animations in the web page make things look authentic
>

This isn't really a point that's relevant to Chrome itself, but to web page
authors.

> 5) Many users don't look for security indicators at all and have a
> poor or non-existent understanding of what the elements of a URL mean.
>

I do think our host-versus-everything-else coloring in the address bar helps
with phishing URLs even if users can't articulate what the different colored
sections are.

> - Showing some permanent status indicator of "insecurity" that visibly
> changes, eg with a very noticeable animation, when tab status changes.
>

I believe this will just add visual noise people will tune out.

> - Replacing the entire contents of the URL bar with the organization
> name when an EV cert is present rather than displaying both.
>

This suffers from a number of problems, especially with editing URLs (there
are fixes to make the real URL "magically" appear when you focus the address
bar, but they feel gross), as well as obscuring your location on a site.

> - Use of "cheap" negative trust indicators, for instance if a page
> matches the regex "Bank of America" and is not the well known site a
> small bar or bubble could appear that says "This website is not owned
> by Bank of America". This would obviously have a high false positive
> rate, but that's OK because it simply asserts a negative rather than a
> positive.
>

In addition to the "false positives make users ignore the metric" obvious
problems, this implicitly has false negatives since we can't do this for
every site on the web and if users grow to trust it they are at higher risk
when on pages for which we don't provide this.

Sadly, good UI for security is extremely difficult.

PK

--~--~---------~--~----~------------~-------~--~----~
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
    http://groups.google.com/group/chromium-dev
-~----------~----~----~----~------~----~------~--~---