With bank web sites, experience has shown that only 0.3% of users are deterred by an invalid certificate, probably because very few users have any idea what a certificate authority is, what it does, or why they should care. (And if you have seen the experts debating what a certificate authority is and what it certifies, chances are that those few who think they know are wrong.)

Well, I have some usability tests that seem to prove your intuitive claim that most users don't know what a CA is. I don't know about arguments between experts on this. I think, however, that even naive users understand quite the TrustBar UI for SSL protected sites. We display something like <name/logo of site> identified by <name/logo of CA>. I'd appreciate your thoughts/feedback; try it at http://TrustBar.MozDev.org.

Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University

New: see my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame.html

The Cryptography Mailing List