On September 21, I sent a message to the Mozilla community with the results of a survey of all of Entrust Datacard’s customers (both those who use EV certificates, and those who don’t) concerning what they think about website identity in browsers, browser UIs in general, and EV browser UIs in particular. [1] The data we published was based on 504 results collected over two days (a pretty good response).

The survey was distributed in a way that each customer could only respond once. We left the survey open, and can now publish updated results from a combined total of 804 separate certificate customers (300 more than last time). The results mirror the results we first reported two weeks ago – and based on Paul Walsh’s data on when survey results should be considered statistically significant [2], this means that the updated survey results are very solid.

Here is a summary of the updated respondent results for the six questions listed below.

(1) 97% of respondents agreed or strongly agreed with the statement: "Customers / users have the right to know which organization is running a website if the website asks the user to provide sensitive data." (This is the same result as for the prior sample.)

(2) 94% of respondents agreed or strongly agreed with the statement “Identity on the Internet is becoming increasingly important over time.” (This is 1% higher than in the prior sample.)

(3) When respondents were asked “How important is it that your website has an SSL certificate that tells customers they are at your company's official website via a unique and consistent UI in the URL bar?” 76% said it was either extremely important or very important to them. Another 13% said it was somewhat important (total: 89%). (This is 2% higher than in the prior sample.)

(4) When respondents were asked “Do you believe that positive visual signals in the browser UI (such as the EV UI for EV sites) are important to encourage website owners to choose EV certificates and undergo the EV validation process for their organization?” 72% said it was either extremely important or very important to them. (This is down 1% from the prior sample.) Another 18% said it was somewhat important. (This is up 1% from the prior sample.) The total is the same at 90%.

(5) 92% agreed or strongly agreed with the statement: “Web browser security indicators should be standardized across different browsers to make the UI easier for users to understand.” (No change from prior sample.)

(6) Finally, when asked “Do you think browsers should standardize among themselves on a common Extended Validation UI so that it appears roughly the same in all browsers?” 89% said yes. (This is down 2% from the prior sample.)

Here is the distribution of respondents by number of employees: 804 enterprise responses total (versus 504 in prior sample). There was an increase in survey participation by smaller companies in these updated results.

Organization Size by Employee Count
  12.34%  1 to 99 employees
  15.53%  100 to 499 employees
   9.71%  500 to 999 employees
  24.13%  1,000 to 4,999 employees
  17.20%  5,000 to 19,999 employees
  18.72%  20,000 or more employees
   2.36%  Don't know

Clearly organizations of all sizes think website identity is important, that the EV UI should be retained, and that the browser UI design should be standardized across different browsers. While any survey can certainly be improved, this is the only data anyone has provided to the Mozilla community concerning what website owners think about browser UIs, and what they would like to see.

We again recommend that Mozilla consider adopting the binary Apple UI, which works in both desktop and mobile environments and distinguishes between EV/identity sites (with a green lock symbol and URL) and DV/anonymous sites (with a black lock symbol and URL) – check it out on an iPhone. (Apple did not eliminate the EV UI, as some have erroneously said.) This is easy for users to understand at a glance. To see how it looks, compare apple.com (EV) to google.com (DV) on an iPhone using Safari.

Paul has suggested that color difference alone is not sufficient, and there should be something more to distinguish the EV UI from the DV UI – that sounds good to me, but if Mozilla and Apple align, we will have made progress on getting a common UI across multiple browsers.

As others have said on this string, there are no recent browser or academic studies that say an improved EV UI can’t work with users. The only study that has been cited to support removal of the EV UI is a Google study that essentially asked what users *do* know about UIs today (answer: users don’t understand the current EV UI and don’t rely on it to make security decisions). I believe the reason for this result is that the EV UI is constantly changing (the Chrome EV UI has gone through three major changes in the last 12 months, with no user education – so why should users understand it?) But the Google study only displayed to users a number of web pages with different UIs (without comment) and observed what the users *did* – the study stopped there.

A more useful study to help Mozilla decide whether or not to remove the EV UI (and to treat EV and DV sites as the same) would test what users *could* know and *would* do with an improved (and stable!) EV UI and simple user education about the Firefox UI. If it turns out that users can be easily trained to notice whether or not a site’s identity is known, wouldn’t that be useful study information for the Mozilla community?

If a user feels comfortable typing in a password or credit card number for well-known and trusted DV sites like google.com or facebook.com, that’s fine – but what about yourgoogle.com or facebook-alerts.com? Safe, or phishing? Wouldn’t it be smart at least to let users *know* through the UI whether or not those sites have a confirmed identity (or are just anonymous DV sites instead), so the users can decide for themselves whether or not to share their sensitive information with the site?
Paul has posted sobering data about the rise and danger of encrypted phishing sites. [3] And for those who don’t like EV or CAs in general, fine – but what’s your solution for protecting users? We have to do better.

Removing the Firefox EV UI is a big step for Mozilla, and it would be better if Mozilla based its decision on current data, and also considered the alternative of creating an improved EV UI instead of removing it.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/oBHe8ZJmAQAJ
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/Xk_YDFAMBwAJ
[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/iVCahTyZ7aw/Q9aOjYUQBwAJ