Presentation on SSL security indicators

November 29, 2010 at 08:06PM     Research

I recently gave a talk at an Australian conference on computer-human interaction (OzCHI 2010) on some recent work I did on analyzing security indicators in web browsers. I've posted the talk and the paper in case anyone is interested in looking at the slides; it's probably my least technical presentation/paper to date, and hence accessible even to a relatively non-technical audience.

I also want to take this opportunity to make a brief public service announcement on the lessons from the talk. Security indicators are the things that a web browser displays to help the user decide if the connection from the web browser to the server is encrypted. These include the presence of a lock icon in the browser window, a URL in the location bar that starts with "https", and the domain name of the website matching the domain name the user typed in.

As a user, be sure to check for these security indicators before typing your username, password, or credit card information.

As a website programmer, please design sites that properly display security indicators at the right time. For example, it's not enough just to submit the login form over HTTPS; you should also deliver the login form over HTTPS, otherwise how will the user know that the password will be protected when they click submit? Sadly, lots of sites get this wrong, as my research uncovered. Design recommendations—which are known to some but are worth repeating—appear in the paper.
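The "form delivered over HTTP, submitted over HTTPS" mistake described above is easy to check for mechanically. The following is an added example, not code from the post or the paper: it parses a page's HTML with the standard library, finds every form containing a password field, and classifies it by the scheme of the page it was delivered on versus the scheme of its resolved action. The sample page and the function and verdict names (`audit_login_forms`, `form_over_http`, `submit_over_http`) are constructed for the example.

```python
# Added example (not from the original post): flag pages that deliver a
# password form over plain HTTP, even when the form itself submits to HTTPS.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordForms(HTMLParser):
    """Collect the action of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.actions = []
        self._form = None  # [action, has_password] while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = [a.get("action") or "", False]
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._form[1]:
                self.actions.append(self._form[0])
            self._form = None


def audit_login_forms(page_url, html):
    """Return (resolved_action, verdict) for each password form on the page."""
    parser = _PasswordForms()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    results = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # empty action posts back to the page
        if urlsplit(target).scheme != "https":
            verdict = "submit_over_http"  # credentials sent in the clear
        elif not page_https:
            verdict = "form_over_http"  # the mistake the post describes
        else:
            verdict = "ok"  # form delivered and submitted over HTTPS
        results.append((target, verdict))
    return results


# Constructed sample: login page delivered over HTTP, form submits over HTTPS.
SAMPLE_URL = "http://www.example.com/login"
SAMPLE_HTML = """<form action="https://www.example.com/session" method="post">
<input type="text" name="user"><input type="password" name="pass"></form>
<form action="/search"><input type="text" name="q"></form>"""
```

Running `audit_login_forms(SAMPLE_URL, SAMPLE_HTML)` reports the session form as `form_over_http`; the search form has no password field and is ignored.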