We have trained users to look for a padlock next to a website’s address like it means that you are safe.
Unfortunately, as we all know, it hasn’t quite worked out very well. At least not for us.
Expecting the average user to understand what the padlock means – and doesn’t mean – is unreasonable. In fact, it is doomed to fail.
For example, if a user is presented with a login screen for Netfilx.com, complete with a Netflix logo and a green padlock, are they likely to realize that netfILx is not netfLIx? Not likely.
What the padlock actually represents is the fact that the conversation is private, not that it is secure. When SSL (what is behind HTTPS) was invented, the object was to convince a skeptical public that providing their credit card to buy something online was safe. The people who created that did not have a crystal ball to help them see what scam artists would do in the future.
While that HTTPS conversation may be private, you may be talking to Satan.
Are we all doomed?
Actually not, but we are dependent on our technology providers to do more than they have done.
As Google’s Emily Schechter says in the article quoted above.
Google has already started to do more and they plan to continue doing more.
Rather than, for example, putting a padlock next to a website name saying it is secure when it is not, how about putting the message NOT SECURE next to its name. After all, no one is going to try and con you into falsely thinking their website is not secure, hence you are playing the hacker’s game against them. Google has already started doing this and as long as you and I understand what all that means, it will likely work better.
Another example of giving users a negative indicator of trust is when when you go to a website and get a message that says YOUR CONNECTION IS NOT PRIVATE. No one would lie and say that.
How about if you try to visit a website and instead you got a bright red screen with a message that says DECEPTIVE SITE AHEAD? You are probably going to think more carefully about visiting that site than if you don’t see a little green padlock.
Even the extended Validation, or EV, HTTPS certificate is far from perfect. We saw this recently with Stripe. As a test, a researcher got an EV certificate for a fake Stripe website because while the real Stripe was incorporated in Delaware, the fake Stripe, did exist, but was incorporated in a different state. Would a hacker have to spend more money, take more time and be more committed to pull this off than some? Yes. But it is far from impossible.
On the other hand, a bright red screen with squawking ducks telling you to, err, DUCK!, is much more likely to get your attention, unlikely to be faked and much less likely for the average user to get fatigued about. Or fall for the bad guy.
Google Chrome, the majority browser, is already working on these things. They don’t think this is simple, but they have admitted what we all know – that what we are doing now is not working. The bad guys are winning.
So look for more negative indicators of trust and heed their warning.
Information for this post came from Troy Hunt.