<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>meandering wildly &#187; Phishing &amp; Malware</title>
	<atom:link href="http://blog.johnath.com/category/phishing-malware/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.johnath.com</link>
	<description>johnath in blog form</description>
	<lastBuildDate>Thu, 26 Jan 2012 14:39:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Interview with a 419 Scammer</title>
		<link>http://blog.johnath.com/2010/02/11/interview-with-a-419-scammer/</link>
		<comments>http://blog.johnath.com/2010/02/11/interview-with-a-419-scammer/#comments</comments>
		<pubDate>Thu, 11 Feb 2010 15:40:36 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
				<category><![CDATA[Linkage]]></category>
		<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Phishing & Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=441</guid>
		<description><![CDATA[For those who haven&#8217;t seen it, scam-detectives.co.uk has a really interesting 3-part interview with a former Nigerian scammer. Scam-Detective: A reader has asked me to talk to you about face to face scams. Were you ever involved in meeting a victim, or was all of your contact by email? John: I never met a victim, [...]]]></description>
			<content:encoded><![CDATA[<p>For those who haven&#8217;t seen it, <a href="http://www.scam-detectives.co.uk/">scam-detectives.co.uk</a> has a really interesting 3-part interview with a former Nigerian scammer.</p>
<blockquote><p><strong>Scam-Detective</strong>: A reader has asked me to talk to you about face to face scams. Were you ever involved in meeting a victim, or was all of your contact by email?</p>
<p><strong>John</strong>: I never met a victim, but I was involved in a couple of Wash-Wash scams.</p>
<p><strong>Scam-Detective</strong>: Wash Wash scams? What does that involve?</p>
<p><strong>John</strong>: We would tell the victim that we had a trunk full of money, millions of dollars. One victim met some of my associates in a hotel in Amsterdam, where he was shown a box full of black paper. He was told that the money had been dyed black to get through customs, and that it could be cleaned with a special chemical that was very expensive. My associates showed him how this worked with a couple of $100 bills from the top of the box, which they rinsed with some liquid to remove the black dye. Of course the rest of the bills were only black paper, but the victim saw real money. He handed over $27,000 (about £17,000) to buy the chemicals and was told to return to the hotel later that day to pick up the cash. Of course when he came back, there was nobody there. He couldn’t report it to anybody because if it had been real it would have been illegal, so he would have gotten himself into trouble.</p></blockquote>
<p><a href="http://www.scam-detectives.co.uk/blog/2010/01/22/interview-with-a-scammer-part-one/">Part 1</a>, <a href="http://www.scam-detectives.co.uk/blog/2010/01/26/interview-with-a-scammer-part-two/">Part 2</a>, <a href="http://www.scam-detectives.co.uk/blog/2010/02/02/interview-with-a-scammer-part-three/">Part 3</a>.</p>
<p>We build tools in Firefox like stale-plugin warnings and malware blocking to help protect our users, to neuter the technological attacks they may encounter on the web. But we also try, and need to keep trying, to build tools that inform our users so that they can make better decisions. Our phishing warnings and certificate errors try to do this, but mostly by scaring users away from specific attack situations. I hope we&#8217;ll continue to build tools like <a href="http://www.dria.org/wordpress/archives/2008/05/06/635/">Larry</a> which try to give people some affirmative context as well, to lend some nuance to their sense of place online. I want us to help our users know when they&#8217;re on Main Street, and when they&#8217;re in an alley.</p>
<p>I know: People get conned in the real world, too, and certainly no browser UI is going to save you from an email-based scam. Stories like this, though, are just specific instances of what I believe to be a more universal principle:</p>
<p style="text-align: center;"><em>the biggest security risk most people face is misplaced trust</em></p>
<blockquote><p><strong>John:</strong> Some of the blame has to go to the victims. They wanted the money too because they were greedy. Lots of times I would get emails telling me that they wanted more money than I was offering because of the money they were having to send. They could afford to lose the money.</p>
<p><strong>Scam-Detective:</strong> John, I think you have been basically honest with me so far. Please don’t stop that now. You know as well as I do that not all of your victims were motivated by greed. I have seen plenty of scam emails that talk about dying widows who want to give their money to charity, or young people who are in refugee camps and need help to get out. You targeted vulnerable, charitable people as well as greedy businessmen, didn’t you? You didn’t care whether they could afford it or not, did you?</p>
<p><strong>John:</strong> Ok, you are right. I am not proud of it but I had to feed my family.</p></blockquote>
<p>If you have ideas for how we can help users place their trust online more deliberately and carefully: please comment here, or build an addon, or file a bug.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/2010/02/11/interview-with-a-419-scammer/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Firefox Malware?</title>
		<link>http://blog.johnath.com/2008/12/08/firefox-malware/</link>
		<comments>http://blog.johnath.com/2008/12/08/firefox-malware/#comments</comments>
		<pubDate>Mon, 08 Dec 2008 17:28:04 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
				<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Phishing & Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=224</guid>
		<description><![CDATA[A crappy thing happened last week &#8211; someone wrote some malware that infects Firefox. We obviously don&#8217;t like that very much at all, but I wanted to at least make it clear what is and isn&#8217;t happening, since there&#8217;s some confusion out there. What is going on? Basically for as long as there has been [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">A crappy thing happened last week &#8211; someone wrote some malware that infects Firefox. We obviously don&#8217;t like that very much at all, but I wanted to at least make it clear what is and isn&#8217;t happening, since there&#8217;s some confusion out there.</p>
<p style="text-align: left;"><strong>What is going on?</strong></p>
<p style="text-align: left;">Basically for as long as there has been software, there have been nasty people out there who get you to download and install software which turns out to have hidden cargo.  Security folks use names like &#8220;virus,&#8221; &#8220;trojan,&#8221; &#8220;worm,&#8221; and &#8220;malware&#8221; to describe different types, but the point is that if a person can be tricked into running nasty programs, they can do nasty things.</p>
<p style="text-align: left;">In this case, rather than wiping your hard drive or turning all your icons upside down, this particular jerk has decided to mess with your Firefox. Once you run the program, it hooks into your Firefox and watches for you to visit certain sites, at which point it will steal your username and password.</p>
<p style="text-align: left;"><strong>How Can I Tell If I Have It?</strong></p>
<p style="text-align: left;">You can open up your Firefox addons manager (Tools-&gt;Add-ons) and go to the &#8220;Plugins&#8221; section.  If you have a plugin called &#8220;Basic Example Plugin for Mozilla&#8221; you should disable it.</p>
<p style="text-align: center;"><a href="/images/plugin.jpg"><img class="aligncenter" title="Plugin Manager" src="/images/plugin.jpg" alt="" width="450" /></a><br />
<small>Original credit to TrustDefender Labs&#8217; <a href="http://www.trustdefender.com/blog/2008/12/06/firefox-malware-chromeinject-the-honeymoon-is-over/">blog post</a> on the subject</small>
</p>
<p style="text-align: left;"><strong>Does This Mean that Firefox is Insecure?</strong></p>
<p style="text-align: left;">No, and here&#8217;s why:</p>
<ul style="text-align: left;">
<li>This particular malware targets our program, but once you have malicious software running on your system, it can just as easily attack other programs, or harm your computer in other ways.</li>
<li>This isn&#8217;t contracted by just browsing around the web with Firefox 3. In fact, the Malware Protection features in Firefox 3 are designed specifically to prevent sites from being able to attack your computer.</li>
</ul>
<p style="text-align: left;">The people getting infected here are either downloading enticing files that have the malware hiding inside (which is why Firefox 3 hands off all downloads to your computer&#8217;s virus scanner once downloaded) or, as some sites are <a title="The Register Article" href="http://www.theregister.co.uk/2008/12/04/firefox_plug_in_trojan/">reporting</a>, people who have already been infected in the past having their computers forced to download this file as well.</p>
<p style="text-align: left;">Typical Firefox 3 users who avoid downloading software they don&#8217;t trust are unlikely to ever see this, and even the sites reporting it describe its incidence as &#8220;rare&#8221;.</p>
<p style="text-align: left;"><strong>What&#8217;s this I hear about GreaseMonkey?</strong></p>
<p style="text-align: left;">There are some mentions of greasemonkey in a couple of the early reports based on some analysis of the code used by this malware, but I want to be clear that the (legitimate, and awesome) <a href="https://addons.mozilla.org/en-US/firefox/addon/748">Greasemonkey Addon</a> is not involved in this malware in any way. It is not involved in the installation or execution of the attack.</p>
<p style="text-align: left;">As always, the best defense is vigilance.  Use a browser with a solid security record and modern anti-malware defenses built in, and be very careful about downloading and running programs you find online.  If a bad guy is able to get you to run a program on your machine they will be able to do bad things, so we&#8217;ll keep trying to stop them and you keep trying to as well.</p>
<p style="text-align: left;">More details are also available on the <a href="http://blog.mozilla.com/security/2008/12/08/malicious-firefox-plugin/">official Mozilla security blog</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/2008/12/08/firefox-malware/feed/</wfw:commentRss>
		<slash:comments>18</slash:comments>
		</item>
		<item>
		<title>Security Screencast(s)</title>
		<link>http://blog.johnath.com/2008/06/26/security-screencasts/</link>
		<comments>http://blog.johnath.com/2008/06/26/security-screencasts/#comments</comments>
		<pubDate>Thu, 26 Jun 2008 17:04:13 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
				<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Phishing & Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Speaking]]></category>
		<category><![CDATA[Usability]]></category>
		<category><![CDATA[Video]]></category>
		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=125</guid>
		<description><![CDATA[As Alix mentions, I recently put together a quick screencast of some of the new security features in Firefox 3. Of course, beltzner promptly scooped me with his own inimitable screencast, and what with the launch, it&#8217;s only now that I&#8217;m getting around to posting mine. What&#8217;s interesting to me, though, is the difference between [...]]]></description>
			<content:encoded><![CDATA[<p>As <a href="http://blogmag.net/blog/read/79/Firefox_3_screencasts">Alix mentions</a>, I recently put together a quick screencast of some of the new security features in Firefox 3.  Of course, beltzner promptly scooped me with his <a href="http://www.beltzner.ca/mike/archives/2008/06/whats-new-in-fi.html">own inimitable screencast</a>, and what with the launch, it&#8217;s only now that I&#8217;m getting around to posting mine.</p>
<p>What&#8217;s interesting to me, though, is the difference between what I originally recorded, and what Alix published.  I recorded the raw screencast using <a href="http://www.jingproject.com/">Jing</a>, which is a simple, free screencasting tool for Mac and Windows.  It caps you at 5 minutes, and records as flash, but it&#8217;s super easy to use, and screencast.com will host the resultant video for you.  You can see what I recorded here:</p>
<p><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="769" height="635"><param name="movie" value="http://content.screencast.com/bootstrap.swf"></param><param name="quality" value="high"></param><param name="bgcolor" value="#FFFFFF"></param><param name="flashVars" value="thumb=http://content.screencast.com/media/5058e2be-67b2-4410-970f-b824f39565eb_c201f197-9e8a-4f0e-981b-250e6350a42f_static_0_0_Thumbnail.gif&#038;content=http://content.screencast.com/media/efa75122-cf4a-43fb-8311-d6dfb3d644b0_c201f197-9e8a-4f0e-981b-250e6350a42f_static_0_0_2008-05-26_2224.swf&#038;width=769&#038;height=635"></param><param name="allowFullScreen" value="true"></param><param name="scale" value="showall"></param><param name="allowScriptAccess" value="always"></param>  <embed src="http://content.screencast.com/bootstrap.swf" quality="high" bgcolor="#FFFFFF" width="769" height="635" type="application/x-shockwave-flash" allowScriptAccess="always" flashVars="thumb=http://content.screencast.com/media/5058e2be-67b2-4410-970f-b824f39565eb_c201f197-9e8a-4f0e-981b-250e6350a42f_static_0_0_Thumbnail.gif&#038;content=http://content.screencast.com/media/efa75122-cf4a-43fb-8311-d6dfb3d644b0_c201f197-9e8a-4f0e-981b-250e6350a42f_static_0_0_2008-05-26_2224.swf&#038;width=769&#038;height=635" allowFullScreen="true" scale="showall"></embed></object></p>
<p>But then I handed it off to Alix and David and Rainer, and they turned my 5 minutes of low production values into 2 minutes of edited, titled video, with helpful visuals!  See if you notice the difference&#8230;</p>
<p><object width="400" height="302"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://www.vimeo.com/moogaloop.swf?clip_id=1202525&amp;server=www.vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" /><embed src="http://www.vimeo.com/moogaloop.swf?clip_id=1202525&amp;server=www.vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="302"></embed></object><br /><a href="http://www.vimeo.com/1202525?pg=embed&#038;sec=1202525">Firefox 3: Security</a> from <a href="http://www.vimeo.com/firefox?pg=embed&#038;sec=1202525">Mozilla Firefox</a> on <a href="http://vimeo.com?pg=embed&#038;sec=1202525">Vimeo</a>.</p>
<p>As promised in <a href="http://blog.johnath.com/index.php/2008/06/23/hello-vancouver-briefly/">my last post</a>, I&#8217;ll soon be posting yet another video, this time an hour long talk I gave at FIRST.  And then, I think, no more blatant self-promotion for a couple weeks, eh?</p>
<p>Have you installed <a href="http://getfirefox.com">Firefox 3</a> yet?  </p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/2008/06/26/security-screencasts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firing Up Browser Security</title>
		<link>http://blog.johnath.com/2008/06/21/firing-up-browser-security/</link>
		<comments>http://blog.johnath.com/2008/06/21/firing-up-browser-security/#comments</comments>
		<pubDate>Sat, 21 Jun 2008 14:18:51 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
				<category><![CDATA[Linkage]]></category>
		<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Phishing & Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Speaking]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=123</guid>
		<description><![CDATA[Window and I recently did a joint interview for Federico Biancuzzi at SecurityFocus about many of the security changes we&#8217;ve made in Firefox 3. It covers both front-end and back-end information, and mentions several changes that I haven&#8217;t had a chance to mention here in the past. If you&#8217;re interested, check it out. [PS - [...]]]></description>
			<content:encoded><![CDATA[<p><a title="r80o's flickr page" href="http://flickr.com/photos/r80o/5549288/"><img class="alignright" style="margin: 10px; float: right;" src="http://farm1.static.flickr.com/3/5549288_ee8741271f_m.jpg" alt="Low Flying Dogs on Flickr" width="240" height="239" /></a><a href="http://www.dec.net/ws/">Window</a> and I recently did a joint interview for Federico Biancuzzi at SecurityFocus about many of the security changes we&#8217;ve made in Firefox 3.  It covers both front-end and back-end information, and mentions several changes that I haven&#8217;t had a chance to mention here in the past.</p>
<p>If you&#8217;re interested, <a href="http://www.securityfocus.com/columnists/475">check it out</a>.</p>
<p><small>[PS - Full props to <a href="http://flickr.com/photos/r80o/5549288/">r80o</a> on flickr - this is a pretty excellent photo for "caution", and CC too!]</small></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/2008/06/21/firing-up-browser-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Mal-what?  Firefox 3 vs. Bad People</title>
		<link>http://blog.johnath.com/2008/05/21/mal-what-firefox-3-vs-bad-people/</link>
		<comments>http://blog.johnath.com/2008/05/21/mal-what-firefox-3-vs-bad-people/#comments</comments>
		<pubDate>Wed, 21 May 2008 16:23:24 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
				<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Phishing & Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Usability]]></category>
		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=119</guid>
		<description><![CDATA[A lot of the things I write here are for geeks.  That’s unsurprising, given my own wonkish leanings, but I appreciate that it makes me a tough guy to love, much less read, at times.  Sorry about that, and thanks for sticking with me. With Firefox 3 on the cusp of the precipice of the [...]]]></description>
			<content:encoded><![CDATA[<p>A lot of the things I write here are for geeks.  That’s unsurprising, given my own wonkish leanings, but I appreciate that it makes me a tough guy to love, much less read, at times.  Sorry about that, and thanks for sticking with me.</p>
<p>With Firefox 3 on the cusp of the precipice of the knife’s edge of <a title="Release Candidate 1 available for download" href="http://developer.mozilla.org/devnews/index.php/2008/05/16/firefox-3-release-candidate-now-available-for-download/">release</a>, though, I wanted to stop pretending that everyone reads the same articles I do and talk about one of the many, really concrete things we’re doing to keep our users, like you, safe.  There will be graphs.</p>
<p><span id="more-119"></span></p>
<p><strong>The Age of Dorks</strong></p>
<p>In <a href="http://www.amazon.ca/gp/product/1594201501?ie=UTF8&amp;tag=httpblogjohna-20&amp;linkCode=as2&amp;camp=15121&amp;creative=330641&amp;creativeASIN=1594201501">Gang Leader For A Day</a>, Sudhir Venkatesh writes about the embarrassment inner city drug dealers feel when they see what passes for a “gang” out in the suburbs; little more than young kids with nothing better to do than smash windows for the fun of it.  That’s what internet crime was in the early days.  The typical criminal might have looked a little different, and the typical crime a little more confusing, but the net effect was about the same: some people, particularly people who visited the wrong parts of town, were victimized in relatively unexciting ways.  Maybe a sensitive email got forwarded around to your coworkers by a <em>mysterious hacker</em>.  Maybe your computer started acting funny.  Ho hum.</p>
<p><strong>There Goes the Neighbourhood</strong></p>
<p>After a while, your less geeky friends started getting online.  Words like “online banking” stopped sounding like something out of a bad movie.  Everything started getting the letter ‘e-’ attached to it.  Most importantly, there started to be money.  Money begets lots of fun things, like Diet Black Cherry Vanilla Dr. Pepper and Turtle Wax.  But it also begets crooks.</p>
<p>In terms of crime (okay, e-crime), the e-crooks were still mostly e-clueless, because they were still mostly e-newbies.  They weren’t very efficient, they weren’t very organized, they were actually pretty dumb.  But the internet was also wide open and didn’t have a lot of rules.  Ask an <a title="Wikipedia on Bison Hunts" href="http://en.wikipedia.org/wiki/American_Bison#19th_century_bison_hunts">American Bison</a> how that heady mix tends to play out.</p>
<p>So this legion of idiots started ruining it for everyone: they started spamming, because the internet made it cheap; they started defacing web sites of Fortune 500 companies and world governments, because the internet made it easy; and they started mass-mailing bank fraud, “phishing,” because the internet made it hard to stop.</p>
<p>Phishing is the name for those emails you see every day telling you that your bank accounts will be closed for some reason unless you log in <em>right away</em>.  Of course, the link in the email doesn’t take you to your bank, but to a clever forgery that steals your information, and then uses it to steal your money.  It’s not a trick you would fall for in real life, because a criminal would have trouble setting up shop in your actual bank branch, but online, it can be hard to tell your bank’s real web site from one of these fakes.  Firefox 3 includes <a title="Deb on the Site Identity Button" href="http://www.dria.org/wordpress/archives/2008/05/06/635/">some features to help you do that</a>, but really, it would be far better to just not go there in the first place.  That’s why we keep a list of known phishing sites in the browser, and warn you when you’re about to visit one.  We’ve done that since Firefox 2; maybe you’ve even seen one of our warning messages.  If not, well&#8230; that&#8217;s good!</p>
<p><strong>The Heavies</strong></p>
<p>The internet isn’t new any more.  We don’t bother pasting “e-” to the front of everything, because the fact that a service is available online isn’t exceptional any more.  That’s really fantastically awesome, as far as I’m concerned, but there’s a catch.  The really bad people out there, who were busy doing really bad things in the real world to make money before, they don’t ignore the internet as a passing fad any more.  There are ways for them to make real money online now: protection rackets extorting online casinos or major web sites for hundreds of thousands of dollars; selling 10,000 hacked computers to a major spam operation so that they can evade filters; enslaving millions of computers to click ads all day in order to scam ad companies.  The legion of idiots is making way for genuine organized crime, and it sucks.  The way they’re running a lot of these operations is with a thing called malware.</p>
<p>Malware (<a title="stopbadware.org on malware/badware" href="http://www.stopbadware.org/home/help">think “software”, but bad</a>) is the name we give to web sites and software that try to take over your computer, in order to do bad things, in the service of bad people.  Sometimes they use the old trick of getting you to run the program yourself &#8211; promising screensavers or greeting cards or otherwise nice-sounding things.  More and more though, they’re trying to attack you through the web sites you visit.  Here’s one way it can work:</p>
<ol>
<li>You visit a web site that you trust &#8211; maybe a <a href="http://www.theonion.com">news site</a>, or an <a href="http://www.englishcut.com/">interesting blog</a>.</li>
<li>Unbeknownst to you (Aside: do we ever talk about things being knownst?  “Knownst to me, this bagel contained bagel.” Anyhow&#8230;) Unbeknownst to you, the malware guys have injected some new code into the website.  They can do this by hacking the site, or by buying “ad space” as a way to get their content in there.</li>
<li>As soon as you load the page, this code starts trying to attack your computer by exploiting some unpatched security hole.  In fact, it will try hundreds of attacks, looking for any weakness.  This can happen in seconds, and invisibly, while you read about the rising price of Turtle Wax.</li>
</ol>
<p>Obviously, we work very hard to make sure that Firefox is never the “unpatched security hole” and I think <a title="Mozilla Security Blog" href="http://blog.mozilla.com/security/2008/01/17/read-past-the-headlines-firefox-is-fixed-faster/">we do a pretty good job</a>, as long as you make sure to apply those security updates when we send them to you.  But there are lots of programs on your computer, so Firefox’s own security isn’t a guarantee.  The best thing we can do is stop the page from ever getting the chance.</p>
<p style="text-align: center;"><a href="/images/malware-warning.png"><img class="aligncenter" style="vertical-align: middle;" src="/images/malware-warning.png" alt="Firefox 3 Malware Warning" width="400" /></a></p>
<p>In Firefox 3, we have juiced up your protection in a couple of pretty hard core ways.  First of all, we’ve added a second list, tracking all reported malware sites live on the net, in addition to the forgeries we blocked in Firefox 2.  Second, we now block the page right up front, before it even loads, so that your computer is not at risk.  And third, for people who are curious, we provide a report for malware sites that explains exactly what badness is going down.  This report is pretty technical, but it&#8217;s there if you&#8217;re interested.  It’s your browser.  You can even choose to ignore the warning, if you want, and go through to the site.  Obviously, I sort of hope you don’t.</p>
<p>We’ve got the real bad dudes and dudettes online now, and they’re not going to like having their income shut down, so we’re going to have to stay on our toes.  But when Firefox 3 comes out (and we’re getting it out as quickly as we can, believe me), I’m going to feel a lot better about you getting online.</p>
<p style="text-align: center;"><img class="aligncenter" src="/images/turtlewax.png" alt="Historical Pricing Data - Turtle Wax vs. Industry Average (no, not really)" width="435" height="373" /></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/2008/05/21/mal-what-firefox-3-vs-bad-people/feed/</wfw:commentRss>
		<slash:comments>21</slash:comments>
		</item>
		<item>
		<title>Security UI in Firefox 3plus1</title>
		<link>http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/</link>
		<comments>http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/#comments</comments>
		<pubDate>Wed, 16 Apr 2008 12:36:31 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
				<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Phishing & Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Usability]]></category>
		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=117</guid>
		<description><![CDATA[We&#8217;ve made a lot of changes (and more importantly, a lot of positive progress) in security UI for Firefox 3. We have built-in malware protection now, and better phishing protection.  We have a password manager that intelligently lets you see whether your login was successful before saving, instead of interrupting the page load.  We have [...]]]></description>
			<content:encoded><![CDATA[<p>We&#8217;ve made a lot of changes (and more importantly, a lot of positive progress) in security UI for Firefox 3.</p>
<p>We have built-in malware protection now, and better phishing protection.  We have a password manager that intelligently lets you see whether your login was successful before saving, instead of interrupting the page load.  We have gotten rid of several security dialogs that taught users to click OK automatically, unseeingly.  We have <a title="Wikipedia on OCSP" href="http://en.wikipedia.org/wiki/OCSP">OCSP</a> on by default.  We have a consistent place in the UI now where users can get information about the site they are visiting, including detailed secondary information about their history with the site; all of which are first steps in a long road towards equipping users with more sophisticated tools for browsing online, by taking advantage of habits they already have, and things we already know.  All the people who worked on this stuff know who they are, and I want to thank them, because it sure as hell wasn&#8217;t all me.</p>
<p>With Firefox 3 in full down-hunker for final release (and with conference <a title="Wikipedia on Silly Season" href="http://en.wikipedia.org/wiki/Silly_season">silly season</a> upon us) though, I&#8217;ve started to get serious about thinking through what comes next.</p>
<p>Here&#8217;s my initial list of the 3 things I care most about, what have I missed?</p>
<p><strong>1. Key Continuity Management</strong></p>
<p>Key continuity management is the name for an approach to SSL certificates that focuses more on &#8220;is this the same site I saw last time?&#8221; instead of &#8220;is this site presenting a cert from a trusted third party?&#8221;  Those approaches don&#8217;t have to be mutually exclusive, and shouldn&#8217;t in our case, but supporting some version of this would let us deal more intelligently with crypto environments that don&#8217;t use CA-issued certificates.</p>
<p>The exception mechanism in Firefox 3 is a very weak version of KCM, in that security exceptions, once manually added, do have &#8220;KCM-ish&#8221; properties (future visits are undisturbed, changes are detected).  But without the whole process being transparent to users, we miss the biggest advantage to this approach.</p>
<p>Why I care: KCM lets us eliminate the most-benign and most-frequently-occurring SSL error in Firefox 3.  Self-signed certs aren&#8217;t intrinsically dangerous, even if they do lack any identification information whatsoever.  The problem is that case-by-case, we don&#8217;t have a way to know if a given self-signed cert represents an attack in progress.  The probability of that event is low, but the risk is high, so we get in the way.  That&#8217;s not optimal, though.  When the risk is negligible, we should get <em>out</em> of the way, and save our warnings for the times when they can be most effective.</p>
<p><strong>2. Secure Remote Passwords</strong></p>
<p>Secure Remote Password protocol is a mechanism (<a title="Wikipedia on SRP" href="http://en.wikipedia.org/wiki/Secure_remote_password_protocol">have some math</a>!) for allowing a username/password-style exchange to happen, without an actual password going out along the wire. <a title="Rob's Blog" href="http://blog.mozilla.com/rob-sayre">Rob Sayre</a> already has a <a title="Bug 356855 - SRP" href="https://bugzilla.mozilla.org/show_bug.cgi?id=356855">patch</a>.  That patch makes the technology available, but putting together a UI for it that resists spoofing (and is attractive enough that sites want to participate) will be interesting.</p>
<p>Why I care: SRP is not the solution to phishing, but it does make it harder to make use of stolen credentials, and that&#8217;s already a big deal.  It also has the happy side effect of authenticating the site to you while it&#8217;s authenticating you to the site.  I wouldn&#8217;t want this useful technology to get stuck in the chicken-egg quagmire of &#8220;you implement it first.&#8221;</p>
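<p>The exchange both paragraphs describe, written out with both sides in one file as an added example (this is not Rob Sayre&#8217;s patch or any Mozilla code). It is SRP-6a: the server stores a salt and a verifier rather than the password, the client never sends the password, and the final proof from the server is what authenticates the site back to the user. The group parameters are a toy choice so the file stays short (N = 2**521 - 1, g = 5, which is not a vetted SRP group; real deployments use the RFC 5054 groups), and the credentials are constructed.</p>

```python
"""SRP-6a, both sides of the exchange in one file.

Added example, not Rob Sayre's patch or any Mozilla code. The group
parameters are a TOY choice chosen to keep the file short: N = 2**521 - 1
(a Mersenne prime) with g = 5 is not a vetted SRP group. Real deployments
use the groups published in RFC 5054.
"""
import hashlib
import secrets

N = 2**521 - 1
g = 5
NBYTES = (N.bit_length() + 7) // 8


def to_bytes(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    """Hash to an integer; SRP uses it for k, x and u."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(to_bytes(N), to_bytes(g))  # multiplier parameter of SRP-6a


def private_x(username: str, password: str, salt: bytes) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username: str, password: str) -> dict:
    """Server-side enrolment. Only the salt and verifier v are stored;
    the password itself never leaves the client."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(username, password, salt), N)
    return {"I": username, "s": salt, "v": v}


def client_start() -> tuple:
    a = secrets.randbits(256)
    return a, pow(g, a, N)  # (private a, public A sent to the server)


def server_start(record: dict) -> tuple:
    b = secrets.randbits(256)
    B = (k * record["v"] + pow(g, b, N)) % N
    return b, B  # (private b, public B sent to the client)


def client_session_key(username, password, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("server sent a degenerate B")
    u = H(to_bytes(A), to_bytes(B))
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(to_bytes(S)).digest()


def server_session_key(record, b, A, B) -> bytes:
    if A % N == 0:
        raise ValueError("client sent a degenerate A")
    u = H(to_bytes(A), to_bytes(B))
    S = pow((A * pow(record["v"], u, N)) % N, b, N)
    return hashlib.sha256(to_bytes(S)).digest()


def proofs(A: int, B: int, K: bytes) -> tuple:
    """M1 proves the client knows K; M2 proves the server does."""
    M1 = hashlib.sha256(to_bytes(A) + to_bytes(B) + K).digest()
    M2 = hashlib.sha256(to_bytes(A) + M1 + K).digest()
    return M1, M2


def run_exchange(username: str, password: str, record: dict) -> bool:
    """Play both roles. Returns True only if each side accepts the other's proof."""
    a, A = client_start()
    b, B = server_start(record)
    K_client = client_session_key(username, password, record["s"], a, A, B)
    K_server = server_session_key(record, b, A, B)
    M1_client, M2_client = proofs(A, B, K_client)  # client -> server: M1
    M1_server, M2_server = proofs(A, B, K_server)
    if not secrets.compare_digest(M1_client, M1_server):
        return False  # server rejects the client; no password was on the wire
    # server -> client: M2. A site that does not hold v cannot produce it,
    # so passing this check is what authenticates the site to the user.
    return secrets.compare_digest(M2_server, M2_client)


if __name__ == "__main__":
    rec = enroll("alice", "correct horse battery staple")  # constructed credentials
    print(run_exchange("alice", "correct horse battery staple", rec))  # True
    print(run_exchange("alice", "wrong password", rec))                # False
```

<p>Why this blunts stolen credentials: a dump of the server table yields verifiers, not passwords, and a phishing page that captures what the client sends sees only A and M1, neither of which can be replayed against the real site. The spoofing-resistant UI the post asks for is the part this file does not solve.</p>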
<p><strong>3. Private Browsing Mode</strong></p>
<p>This is the idea of a mode for Firefox which would protect users&#8217; privacy more aggressively, and erase any trace of having been in that mode after the fact.  Ehsan Akhgari has done a <a title="Bug 248970" href="https://bugzilla.mozilla.org/show_bug.cgi?id=248970">bunch of work</a> here, and in fact has a working patch.  While his version hooks into all the various places we might store personal data, I&#8217;ve also wondered about a mode where we just spawn a new profile on the spot (possibly with saved passwords intact) and then delete it once finished.</p>
<p>Why I care: Aside from awkward teenagers (and <a title="Bug 330884 - Firefox ruined my marriage" href="https://bugzilla.mozilla.org/show_bug.cgi?id=330884">wandering fiancés</a>), there are a lot of places in the world where the sites you choose to visit can be used as a weapon against you.  Private browsing mode is not some panacea for governmental oppression, but as the user&#8217;s agent, I think it is legitimately within our scope (and morally within our responsibility) to put users in control of their information.  We began this thinking with the &#8220;Clear Private Data&#8221; entry in the tools menu, but I think we can do better.</p>
<p><strong>(And also&#8230;)</strong></p>
<p>Outside of these 3, there are a couple things that I know will get some of my attention, but involve more work to understand before I can talk intelligently about how to solve them.</p>
<p>The first is for me to get a better understanding of <strong>user certificates</strong>. In North America (outside of the military, at least) client certificates are not a regular matter of course for most users, but in other parts of the world, they are becoming downright commonplace.  As I understand it, Belgium and Denmark already issue certs to their citizenry for government interaction, and I think Britain is considering its options as well.  We&#8217;ve fixed some bugs in that UI in Firefox 3, but I think it&#8217;s still a second-class UI in terms of the attention it has gotten, and making it awesome would probably help a lot of users in the countries that use them.  If you have experience and feedback here, I would welcome it.</p>
<p>The second is banging on the drum about our <strong>mixed content</strong> detection.  We have some very old bugs in the area, and mixed content has the ability to break all of our assumptions about secure connections.  I think it&#8217;s just a matter of getting the right people interested in the problem, so it may be that the best way for me to solve this is with bottles of single malt.  Whatever it takes.  If you can help here, name your price.</p>
<p>Obviously I&#8217;ve left out all the tactical fixup work on the UI we already have.  We all know that those things will need to happen, to be re-evaluated and evolved.  I wanted to get these bigger-topic thoughts out early, so that people like you can start thinking about whether they are interesting and relevant to the things you care about, and shouting angrily if they aren&#8217;t.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Should Malware Warnings have a Clickthrough?</title>
		<link>http://blog.johnath.com/2008/03/17/should-malware-warnings-have-a-clickthrough/</link>
		<comments>http://blog.johnath.com/2008/03/17/should-malware-warnings-have-a-clickthrough/#comments</comments>
		<pubDate>Mon, 17 Mar 2008 16:42:46 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
				<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Phishing & Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Usability]]></category>
		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/index.php/2008/03/17/should-malware-warnings-have-a-clickthrough/</guid>
		<description><![CDATA[In the latest nightly builds of FF3, and in the upcoming Beta 5, we let users choose to ignore our phishing warning, and click through to the site, just like they could in Firefox 2: But that same spot is empty in the malware case (unless you install my magic extension.)  Should it be?  It&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>In the latest nightly builds of FF3, and in the upcoming Beta 5, we let users choose to ignore our phishing warning, and click through to the site, just like they could in Firefox 2:</p>
<p style="text-align: center"><img src="/images/ignore-this-warning.png" alt="Ignore this Warning" height="311" width="403" /></p>
<p>But that same spot is empty in the malware case (unless you install <a href="http://people.mozilla.org/~johnath/extensions/enable-malware-clickthrough.xpi" title="Enable malware clickthrough extension">my magic extension</a>.)  Should it be?  It&#8217;s a harder question than it seems, on first blush.</p>
<p><span id="more-113"></span>My gut reaction is &#8220;No click-through for malware.&#8221;  I&#8217;ve <a href="http://blog.johnath.com/index.php/2007/07/25/beyond-the-padlock-oscon-talk-slides/" title="Beyond the Padlock - OSCON Slides">spoken before</a> about how we, as the experts, have an obligation to make certain decisions, rather than leave them to our users who are less well-equipped to make good ones.  That&#8217;s a hard position to hold; we very much want our users to have the power.  But a malware click-through is a perfect example.  We know that &#8220;I&#8217;ll just take a quick look&#8221; or &#8220;It looks fine to me&#8221; are not safe behaviours with malware sites, that the very act of loading the page may have already <a href="http://en.wikipedia.org/wiki/Pwned" title="Wikipedia has an article on ">pwned</a> you.  It feels like we should make this call.</p>
<p>But people are curious. When they encounter a blocked page, some number of them are going to want to see the trainwreck for themselves, and without a click-through, they have two options:</p>
<ol>
<li>Disable malware protection</li>
<li>Use a different browser</li>
</ol>
<p>In terms of keeping our users safe, these are both really terrible options.  Allowing a click-through is arguably far better for these users, since it keeps them in a safer browser, and since it still leaves malware protection running.  Even a user who will persistently click through every single warning page is still helped by malware protection running in frames, and maybe even decides to stop clicking through at some future point.  A user who turns it off probably never turns it back on again.</p>
<p>It is wholly unsatisfying to me to argue &#8220;Well, if they turned it off, they deserve what&#8217;s coming to them,&#8221; because these are our users, and they deserve protection no matter what.  Sure, some of them will click things they shouldn&#8217;t click, but our interface should keep the most users safe the highest percentage of the time with the minimum limitations imposed on their browsing experience.</p>
<p><a href="http://flickr.com/photos/kimblahg/454773309/" title="Flickr page for photo"><img src="http://farm1.static.flickr.com/221/454773309_d66d5d2cef_m.jpg" alt="Straightjacket by kimblahg" class="image-right" align="right" height="240" width="130" /></a>Aren&#8217;t conflicting constraints fun?!</p>
<p>So what to do?  I said before that in cases where we can make a substantially more informed decision than our users can, we should do it.  But I don&#8217;t know if that&#8217;s the case here.  I&#8217;ve talked to a lot of smart people about it, and most of them seem to end up somewhere in the middle.  If we <em>can&#8217;t</em> make smarter or safer decisions than our users, then I think we have to bring the choice to them after all.  I think that if we can&#8217;t find a convincing argument that totally blocking click-through is viable, then we need to make one available.</p>
<p>But I don&#8217;t like that one little bit.</p>
<p>If you have new information to contribute to the debate, it rages on in <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=422410">Bug 422410</a>, but I would encourage you not to jump in at the bottom without first reading the conversation that has come before.  Nobody here needs reminding that malware is bad juju, or that we shouldn&#8217;t be in the business of creating &#8220;Shoot me in the face&#8221; buttons.  With that disclaimer in mind though, any suggestions for resolving it are welcome.  The bug&#8217;s not a blocker, but it&#8217;s still an important thing to get right.</p>
<p>As right as possible, anyhow.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/2008/03/17/should-malware-warnings-have-a-clickthrough/feed/</wfw:commentRss>
		<slash:comments>23</slash:comments>
		</item>
		<item>
		<title>State of the Malware Nation</title>
		<link>http://blog.johnath.com/2008/02/26/state-of-the-malware-nation/</link>
		<comments>http://blog.johnath.com/2008/02/26/state-of-the-malware-nation/#comments</comments>
		<pubDate>Tue, 26 Feb 2008 17:33:22 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
				<category><![CDATA[Linkage]]></category>
		<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Phishing & Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/index.php/2008/02/26/state-of-the-malware-nation/</guid>
		<description><![CDATA[It&#8217;s a couple weeks old, I know, but for anyone who hasn&#8217;t seen it, Google&#8217;s Online Security Blog has linked to a draft article produced by some of their malware researchers about the trends they&#8217;ve observed in malware hosting and distribution.  Aside from a troubling pre-occupation with CDF graphs, it&#8217;s a really interesting look at [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s a couple weeks old, I know, but for anyone who hasn&#8217;t seen it, Google&#8217;s <a href="http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html" title="Google's Online Security Blog">Online Security Blog</a> has linked to a <a href="http://research.google.com/archive/provos-2008a.pdf" title="Research Draft">draft article</a> produced by some of their malware researchers about the trends they&#8217;ve observed in malware hosting and distribution.  Aside from a troubling pre-occupation with <a href="http://en.wikipedia.org/wiki/Cumulative_distribution_function" title="Cumulative Distribution Function">CDF</a> graphs, it&#8217;s a really interesting look at the way malware networks are spread through the internet.</p>
<p>I found this snippet interesting:</p>
<blockquote><p>We also examined the network location of the malware distribution servers and the landing sites linking to them. Figure 8 shows that the malware distribution sites are concentrated in a limited number of /8 prefixes. About 70% of the malware distribution sites have IP addresses within 58.* &#8212; 61.* and 209.* &#8212; 221.* network ranges.</p>
<p>&#8230;</p>
<p>Our results show that all the malware distribution sites&#8217; IP addresses fall into only 500 <a href="http://en.wikipedia.org/wiki/Autonomous_System_Number" title="Autonomous System Number">ASes</a>. Figure 9 shows the cumulative fraction of these sites across the 500 ASes hosting them (sorted in descending order by the number of sites in each AS).  The graph further shows the highly nonuniform concentration of the malware distribution sites &#8212; 95% of these sites map to only 210 ASes.</p></blockquote>
<p>But I think this is the big takeaway:</p>
<p align="center"><img src="/images/malware-landing-sites.png" alt="Malware Landing Site Distribution" align="middle" height="306" width="472" /></p>
<p>Because malware is being distributed via ad networks more and more, it&#8217;s no longer safe to assume that you&#8217;ll be okay if you just avoid the seedy parts of the net.  And because it&#8217;s no longer requiring user interaction in a lot of cases, the old-school &#8220;don&#8217;t run executables from random websites&#8221; best practice might not be enough either.  To stay on top of things, you are going to want to be running a browser that is as hardened as we can make it, and that also incorporates active checking of known malware sites.</p>
<p>And lookit, the Firefox 3 beta is <a href="http://developer.mozilla.org/devnews/index.php/2008/02/12/firefox-3-beta-3-now-available-for-download/" title="Firefox 3 Beta 3 Now Available"><em>right over here</em></a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/2008/02/26/state-of-the-malware-nation/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Revisiting Security UI &#8211; Part 2</title>
		<link>http://blog.johnath.com/2007/03/21/revisiting-security-ui-part-2/</link>
		<comments>http://blog.johnath.com/2007/03/21/revisiting-security-ui-part-2/#comments</comments>
		<pubDate>Wed, 21 Mar 2007 19:53:01 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
				<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Phishing & Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Usability]]></category>
		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/index.php/2007/03/21/revisiting-security-ui-part-2/</guid>
		<description><![CDATA[So we need to get better. We need to start fixing our messages to users so that we are more accurately communicating security information, while being mindful to not bury them in technicalities they neither want nor need. We need cues that are persistent (not relying on people to notice their absence), that are difficult [...]]]></description>
			<content:encoded><![CDATA[<p>So <a href="http://blog.johnath.com/index.php/2007/03/13/revisiting-security-ui-part-1-of-2/">we need to get better</a>.  We need to start fixing our messages to users so that we are more accurately communicating security information, while being mindful to not bury them in technicalities they neither want nor need.  We need cues that are persistent (not relying on people to notice their absence), that are difficult to spoof, and that don&#8217;t mix metaphors.</p>
<p>We also, difficult as it is, need to get out of the &#8220;safety&#8221; game.  We can&#8217;t tell users &#8220;this site is safe&#8221; because <em>we don&#8217;t know that</em>.  Even ignoring the liabilities that might come with such a claim, there isn&#8217;t a good technological way to tell, right now, whether a particular site is safe in the way users care about.  Do they handle credit card information properly?  Do they ignore angry customers?  Are they a front for stolen goods? These kinds of naughty people could get SSL certificates (and accompanying padlocks) and even the extended validation practices <a href="http://www.cabforum.org/certificates.html">being discussed</a> wouldn&#8217;t really stop them.</p>
<p>What we can do is equip people to make the safety decision for themselves, just as they often have to in the physical world, because we do have <em>some</em> information.  It&#8217;s like putting ingredients labels on food.  What we can do is change the conversation to be about identity instead of safety.  This is important, so pay attention:</p>
<p align="center"><em>We need to change the conversation to be one about identity, not safety.</em></p>
<p>Identity is something we can verify.  The padlock conflated identity with other things like encryption status and security, and while that conflation is almost natural to PKI-veterans, it has proven misleading for users.</p>
<div>So what might identity look like?</div>
<p><span id="more-81"></span></p>
<div style="text-align: center"><img align="middle" alt="Verifying Identity Mockup" title="Verifying Identity Mockup" src="/images/Verifying%20Identity.png" /></div>
<p>This is a preliminary mockup, and mostly it demonstrates my inability to draw.  Having said that though, it&#8217;s something I&#8217;d like to see us looking at for Firefox.  The idea is that as soon as the user starts loading a page on a site they&#8217;ve never visited, Firefox tries to identify it.</p>
<p><strong>Why The Dude?</strong></p>
<p>He is the <a href="http://www.aiga.org/content.cfm/symbol-signs">international standard passport guy</a>.  I call him Larry.</p>
<p>If we&#8217;re going to be making a change like this, to talk about identity instead of security, then our visual language needs to reflect that too.  I&#8217;m not at all stuck on the passport dude in particular, but he is iconic, somewhat visually simple (though not as much as I might like), internationalizable, and already familiar to a large percentage of the population, in a role not unlike the one he would be playing here (i.e. a verifier of trusted identity documents).</p>
<p>Other thoughts have included:</p>
<ul>
<li>The <a title="Google image search for the blue information icon" href="http://images.google.com/images?svnum=50&#038;hl=en&#038;imgsz=icon&#038;gbv=2&#038;safe=off&#038;q=info+blue+i&#038;btnG=Search">blue i</a> for &#8220;information&#8221;.  Visually simple and already in common use, but we&#8217;re looking for something a little more specific than just generic &#8220;information.&#8221;  It also might not internationalize well to non-latin alphabets.</li>
<li>A simpler icon representing a passport (i.e. sans-Larry).  This would seem to get us over the visual simplicity hump, but it&#8217;s hard to distinguish a passport from a generic book without resorting to either fine detail or language, both of which hurt us here.</li>
<li>Very simple icons like ? or checkmarks in place of the lock.  There isn&#8217;t a visual constant (like Larry) to tie the icons together in this case, which risks leaving the icons as visual clutter, and users without a clear idea of what they represent.</li>
</ul>
<p>But other ideas (or more attractive, royalty-free renderings of Larry) are certainly welcome.</p>
<p><strong>How Does It Work?</strong></p>
<p>To avoid being profoundly irritating, I&#8217;m thinking we don&#8217;t get in your face on sites that have already been checked out once.  In all cases the little dude will live in the address bar, to be interacted with as and if desired, but only on new sites will the speech bubble and text come up.  This means that on, say, a phishing site, the speech bubble is basically guaranteed to pop up, actively informing the user.  The fact that the speech bubble crosses between chrome and content area is something that also makes spoofing more challenging.</p>
<p>Technologically, what&#8217;s happening here is that we&#8217;re looking for an EV or other high-assurance certificate.  This is a precursor to loading an HTTPS connection anyhow, which means this can be happening before content is presented, minimizing the impact on actual web interactions.  And yes, those among you who know how this works might object to the claim that Firefox is &#8220;verifying&#8221; &#8211; it takes us milliseconds to verify an SSL cert&#8217;s validity and we&#8217;re really only checking an OID attached by the CA.  But it&#8217;s a sensible mental model to develop with our users, I&#8217;d argue.</p>
<p>Firefox verifies, and then, assuming everything&#8217;s super, we get:</p>
<p align="center"><img align="middle" alt="Identity Verified mockup" title="Identity Verified mockup" src="/images/Identity%20Verified.png" /></p>
<p>After a few seconds (or on any activity within the content area, scrolling, mouse clicks, or typing) the bubble will collapse back into the address bar icon and get out of your way.  This collapsing action helps tie the two pieces of presentation together, and invites the user to interact with the address bar entry in the future.  On mouseover or click, we can bring the speech bubble back up and so reinforce our users&#8217; behaviour to go here when seeking information.</p>
<p>The visuals, once again, are open to design revision, but the key takeaways are that when a site can be properly identified, we:</p>
<ul>
<li>Change the visual treatment to reflect the fact that we have received valid identification.</li>
<li>Show the user a meaningful, verified business name, giving the user something other than only the domain name to work with.</li>
<li>Identify the party responsible for verifying that identification, since there has been, until now, very little way for a user to make informed decisions about which CAs they trust &#8211; the supposed root of the entire public SSL infrastructure.</li>
<li>Provide them with a discoverable method to get more information.</li>
</ul>
<p>If that last bullet makes you wonder whether we are also looking to change the way we present the &#8220;Page Info&#8221; dialogs, you get a gold star.  That is another blog post though.</p>
<p><strong>Identity Unknown</strong></p>
<p>When the site cannot be identified, we get this instead:</p>
<p align="center"><img align="middle" title="Identity Unverified mockup" alt="Identity Unverified mockup" src="/images/Identity%20Unverified.png" /></p>
<p>Personally, I think that text is a little wordy, though less so than my first attempts.  We have to be mindful here not to make every site without an EV cert feel criminal.  Even the red in the question mark might be too harsh, but again the key design points are:</p>
<ul>
<li>The visuals have been weakened &#8211; lower contrast, question marks.  The idea is not to portray danger, just uncertainty.</li>
<li>Instead of identifying company and verifier, we have only some text to elaborate on the situation.  Must be kept to a sentence, and ideally a short one, so that it has some chance of being read.</li>
<li>Once again, there is a call to investigate the page further should the user desire.  Once again we are putting the decision making power in the hands of the person who can make it.  Ingredients on a soup can.</li>
</ul>
<p><strong>Putting It All Together</strong></p>
<p>Changing the conversation about web security is easier said than done.  And it&#8217;s easier to bitch about the padlock than it is to try to put something new out there.  But passive, intermittent, spoofable and misleading security cues really are a bad thing because there are lots of bad people out there.  The design I discuss here is evolving, but it is persistent, elaborative, difficult to spoof and avoids complicating things with mixed metaphors.</p>
<p>There are pragmatic issues aplenty, of course.  This blog post isn&#8217;t intended to delve into all of them, but a couple we&#8217;ll need to look at are:</p>
<ul>
<li>How to handle self-signed certs or CA-issued but non-EV certs that you are confident you can trust.  Answer: probably we just let you manually add those certs, at which point they get the checkmark, and read &#8220;Verified by: You.&#8221;  This task needn&#8217;t be particularly easy or prominent in the UI, since it&#8217;s somewhat rare, and relatively expertish.  It&#8217;s not like you can&#8217;t proceed without it.</li>
<li>Do we have the right set of information in the speech bubble?  Should the domain name be there too?  Is it more likely to help, or hinder, decision making?</li>
</ul>
<p>As for the padlock, I think it has had its day.  That&#8217;s a hard thing to say for me not just because I remember its birth, and have lived with it ever since, but also because it has a very significant amount of user learning behind it and that&#8217;s a hard thing to abandon.  But that inertia can&#8217;t keep us stuck somewhere we don&#8217;t want to be.  If the padlock had all that hifalutin learning behind it, I dare say that phishing incidents would be somewhat rarer than they are, and a bad idea doesn&#8217;t get better by being old.</p>
<p>I&#8217;m not opposed to displaying the padlock as a secondary indicator somewhere for users that want to dig for it, as an emblem purely of encryption (as it was, arguably, initially intended).  But I think its time as the primary security indicator is ending.</p>
<p>What do you think?</p>
<p>[N.B. I know <a title="Beltzner" href="http://www.beltzner.ca/mike">beltzner</a> hates it when people ask open-ended questions like that, but it turns out I already know what he thinks.  And he gets partial credit for much of this thinking, having been Mozilla's sit-in on a lot of security UI stuff before I came around.]</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/2007/03/21/revisiting-security-ui-part-2/feed/</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
		<item>
		<title>Revisiting Security UI &#8211; Part 1 of 2</title>
		<link>http://blog.johnath.com/2007/03/13/revisiting-security-ui-part-1-of-2/</link>
		<comments>http://blog.johnath.com/2007/03/13/revisiting-security-ui-part-1-of-2/#comments</comments>
		<pubDate>Tue, 13 Mar 2007 19:26:09 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
				<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Phishing & Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Usability]]></category>
		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/index.php/2007/03/13/revisiting-security-ui-part-1-of-2/</guid>
		<description><![CDATA[I tend to get excited about things. I&#8217;d say one of the key problems I have when writing &#8211; blogs, articles, books will probably be even worse here &#8211; is that, since I tend to be excited about things, my writing tends to wander to whichever dog has a puffy tail at the moment, and [...]]]></description>
			<content:encoded><![CDATA[<p>I tend to get excited about things.  I&#8217;d say one of the key problems I have when writing &#8211; blogs, articles, books will probably be even worse here &#8211; is that, since I tend to be excited about things, my writing tends to wander to whichever dog has a puffy tail at the moment, and I sometimes look back and end up wishing each piece was tighter and more single-minded.</p>
<p>Take my post <a title="2.8 billion reasons to do better" href="http://blog.johnath.com/index.php/2007/02/26/28-billion-reasons-to-do-better/">last week</a>.  Right now I&#8217;m excited about Firefox security UI, and about how to do a better job with the way we give users information.  This is a good thing for me to be excited about, since it pays my bills.  But I want to engender conversation about it, and to build context around my thoughts on the matter, and meandering isn&#8217;t necessarily the best way to do that.</p>
<p>So.  This is the first of two posts I will write in the next week or so about this stuff.  The goal is to outline:</p>
<ol>
<li>The way things are, and why we need to change them</li>
<li>My thoughts on where we need to be looking to go</li>
</ol>
<p>This is the first.  What are we, as browser builders, doing for the user today when it comes to security UI?</p>
<p><span id="more-80"></span><strong>The Padlock</strong></p>
<p>The most iconic (ha!) of browser security indicators is the little padlock icon that appears on &#8220;safe&#8221; websites.  It can be in the address bar&#8230;</p>
<p><img align="middle" title="Padlock in Address Bar" alt="Padlock in Address Bar" src="/images/padlock_addressbar.png" /></p>
<p>&#8230; or the status bar&#8230;</p>
<p><img align="middle" title="Padlock in Status Bar" alt="Padlock in Status Bar" src="/images/padlock_statusbar.png" /></p>
<p>&#8230; and is one of the few really universal indicators (please ignore the monkey.)</p>
<p>It, and its predecessor, Netscape&#8217;s key icon, try to tie a complicated statement about web site encryption to a concrete metaphor, a lock and key.  The good thing about this indicator is that it has some history of user education behind it, and it&#8217;s a relatively easy concept to understand.</p>
<p>The padlock has a lot of problems, though.  First of all, it is misleading; it doesn&#8217;t mean &#8220;safe&#8221; at all.  The padlock appears when a website presents a valid SSL certificate, issued by a company that your browser thinks is trustworthy.  But the bar for getting one of these can be as low as $10, and the validation the companies do varies from excellent to non-existent.  Even back in 2005, <a title="Netcraft report on SSL phishing" href="http://news.netcraft.com/archives/2005/12/28/more_than_450_phishing_attacks_used_ssl_in_2005.html">there were over 400 phishing attacks using SSL</a>.  So clearly, the padlock is not equivalent to safety.</p>
<p>Moreover, as with some of the other cues I discuss below, the padlock has no anti-padlock equivalent.  That is, if the padlock is meant to signal safety, then the possibility for danger is indicated by&#8230; nothing.  Users are expected to notice the <em>absence</em> of an indicator.  There is a relatively enormous wealth of data to back up claims that users are very bad at using the absence of something as a behaviour modifier.</p>
<p>Finally, the padlock&#8217;s positioning is pretty weak from a usability point of view.  Putting it in the address bar was a step in the right direction when it comes to associating the cue more strongly with the page you are viewing, but it is still a small, peripheral indicator that is only helpful to those who know, and remember, to check regularly.  An intrusive indicator could be worse, if it caused people to disable it completely, but if your cue is invisible to most users, it might as well not be there at all.</p>
<p><strong>Address Bar Decorations</strong></p>
<p>More recently, a lot of attention has been paid to the various ways to use the address bar as an indicator.  The flagship example of this is IE7&#8217;s &#8220;green bar&#8221;.</p>
<p><a href="http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx"><img align="middle" alt="IE7 Green Bar" title="IE7 Green Bar" src="http://ieblog.members.winisp.net/images/O868ii-sm.png" /> </a></p>
<p>The idea with the green bar is to call out sites which have gone through the extra trouble to obtain an &#8220;Extended Validation&#8221; certificate for their site.  This standard is <a title="CABForum" href="http://www.cabforum.org/certificates.html">still being drafted</a> but MS went ahead and included support for this cue anyhow, since standards bodies rarely line up with product release schedules. Mozilla, in a similar vein, turns the address bar yellow to supplement the padlock icon on encrypted sites.</p>
<p>I was in New York a couple weeks ago, with other browser vendors and certificate authorities, and let me tell you, there is a lot of interest in whether or not we&#8217;ll start shipping a green bar.  A consistent user experience around these things is important, so they&#8217;re not wrong to want to know where we stand.</p>
<p>But the green bar has most of the same problems that the padlock did.  Like the padlock, it is misconstrued to mean safety when it oughtn&#8217;t.  &#8220;<a title="Green Means Go" href="http://news.com.com/With+IE+7,+green+means+go+for+legit+sites/2100-1029_3-6134647.html">Green means go</a>&#8221; has become the press spin on the green bar, but just like the padlock, it&#8217;s making a statement about encryption and identity of the website, not a statement about whether they have honest business practices or protect your personal information.</p>
<p>Like the padlock, it expects users to notice its absence on sites without EV certs, leaving the address bar white in those cases.  In fact, Microsoft turns the address bar yellow on &#8220;suspicious&#8221; web sites, in delicious contrast to Firefox turning it yellow on encrypted sites.</p>
<p>Finally, affirmative address bar decorations are spoofable.  In a now relatively-infamous study, Microsoft Research found that <a title="Jackson article" href="http://www.usablesecurity.org/papers/jackson.pdf">the green bar actually made users <span style="font-style: italic">more</span> susceptible</a> to a particular kind of phishing attack called a picture in picture attack.  A clever attacker can use various doctored images to make it look like there&#8217;s an IE window <span style="font-style: italic">within</span> the real IE window, recreating the toolbars and menu items and oh yes, creating a green address bar in the process.  Users trained to look only for the green bar are easily fooled by this deception, in part because the real IE window isn&#8217;t offering any counter-indicating cues.  Just the absence of the green bar.</p>
<p><strong>Page Info</strong></p>
<p>When I say that the padlock isn&#8217;t about safety, I mean it.  We can&#8217;t really be in the business, as browser vendors, of telling users whether a site is absolutely safe or not.  What we can do is arm them with the information to make their own decisions.  Not &#8220;AES encrypted with a 256 bit key&#8221;, which is so impenetrable to most users as to constitute a total lack of information, but something.  In fact we already do this.  If you click on a padlock icon or right click on a page, you can get to the page&#8217;s security information.  It looks like this (at least, on a mac):</p>
<p><img align="middle" title="Page Info" alt="Page Info" src="/images/page_info.png" /></p>
<p>I don&#8217;t have much to say here except that we can do better.  I don&#8217;t mean it as a knock on the developers of this code &#8211; I know it&#8217;s intended to be for advanced users, and that if you dig into it, it really does provide complete information about the certs you&#8217;re working with.</p>
<p>But it&#8217;s a missed opportunity.  Page info, particularly the security tab, should be giving you information to help you make security judgements.  Have you been to this site before?  Do you have a stored password for this site?  My mom might or might not ever check for that information, but on the off chance that she did, I am certain it would be more helpful to her than &#8220;(RC4 128 bit)&#8221;.</p>
<p><strong>Anti-Phishing</strong></p>
<p>In more recent versions of most browsers, things have gotten a little better.  Most major browsers now ship with support for anti-phishing protection that looks something like this:</p>
<p><img align="middle" alt="Anti-phishing" title="Anti-phishing" src="/images/antiphishing.png" /></p>
<p>Anti-phishing has a lot of things going for it, as a piece of security UI.  It&#8217;s attention getting.  It&#8217;s very difficult to spoof since it crosses between content and chrome in a visible way (although presumably an attacker wouldn&#8217;t want to spoof a warning message anyhow).  Even the iconography is better because unlike the padlock which provides a misleading signal, the red-circle sign means DO NOT ENTER in the real world, and means the same thing here.  It has some minor bugs, but is mostly a good UI.</p>
<p>The big objection raised against it is that blacklist UIs are only as good as the blacklist, and it guarantees you&#8217;re always behind the times.  We&#8217;re pretty happy with it nonetheless, but it&#8217;s obviously not a complete solution.</p>
<p>So.  That&#8217;s where we&#8217;re at.  A lot of our cues miss the mark in some important ways.  We need cues that resist spoofing, that are clearer about the kind of information they provide, and that provide it in ways that are meaningful.  I have ideas here, so do lots of other smart people, and those ideas will no doubt evolve heavily in the coming months.</p>
<p>That&#8217;s part 2.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/2007/03/13/revisiting-security-ui-part-1-of-2/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
	</channel>
</rss>

