Note - Document the Status Quo

User studies have revealed many problems with currently available security context information. This page is a mapping between DocumentStatusQuo and results from the resources in SharedBookmarks.

Results show users commonly do not understand the meaning of current security context information or are prone to using information that has nothing to do with security.

PKI Certificates

Most users are unaware of the purpose or meaning of certificates. Those who are aware of their purpose may not know what information to look for, or do not know the proper meaning of terms like "certificate authority". They do not know how to correctly check that the information is valid or that it matches the domain.

EV Certs

Users were presented sites with and without the green address bar and asked to determine whether the site was real or fake. Results from the questionnaire show the color of the address bar was not used in making this decision.

HTTPS

Users who know to look for "https" may not notice the absence of the "s" when they are presented with a site served over plain http.

Users have been told to look for the lock icon and are aware it is linked in some way to security. But users may not know what the lock means to them, and a high number don't know where the lock should appear: they do not distinguish between a lock shown in the browser chrome, one drawn in the page content, and one used as a favicon.

(Anyone know of any results for Mozilla's yellow address bar?)

User Agents - Code and Language Capabilities

HTML, Code Capabilities

Chrome

Users are unable to make the distinction between the browser chrome and the content of the page. They are unsure of who controls the information displayed in different parts of the chrome.

Messages / Dialogs

Messages are ineffective because users have been trained to click through warnings, do not understand the technical terms used in them, or check the box to never receive the warning again.

Configuration

Web Server

Application Security

User

Site Introductions

Third-party