Jun 07 2017

An Alternative Interface for Website Security Certificates

Published by


Transport Layer Security (TLS/SSL) certificates and encryption are a central part of protecting user information online. Yet, the interfaces for certificate information are difficult to understand by most users. They do not notice the current indicators for SSL certificates, may misinterpret them, and may not notice if the indicator is missing altogether [1]. The typical user is unlikely to attempt to interact with the indicator by clicking on it, where detailed technical information about the security certificate is available [2]. They are unaware of the meaning of certificates and the information they can provide when determining whether to trust a website [1].

Users are also unaware of Certificate Authorities (CA) role in issuing and validating certificates [2]. The CA is a third-party organization who verifies ownership and issues certificates. SSL certificate assures the user that an eavesdropper will not intercept the information they are sending. However, most users are not aware that an encrypted connection does not ensure that the website they are using actually belongs to their bank or a trusted online store. This is dangerous to the user: they are vulnerable to attacks when the website of a trusted entity is perfectly copied, and they send their sensitive information to the owner of the false website instead of who they believe they are connected to.

An Extended Validity (EV) certificate is important to differentiate from a Doman Validity (DV) certificate since EVs confirm the website owner’s identity in addition to guaranteeing the safety of information transfer from the client to the server, by encryption. Current interfaces describing certificates vary from browser to browser and for the same browser on different operating systems. On major browsers, the interfaces are terse, or confuse by providing technical details. Moreover, browser differences are confusing and can be misleading to users. Also, these interfaces are constantly updated, leading to confusion and out-of-date help guides. Our goal is to specifically display certificate information in a way that is both meaningful and accessible to the user (to aid the typical user to distinguish between different certificate verification levels). Our research demonstrates that this can be achieved with even a simple “baseline” design.