Jun 01 2017
Web Certificates
Much of life is now online, so online security is critical. While many aspects of security are infrastructural, users must still make key decisions. In particular, users must decide which websites to trust and which to avoid. How can users know whether a website is truly what it claims to be? This is a pivotal issue.
When attackers can convince users to trust their sites, whether through phishing or other strategies, credentials are captured, user security and privacy are compromised, malware is downloaded, and infrastructure is undermined. The introduction of the Secure Sockets Layer (SSL) in 1995, since succeeded by TLS, was an important advance: it uses asymmetric cryptography both to establish in-transit encryption and to bind a server's identity to its public key through X.509 certificates. Web servers and browsers implement the encryption and decryption, and browsers convey the identity information to users via the browser chrome. The cryptography of SSL, however, confirms only that the server holds the private key matching the certificate it presents, which is all that is needed to set up the encrypted session; it says nothing about who operates the server. A “self-signed certificate”, for example, supports the handshake perfectly well, but because nobody other than its creator vouches for it, it offers no assurance of identity to end users.
To support users in assessing real-world identity, some external confirmation is necessary, and providing it is the role of Certificate Authorities (CAs). Even this confirmation can be limited, however. A “Domain-Validated” (DV) certificate typically confirms only that the requester controls the domain; this offers limited assurance and is usually issued quickly, often automatically. More confirmation of identity, and thus more assurance to users, is provided by “Organization-Validated” (OV) certificates, for which the CA verifies the identity of the organization making the request. More recently, “Extended Validation” (EV) certificates have been offered, for which the identity vetting is more comprehensive, giving users more assurance of the real identity of a website's operator.
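As an added example (not part of this page or of the project it describes), the following Go program uses only the standard library to make the distinctions above concrete. It creates a throwaway root CA, issues DV-, OV- and EV-style certificates for example.com that differ only in their subject fields and CA/Browser Forum policy OIDs, adds a self-signed certificate that carries the same organization name and OV policy OID, and then verifies each against a trust store containing only the demo CA. The CA name, the organization “Example Corp”, the serial numbers and the host are constructed for the example; the policy OIDs (2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.1 for EV) are the real CA/Browser Forum values, although browsers also recognise CA-specific EV OIDs from their own lists, which this classifier does not model. Go 1.18 or later is assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs a CA places in certificatePolicies (2.5.29.32) to declare its validation level.
var (
	oidCertPolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidDV           = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV           = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidEV           = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	levelOf         = map[string]string{oidDV.String(): "DV", oidOV.String(): "OV", oidEV.String(): "EV"}
)

type policyInformation struct { // RFC 5280 PolicyInformation; qualifiers (e.g. CPS URIs) are kept raw
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ValidationLevel reports what a certificate CLAIMS about its operator: EV and OV need the policy OID plus a
// subject Organization; anything else (DV OID, no or malformed policy, bare CN) is DV. Demo checks trust separately.
func ValidationLevel(c *x509.Certificate) string {
	for _, ext := range c.Extensions {
		var pols []policyInformation
		if ext.Id.Equal(oidCertPolicies) {
			_, _ = asn1.Unmarshal(ext.Value, &pols) // a malformed extension leaves pols empty
		}
		for _, p := range pols {
			if lvl, ok := levelOf[p.Policy.String()]; ok && (lvl == "DV" || len(c.Subject.Organization) > 0) {
				return lvl
			}
		}
	}
	return "DV"
}

// leaf builds a server-certificate template: the host goes in the SAN (verifiers no longer match
// the CN) and the policy OID is written as a certificatePolicies extension.
func leaf(serial int64, host string, subj pkix.Name, policy asn1.ObjectIdentifier) *x509.Certificate {
	der := must(asn1.Marshal([]policyInformation{{Policy: policy}}))
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subj, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidCertPolicies, Value: der}},
	}
}

// issue signs tmpl with signer (self-signed when parent == tmpl) and returns the parsed result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

type Result struct{ Name string; Trusted bool; Level string } // claimed level vs. whether a trusted CA vouched

// Demo builds a throwaway root CA (constructed for this example), issues DV-, OV- and EV-style certificates
// for example.com, adds a self-signed one that merely claims OV, and checks each against only that CA.
func Demo() []Result {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	host, key := "example.com", must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	orgSubj := pkix.Name{CommonName: host, Organization: []string{"Example Corp"}, Country: []string{"CA"}}
	self := leaf(5, host, orgSubj, oidOV) // same subject text and OID as the OV cert, but nobody vouched for it
	check := func(name string, c *x509.Certificate) Result {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
		return Result{name, err == nil, ValidationLevel(c)}
	}
	return []Result{
		check("DV", issue(leaf(2, host, pkix.Name{CommonName: host}, oidDV), ca, &key.PublicKey, caKey)),
		check("OV", issue(leaf(3, host, orgSubj, oidOV), ca, &key.PublicKey, caKey)),
		check("EV", issue(leaf(4, host, orgSubj, oidEV), ca, &key.PublicKey, caKey)),
		check("self-signed", issue(self, self, &key.PublicKey, key)),
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The self-signed result is the point of the exercise: ValidationLevel reports “OV” because the certificate says so, while Verify rejects it because no CA in the trust store vouched for it. A browser's identity indicator therefore has to be driven by the verified chain and the issuing CA's policy, never by the subject fields alone, which anyone can fill in.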
[Figure: browser address-bar indicators for a site with no certificate, a DV certificate, and an EV certificate]
- An Alternative Interface for Website Security Certificates
- Basic Background
- General Project
- DV vs OV: If users can’t tell the difference, is there one?
- Proposed Mental Model for Certificates
- Why doesn’t Facebook have an EV cert?
- Recent and Continuous Changes
- Prevalence of EV Certs in Canadian Banks
- Visualization for Mental Models of Website Certificates