Effectiveness of the SSL Padlock on your browser

When you perform an e-commerce transaction or provide PII (personally identifiable information) to a website, you typically look for two clues on the website - one that the url starts with https and the other a PADLOCK on the user agent. Certain browsers such as Mozilla Firefox change the color of the location bar. Now if these two clues exist, you feel certain that there will be no Man-In-The-Middle (MITM) attacks and your information will not be compromised.

But, have you wondered from an internet security perspective, how effective these visual cues are?

Here is an excellent research article from Canadian Researchers, Tara Whalen and Kori M. Inkpen who are the faculty of Computer Science at the Dalhousie University in Halifax, Canada. The article is titled, "Gathering Evidence: Use of Visual Security Cues in Web Browsers".

Let me point to some very key observations from this research:

Given the potential consequences of exposing
banking passwords and credit cards, users are understandably
concerned about the risks of online transactions.
People must be given the ability to discover and
understand security information when using the web.
The overall goal of this research is to develop feedback
that clearly informs users about security without overburdening
them with distractions.

Sixteen participants (10 female and 6 male) took
part in the study. Nine participants worked for the university
(faculty or staff), and seven were students.

Bank sign-in: Fifteen participants (out of 16)
thought that the bank sign-in page was secure. The one
person who thought it was insecure based their decision
on lack of clear security statements on the bank’s information
page. None of the participants used the certificate
data to conclude the connection was insecure.

Our research in visual security cues discovered information
that can be applied to browser design and
evaluation. In summary, we found that
• the lock icon is the browser security cue that is
most often looked at, but few interact with it;
• some experienced web users do not take any
notice of browser security cues;
• small browser icons can be easily misidentified
or confused, especially given the nonstandard
layouts among browsers;
• certificates as sources of information are seldom
used and rarely understood; and
• people tend to stop looking for security information
after they have signed into a site.

The important conclusion that I want to drive in this blog post is that security cues are necessary but not sufficient to provide an overall sense of trust on the Internet to the users.

The Web Security Context working group at the W3C is working hard with security experts, Browser Implementors, research, Anti-phishing and usability experts and their recommendation (work in progress) is available at:
Web Security Context: Experience, Indicators, and Trust

Now do not tell me that the padlock was all that you needed to assure you that a particular website was secure to interact with.

Additionally, you should know that the SSL padlock can be spoofed. Another report on this.