Abstract
Extended validation (EV) certificates give web users information about the identity of the websites they visit, and the security indicators shown for EV certificates are meant to help users distinguish whether a visited website is legitimate. Although EV certificates have been in use for over ten years, general web users still do not sufficiently understand the EV certification mechanism or what the indicators mean. Through preliminary interviews, we extracted the relationship between three key factors in users’ conception of security, based on their cognitive processes: attention, comprehension, and trust. Specifically, indicators should draw users’ attention and have clear meanings that increase their comprehension; indicators can then assure users of a website’s trustworthiness on the basis of correct attention and comprehension. We designed brand validation (BV) indicators, new website identity indicators that display brand or service names in the URL bar and show the certification process in the detailed dialogue. According to the results of an online survey evaluating identity indicators, participants trusted our BV indicators more than the ordinary EV ones. Moreover, because most opinions that domain validation (DV) indicators were trustworthy were based on misunderstandings or habituation, once these incorrect opinions were excluded, participants trusted our BV indicators far more than the DV ones. Our BV indicators could also better educate participants to comprehend the meaning of website identity more correctly than the ordinary EV and DV ones.
Notes
1. Interviews were conducted in Japanese, and the responses are translated into English in this paper.
2. Three images ((A), (B), (C)), as in Fig. 4, were displayed in random order for each participant.
Appendices
A. Recruiting Detail of the Preliminary Interview
We recruited participants under the following conditions:
- using a PC and a web browser
- security-conscious enough to have installed anti-virus software
- high IT literacy: spent much time and money on websites and knew terms like “URL”, “browser”, “domain name” and “address bar”
B. Interview Flow Detail
The group interview flow was as follows:
- interviewed participants about their everyday internet use
- interviewed participants about the internet security risks they recognized
- interviewed participants about their countermeasures against security risks when using e-mail, what they took care to do, and why
  Follow-up:
  - what e-mails they conceived as suspicious, and why
  - whether they trusted URLs or links in e-mails, and why they thought URLs or links were safe or suspicious
  - what countermeasures they used, such as provider services, security vendor software, or other manual approaches
  - what actions they took when they received spam e-mails
  - whether they felt secure by taking only these countermeasures, and why
  - if they took no countermeasures, why not
- interviewed participants about their countermeasures against security risks when using web browsers, what they took care to do, and why
  Follow-up:
  - whether they trusted URLs or links in search engine results, and why they thought URLs or links were safe or suspicious
  - why they trusted websites, what they saw as important, and why
  - what countermeasures they used, such as provider services, security vendor software, or other manual approaches
  - whether they felt secure by taking only these countermeasures, and why
  - if they took no countermeasures, why not
- explained websites’ vulnerabilities related to URLs, and explained EV certificates as a countermeasure
- interviewed participants about their recognition of the EV certificate and indicator and their problems, as follows:
  - whether they had looked at a URL bar showing company or organization names in green, and on what websites they had seen it
    Follow-up:
    - their first impression of the indicator
  - whether they had known about EV certificates, certificate authorities, and certification processes before this interview
    Follow-up:
    - why they had known or noticed
    - whether they had clicked on the indicator or searched for its meaning, and why
  - how they felt or thought about the EV certificate after the explanation
    Follow-up:
    - why they felt trust
    - why they felt the EV certificate was difficult to understand, and how it could be made easier to understand
    - whether they could differentiate the EV certificate from the others
    - why they had not noticed
    - what the current EV certificate and indicator seemed to lack
  - what they thought about the strict certification processes for the EV certificate and indicator
    Follow-up:
    - how differently they felt about websites with EV certificates after learning about these certification processes conducted by third parties, and why
    - whether they had known about indicators displaying company or organization names, how they felt about them, and how they would be better for user recognition than company or organization names
C. The Details of the Online Survey
Q1. Time spent on the internet for private use (on a weekday).
Q2. Time spent on the internet for private use (on a holiday).
Q3. Your OS.
Q4. Your web browser.
(Q5–Q7) Look at the three images ((A), (B), (C)) given below and answer the following questions.
Q5. Which one can you “recognize” the most? Select one of the following: ( (A) / (B) / (C) ). Why?
Q6. Which one can you “understand” the most? Select one of the following: ( (A) / (B) / (C) ). Why?
Q7. Which one can you “trust” the most? Select one of the following: ( (A) / (B) / (C) ). Why?
© 2021 Springer Nature Switzerland AG
Okuda, T., Chiba, N., Akiyama, M., Fukunaga, T., Suzuki, R., Kanda, M. (2021). Brand Validation: Security Indicator to Better Indicate Website Identity. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2021. Lecture Notes in Computer Science(), vol 12788. Springer, Cham. https://doi.org/10.1007/978-3-030-77392-2_28
DOI: https://doi.org/10.1007/978-3-030-77392-2_28
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-77391-5
Online ISBN: 978-3-030-77392-2