New Research Report: Browser Interfaces and SSL Certificates

david.nikonvscanon

Jennifer Sobey, Paul Van Oorschot, and I have recently reported on some work-in-progress research on web browser interfaces for SSL certificates. The report can be downloaded at

http://www.scs.carleton.ca/research/tech_reports/index.php?Abstract=tr-09-02_0023&Year=2009

Here is a summary…

Browser Interfaces and EV-SSL Certificates: Confusion, Inconsistencies and HCI Challenges

by J. Sobey, P.C. Van Oorschot, and A. S. Patrick

The introduction of Extended Validation (EV) SSL certificates has caused web browser manufacturers to take a new look at how they design their interfaces for conveying certificate information. In turn, we take a thorough look at the choices they have made. Our observation is that the changes being made significantly increase the confusion surrounding SSL certificates rather than increasing trust. We perform a systematic walkthrough involving dialogues and interfaces related to site identity, certificates, and SSL encryption; raise questions concerning the inconsistencies in their implementations; and highlight the confusion between identity and confidentiality. Prior to carrying out a full user study, we aim to define the problem clearly and to explore some possible alternatives. We suggest some improvements in terms of both mental models and interface design and emphasize the importance of consistency across browsers for appropriate user interaction with these certificate interfaces.
