Site Inspector: Improving Browser Communication of Website Security Information


Research field: Safety



Venue: ACM Transactions on Privacy and Security, Volume 28, Issue 3


Abstract

Phishing sites exploit users’ limited understanding of website identity to mimic legitimate sites. While X.509 certificates can provide crucial cues regarding a website’s identity, current browsers fail to effectively communicate this information to users, even as phishing becomes an increasingly serious issue. To address this, we developed Site Inspector (SI), a UI tool that conveys website identity and connection encryption information, along with brief explanations of the relevant underlying security concepts. SI is implemented as a Mozilla Firefox browser extension, but the basic design could be integrated into any web browser. SI organizes content in a three-tiered abstraction hierarchy, drawing on Ecological Interface Design. The top level presents an indicator of the website owner, if known, and also whether the connection is encrypted. The second and third levels offer progressively detailed explanations of the verification process. SI adheres to design principles aimed at educating users about security through the UI while overcoming associated challenges. Its text is concise and direct, respecting limitations in users’ attentional resources and motivation to engage with security matters. As a proof of concept for SI’s principled design, we conducted a user study with 30 participants to evaluate its effectiveness in helping users differentiate real from fraudulent websites. Results suggested that SI improved users’ ability to identify fraudulent sites. Future work will involve further testing with a larger user base, integrating SI directly into browsers, and ultimately a more widespread and improved validation process for certificates, with stronger verification and transparency.


Author Profile
Eric Spero

School of Computer Science, Carleton University, Ottawa, Canada, and School of Computer Science, The University of Auckland, Auckland, New Zealand

Andorra
Author Profile
Robert L Biddle

School of Computer Science, Carleton University, Ottawa, Canada

Canada

📄 Paper information

Publication year: 2025
Citations: 0
Publication country: Andorra, Canada
Site: ACM
