[17284] in cryptography@c2.net mail archive


Re: Citibank discloses private information to improve security

daemon@ATHENA.MIT.EDU (Amir Herzberg)
Tue May 31 12:12:47 2005

X-Original-To: cryptography@metzdowd.com
Date: Tue, 31 May 2005 17:05:59 +0200
From: Amir Herzberg <herzbea@macs.biu.ac.il>
Reply-To: herzbea@macs.biu.ac.il
To: "James A. Donald" <jamesd@echeque.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
In-Reply-To: <42984C5C.30126.1D70B2@localhost>


> With bank web sites, experience has shown that only 0.3% 
> of users are deterred by an invalid certificate, 
> probably because very few users have any idea what a 
> certificate authority is, what it does, or why they 
> should care.  (And if you have seen the experts debating 
> what a certificate authority is and what it certifies, 
> chances are that those few who think they know are 
> wrong)

Well, I have some usability tests that seem to prove your intuitive 
claim that most users don't know what a CA is. I don't know about 
arguments between experts on this. I think, however, that even naive users 
understand quite well the TrustBar UI for SSL protected sites. We display 
something like <name/logo of site> identified by <name/logo of CA>. I'll 
appreciate your thoughts/feedback; try it at http://TrustBar.MozDev.org.

-- 
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame.html
