Exploring User Reactions to New Browser Cues for Extended Validation Certificates

  • Jennifer Sobey
  • Robert Biddle
  • P. C. van Oorschot
  • Andrew S. Patrick
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5283)


With the introduction of Extended Validation SSL certificates in Internet Explorer 7.0, web browsers are introducing new indicators to convey status information about different types of certificates. We carried out a user study which compared a proposed new interface in the Mozilla Firefox browser with an alternative interface of our own design to investigate how users react to these new indicators. Our study included eye tracking data which provided empirical evidence with respect to which parts of the browser interface users tended to look at during the study and which areas went unnoticed. Our results show that, while the new interface features in the unmodified Firefox browser went unnoticed by all users in our study, the modified design was noticed by over half of the participants, and most users show a willingness to adopt these features once made aware of their functionality.


Usable security extended validation certificates browser security user study 


  1. 1.
    CA/Browser Forum,
  2. 2.
    Dhamija, R., Tygar, J.: The Battle Against Phishing: Dynamic Security Skins. In: Proceedings of the Symposium on Usable Privacy and Security (2005)Google Scholar
  3. 3.
    Dhamija, R., Tygar, J., Hearst, M.: Why Phishing Works. In: Human Factors in Computing Systems (CHI 2006), April 22-27 (2006)Google Scholar
  4. 4.
    Downs, J.S., Holbrook, M., Cranor, L.: Decision Strategies and Susceptibility to Phishing. In: Proc. of the 2006 Symposium on Usable Privacy and Security (July 2006)Google Scholar
  5. 5.
    Felton, E., Balfanz, D., Dean, D., Wallach, D.: Web Spoofing: An Internet Con Game. In: Proc. of the 20th National Info. Systems Security Conference (1996)Google Scholar
  6. 6.
    Franco, R.: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers,
  7. 7.
    Gomes, C., Sellmann, M., Van Es, C., Van Es, H.: Computational Methods for the Generation of Spatially Balanced Latin Squares,
  8. 8.
    Jackson, C., Simon, D.R., Tan, D.S., Barth, A.: An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks. In: Proc. of Usable Security (2007)Google Scholar
  9. 9.
    K Desktop Environment,
  10. 10.
    Kumar, M., Garfinkel, T., Boneh, D., Winograd, T.: Gaze-Based Password Entry. In: Proceedings of the 2007 Symposium on Usable Privacy and Security (2007)Google Scholar
  11. 11.
    Microsoft: Extended Validation SSL Certificates,
  12. 12.
  13. 13.
  14. 14.
    Nightingale, J.: Personal Communication (September 19, 2007)Google Scholar
  15. 15.
    Opera Software,
  16. 16.
    Schechter, S.E., Dhamija, R., Ozment, A., Fischer, I.: The Emperor’s New Security Indicators. In: Proc. of the 2007 IEEE Symposium on Security and Privacy (May 2007)Google Scholar
  17. 17.
    Tobii Technology AB,
  18. 18.
    Whalen, T., Inkpen, K.: Gathering Evidence: Use of Visual Security Cues in Web Browsing. In: Proc. of Graphics Interface 2005, May 2005, pp. 137–145 (2005)Google Scholar
  19. 19.
    Whitten, A., Tygar, J.D.: Why Johnny Can’t Encrypt: A Usability Case Study of PGP 5.0. In: Proceedings of the 8th USENIX Security Symposium (August 1999)Google Scholar
  20. 20.
    Ye, E.Z., Yuan, Y., Smith, S.: Web Spoofing Revisited: SSL and Beyond. Tech. Rep. TR 2002–417, Department of Computer Science, Dartmouth College (2002)Google Scholar
  21. 21.
    Ye, Z., Smith, S., Anthony, D.: Trusted Paths for Browsers. ACM Transactions on Information and System Security, 153–186 (May 2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Jennifer Sobey
    • 1
  • Robert Biddle
    • 2
  • P. C. van Oorschot
    • 1
  • Andrew S. Patrick
    • 3
  1. 1.School of Computer ScienceCarleton UniversityOttawaCanada
  2. 2.Human-Oriented Technology LabCarleton UniversityOttawaCanada
  3. 3.Institute for Information TechnologyNational Research CouncilOttawaCanada

Personalised recommendations