Author: Anil Saldhana
The padlock displayed in your browser is an important security indicator for any sensitive web transaction, whether that is a simple login to your webmail account, a banking transaction, or enrolling on any web site that collects PII (Personally Identifiable Information).
As web site or content designers, do not display a padlock, or any image that resembles the browser's padlock, anywhere in your page content: it can send the user the wrong signal that they are interacting with a secure page when in fact they may not be. Increasing the comfort level of internet users is not only the responsibility of browser vendors but also of the web designers and web architects of online sites. The end goal should be to minimize phishing and malware delivered via the web, which is certainly not simple to achieve.
Tips for Web Designers/Architects
- Use https for the entire site. If that is difficult, then place all the pages that require sensitive interaction with the user, such as credentials or PII, on a secure server via https.
- Try not to mix secure and insecure content. If a web page loads resources from your servers, have them all come from a secure (https) location or all from an insecure (http) location, according to whether the page itself was requested over https or http.
- Look at the Extended Validation Certificates process for your web site.
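The first two tips above are easy to check mechanically before a page ships. The following script is an added example (not code from the original article or its author) that parses an HTML page served over https and reports two kinds of insecure references: subresources (scripts, images, stylesheets, frames and media) that a browser would fetch over plain http, which is the mixed-content case, and forms that would submit user input to an http endpoint, which is the case of credentials or PII leaving a secure page. Relative and protocol-relative references inherit the page's https scheme and are correctly left alone. The sample HTML and the example.test host names are constructed for the demonstration.

```python
"""Mixed-content and insecure-form checker for an HTML page served over https.

Added example; the sample HTML below and the example.test host names are
constructed for illustration and are not from the original article.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value makes the browser fetch a subresource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class InsecureReferenceFinder(HTMLParser):
    """Collects (kind, tag, resolved_url) for every reference that resolves to http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            action = attrs.get("action")
            # A form with no action submits back to the page URL, which is https.
            if action is not None:
                self._check("form-action", tag, action)
            return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value:
                self._check("mixed-content", tag, value)

    def _check(self, kind, tag, value):
        # urljoin resolves relative ("/x.js") and protocol-relative ("//cdn/x.js")
        # references against the page URL, so they inherit its https scheme and
        # only references that explicitly name http:// are reported.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))


def find_insecure_references(html, page_url):
    """Return the list of insecure references found in `html` at `page_url`."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("checker is meant for pages served over https")
    parser = InsecureReferenceFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two insecure subresources, one insecure form action.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.test/lib.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<img src="http://img.example.test/padlock.png">
<img src="https://img.example.test/logo.png">
<form action="http://login.example.test/auth" method="post">
  <input name="password" type="password">
</form>
<form action="/login" method="post"><input name="u"></form>
<a href="http://www.example.test/help">help</a>
</body></html>
"""

if __name__ == "__main__":
    page = "https://www.example.test/login"
    for kind, tag, url in find_insecure_references(SAMPLE_HTML, page):
        print(f"{kind:14} <{tag}> {url}")
```

Plain `<a href="http://...">` navigation links are deliberately not reported: following one is a new page load that the browser will show as http, not a silent downgrade of the current page. On the sample page the script reports the http script, the http image and the form that posts to an http endpoint, and nothing else.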
Myth: Nobody checks the Padlock.
Fact: Security-conscious users (whose numbers are on the rise) are picky about the padlock and insist on its presence in the browser chrome before they perform any sensitive operation on the web.
Yngve Pettersen, Chief Security Architect, Opera Browser, has an excellent blog entry on this:
When Opera 9.50 introduced advanced security features such as OCSP revocation checking and CRL information from CA issuers, multiple websites started to have issues, and users noticed the lack of a padlock for some of their favorite sites, such as their banks. The users started complaining to their banks and to Opera, which improved the security of banking sites.
Myth: Browser padlocks cannot be spoofed.
Fact: There have been reports of the padlock and its certificate being spoofed.
The Anti-Phishing Working Group (APWG) has a news article on this:
Web users should not only check that the URL in the browser address bar starts with "https", but also look for as many of the security cues the browser provides as possible.
- Look for the padlock in the browser chrome (not anywhere in the web content).
- If in doubt, open a secondary page from the browser menu that gives more information on the web page (such as Tools->Page Info in Mozilla Firefox, which shows the URL from which the page was loaded and the certificate information). If the site has spoofed the URL in the browser address bar to start with https, the secondary window will display the real URL.
- Browsers such as Mozilla Firefox change the color of the address bar when they interact with an SSL-enabled web site. If the web site has an Extended Validation Certificate (EV-Cert), the address bar on most modern browsers turns green when you visit that site.
- Excellent research article from Canadian researchers Tara Whalen and Kori M. Inkpen (Faculty of Computer Science, Dalhousie University, Halifax, Canada): "Gathering Evidence: Use of Visual Security Cues in Web Browsers".
- W3C Web Security Context Working Group, "User Interface Guidelines", specification draft.
- Extended Validation Certificates. http://en.wikipedia.org/wiki/Extended_Validation_Certificate
About the Author: Anil Saldhana is the Lead Security Architect at JBoss. He is currently the co-editor of a W3C security specification and blogs at http://anil-identity.blogspot.com