Continuing on the theme of confusing users, Security Dialogs and Graphics discussed the multitude of inconsistent styles for security warnings on web sites, mobile applications and in email.
This is usability hell. Why should each device, browser and application choose how these messages are worded and displayed? I mentioned previously the contributing factor of tab colouring in IE8 and a recent post Tabnabbing: A New Type of Phishing Attack demonstrates how users can be tricked into providing sensitive information to the wrong web site. But it's not just inconsistent technical implementation that matters; the humans in the process matter too.
Last week I came across two web sites in my normal business usage that gave me invalid SSL/TLS secure certificate warnings, and these weren't little businesses that might not know any better—both are multinational enterprises—one a UK bank, and the other a UK mobile phone company.
- In one case a registration process used a domain www.[subdomain].[company].co.uk whereas the certificate was for [subdomain].[company].co.uk
- In the other, the company had recently been taken over and the site was using www.[oldcompanyname].com whereas the certificate was for www.[newcompanyname].co.uk
But what surprised me most was the response I received when reporting these problems to the respective site owners. Neither organisation had a clear process for sending details of possible security problems and therefore the responses seem to have been directed through customer support channels.
One provided the initial response:
The details entered by you on our website are secured and any third party cannot access your details. In the meantime, you can lower the security level of your browser by going to the tools of the internet browser.
Once you've lowered the security level of the browser, I trust that the security certificate error you're getting will not occur.
and even though I re-explained the problem, and that it hadn't stopped me from doing what I wanted:
As such, you're not able to access your online account; please get back to me with the following details to escalate this matter to our online escalation team:
- Operating system
- Browser and its version
- Screen shot of the web URL page, where you get error
I'm sorry to learn that you are facing problems with the online certificate.
Colin, what you can do is lower the security on the browser to overcome this.
and the rather indefinite:
We have changed one of the web-addresses and have not been able to update the security certificate to reflect this; hence you are facing an error.
We are aware about this issue and our engineers are working towards it though there is no definite timescale.
and then back to asking me to supply screenshots, my username and details of my browser:
I do understand that the browser version doesn't have anything to do with the security certificate; however, to help you get this sorted, I'll need to forward your account details to our dedicated team.
As the issue is highly technical, you'll need to get back to us with the below given information...
Mmm.. and still no idea about the issue:
Believe me, the above details are very important to get your SSL security certificate issue sorted.
My issue? Their issue I believe.
The other company suggested it was the date/time on my own computer which was the fault:
Without speaking to you directly, this sounds like you've received a message that a security certificate has expired. If that is the case, this normally means the time and date on your computer are wrong; as soon as this is amended you should have no further issues accessing our website.
and some advice about security:
However if this still does not work please call us on ...
I'm sorry that I can't act on an e-mail request - as e-mail isn't 100% secure, we're not able to identify you this way. (We want to help keep your details safe - so it's a good idea to keep personal information to a minimum when using e-mail.)
at which point I rang them up, and stumped them by quoting their own tracking number. No further call back from them yet.
I found this all rather depressing. How can we expect customers (end users) to take care with security if the understanding and processes are not in place within the organisation, especially with customer-facing staff? Organisations like Get Safe Online and Card Watch are trying their best to educate people, but the web site owners need to play along too. So here's a quick checklist, including a couple of new items:
- Obtain your own domain like example.com or example.co.uk (not a sub-domain of some other company's domain, e.g. example.uk.com)
- Provide security training to web site architects and developers
- Determine how SSL/TLS will be applied on the site
- Buy a certificate and apply SSL usage appropriately through the site
- Verify the proper usage of SSL and session management
- Verify the correct SSL configuration
- Include SSL/TLS certificate management in change control processes
- Provide awareness training to customer support staff about what "secure web site" means and the types of enquiries customers may have
- Give some basic security advice to customers and direct them to other resources for more information
- Ensure there is a simple way for people to inform you of security concerns and possible incidents such as phishing, browser security warnings, compromised credentials, account mis-use, etc.
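The two mismatches described above (a certificate issued for the bare sub-domain being served on its www. host, and a certificate for the new company domain being served on the old one) are exactly what a site owner's own monitoring should catch before customers do, which is the "verify the correct SSL configuration" and "change control" items in the checklist. The following is an added example, not code from the original post: it reproduces both cases with constructed placeholder certificates in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, checks the served name against the SAN/CN list (including the single-label wildcard rule, which is why a *.company certificate would still not cover www.sub.company) and the expiry date, and can run the same checks against a live host.

```python
import ssl
import socket
import time

# Constructed sample certificates (placeholder hostnames) in the dict shape returned by
# ssl.SSLSocket.getpeercert(); they model the two mismatches described in the post.
SAMPLE_CERTS = {
    "www.sub.company.example": {  # certificate issued for the bare sub-domain only
        "subject": ((("commonName", "sub.company.example"),),),
        "subjectAltName": (("DNS", "sub.company.example"),),
        "notAfter": "Mar 15 12:00:00 2031 GMT",
    },
    "www.oldcompany.example": {  # certificate issued for the post-takeover domain
        "subject": ((("commonName", "www.newcompany.example"),),),
        "subjectAltName": (("DNS", "www.newcompany.example"),),
        "notAfter": "Mar 15 12:00:00 2031 GMT",
    },
}

def cert_names(cert):
    """DNS names the certificate covers: the SAN entries, falling back to the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or '*' as the whole left-most label only."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and (p == h or (p[0] == "*" and p[1:] == h[1:]))

def check_cert(hostname, cert, now=None):
    """Findings for a served certificate; an empty list means it is valid for hostname."""
    findings = []
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        findings.append(f"name mismatch: {hostname} is not covered by {names}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= (now if now is not None else time.time()):
        findings.append(f"expired: notAfter {cert['notAfter']}")
    return findings

def check_live(hostname, port=443, timeout=5):
    """Fetch the certificate a live site serves and run the same checks against it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; name matching is done by check_cert
    try:
        with socket.create_connection((hostname, port), timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return check_cert(hostname, tls.getpeercert())
    except ssl.SSLCertVerificationError as e:
        return [f"chain verification failed: {e.verify_message}"]
```

Running check_cert over SAMPLE_CERTS reports a name mismatch for both sample hosts, while check_live(hostname) lets the same check be scheduled against every public hostname after a domain or certificate change.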
Please—I don't want to have to go through customer support again! At the time of publishing this post, the certificate problems still exist.