02 July 2010

Trust

Posts relating to the category tag "trust" are listed below.

15 September 2009

Picture-in-Picture Phishing Attacks and Operating System Styles

Phishing attacks are often targeted at organisations whose login credentials can be turned into financial gain, and these web sites almost always use SSL so that users can verify the identity of the site and so that data in transit is protected from being read or altered.

A recent paper, Crying Wolf: An Empirical Study of SSL Warning Effectiveness, from Carnegie Mellon University discusses the results of a survey of over 400 internet users. The conclusion: users ignore warnings about invalid SSL certificates.

The subject of trust user experience (TUX) was discussed during the Workshop on Security and Human Behaviour (SHB 2009) at Cambridge University this summer, and is summarised here. This included a discussion of how users who have been trained to be sensitive to warnings become more susceptible to picture-in-picture attacks. In these, an image of a (fake) browser, perhaps with a graphical representation of a green extended validation address bar, is displayed inside the user's real browser window, as in the mock-up below. The attack is most effective when the real browser is displayed at full screen resolution, because the fake window can then be drawn at the size and position the user expects the real one to occupy.

Partial mock-up of a picture-in-picture attack: the real browser shows a malicious web site address, but within it is a background identical to the desktop and a picture of another browser with what appears to be a valid SSL certificate. The content of the inner image is a form that submits the user's login credentials to the malicious web site.

Therefore I was interested to read about how web designers can use CSS to access operating system style settings (the "chrome" of Linux, Windows, Mac, etc.) and apply matching fonts and colours to web design elements. CSS provides system colour keywords such as Window, WindowText, ButtonFace, ActiveCaption and Highlight, and system font keywords such as caption, menu and status-bar, which the browser resolves to the user's current desktop theme. This means that if users have a customised desktop colour scheme, the fake browser in a picture-in-picture attack doesn't need to be drawn in standard desktop colours, but can pick up the user's own settings to confuse them further.

See also my comments about Colour Overload with IE8 Tab Grouping.

Posted on: 15 September 2009 at 07:49 hrs


04 September 2009

Internet in Britain 2009

The results of the Internet in Britain 2009 survey by the Oxford Internet Institute highlight people's usage of, and concerns about, the internet and web sites.

Partial screen capture showing the cover of the Internet in Britain 2009 report by William H. Dutton, Ellen J. Helsper and Monica M. Gerber of the Oxford Internet Institute

Some aspects of the report relating to e-commerce, trust, fraud and privacy are summarised below.

  • Confidence in the internet and the commercial services it offers remains high.
  • Use of the internet is leading to greater trust in the technology as a source of information and as a medium for communication and services.
  • Compared with 2007, people are just as concerned about credit card fraud and about the right to express opinions anonymously, but less concerned about the threat that computers and the internet pose to privacy.
  • Negative experiences of the internet are not as common as portrayed in the media.
  • The survey examined what personal information people are willing to provide when registering on web sites.
  • There is a general desire for greater regulation of the internet.

Read the report for the methodology, full information and detailed analysis. The report also provides useful data on internet penetration and usage patterns such as for web 2.0 and mobile technologies.

Posted on: 04 September 2009 at 13:48 hrs


24 April 2009

Put Your Own Organisation's Name On It

This week a friend contacted me about her business website. It seemed her company had paid for both a .co.uk and a .com domain name, but the latter was not currently mapped to her site.

It seems the web developer wasn't being co-operative and she was asking for some advice. It appeared that neither domain was registered in my friend's company's name; both named the developers. This makes things much more difficult if the developers are slow to respond to change requests, or fail to renew your domains, or you fall out with them, or they go out of business.

But I came across another example on Wednesday. I had to drive through London and later in the day I went to pay the £8.00 charge using the congestion charge online payment service from Transport for London.

Partial screen capture of a web browser's address bar with the URL https://cclondon.tfl.gov.uk/cclondon/payments/paycharge/pay.aspx and showing part of the web page

I looked at the SSL certificate's details and was very surprised to see that the organisation named on the certificate (the organization attribute of the subject's distinguished name) was not "Transport for London" but "Cobweb Solutions Ltd", presumably this company.

SSL certificate security information stating the connection to cclondon.tfl.gov.uk is secure and the certificate is issued by Thawte Premium Server CA

SSL certificate information stating the certificate name details are 'cclondon.tfl.gov.uk, Cobweb Solutions Ltd, Sydadmin Team, Fareham, England, GB'

Whilst nothing in the SSL/TLS protocol or the X.509 certificate format forbids this, it is contrary to expectations and good practice. If this were a retail website (where you choose to buy rather than being obligated to pay!), would a cautious potential customer trust the site? The certificate has also handed a malicious user a useful clue: the name of the software development company behind the system, and thus perhaps possible approaches to breaching it. Cobweb Solutions' own site has a shopping basket/e-commerce system with a similarly attributed certificate:

SSL certificate information stating the certificate name details are 'shop.cobweb.com, Cobweb Solutions Ltd, Sydadmin Team, Fareham, England, GB'

Like domain names, your own website's SSL certificates, regardless of certificate type, should be in your own organisation's name, not anyone else's. In fact this usually also makes the process of purchasing a certificate simpler. Note that a domain-validated certificate carries no organisation name at all; the organization (O) attribute only appears on organisation-validated and extended validation certificates, where it records the legal entity the certificate authority actually vetted, so that is the field to look at when deciding who you are really dealing with.
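The check described above, as an added example that is not the author's code nor anything from the Transport for London site: decode a certificate's subject Name from its DER encoding and compare the organization (O) attribute with the organisation you expect to see. The subject below is constructed from the fields quoted in the post rather than fetched from the live site, and the function names are my own.

```python
"""Decode an X.509 subject Name (DER) and check its Organization (O) attribute.
Added example for this post, not the author's code; the sample subject is
constructed from the certificate fields quoted above."""

# Attribute type OIDs that commonly appear in a subject Name.
OID_NAMES = {
    "2.5.4.3": "CN",    # commonName: the host name on certificates of this era
    "2.5.4.6": "C",     # countryName
    "2.5.4.7": "L",     # localityName
    "2.5.4.8": "ST",    # stateOrProvinceName
    "2.5.4.10": "O",    # organizationName: the legal identity the CA vetted
    "2.5.4.11": "OU",   # organizationalUnitName
}
TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_PRINTABLE, TAG_UTF8 = 0x13, 0x0C

def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body

def _encode_oid(dotted):
    """Dotted OID -> DER content octets (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def encode_name(attrs):
    """[(short_name, value), ...] -> DER Name: SEQUENCE OF (SET OF SEQUENCE
    { OID, UTF8String }), one attribute per RDN, as a CA would emit it."""
    by_short = {v: k for k, v in OID_NAMES.items()}
    rdns = b""
    for short, value in attrs:
        atv = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, _encode_oid(by_short[short]))
                   + _tlv(TAG_UTF8, value.encode("utf-8")))
        rdns += _tlv(TAG_SET, atv)
    return _tlv(TAG_SEQUENCE, rdns)

def _read_tlv(buf, pos):
    """Return (tag, content, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """DER Name -> [(short_name_or_dotted_oid, value), ...] in certificate order."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(seq):                   # each RDN is a SET of attributes
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid, after_oid = _read_tlv(atv, 0)
            vtag, value, _ = _read_tlv(atv, after_oid)
            if vtag not in (TAG_PRINTABLE, TAG_UTF8):
                raise ValueError("unsupported string type 0x%02x" % vtag)
            dotted = _decode_oid(oid)
            attrs.append((OID_NAMES.get(dotted, dotted), value.decode("utf-8")))
    return attrs

def organisation_matches(der_subject, expected_org):
    """True only when exactly one O attribute is present and it names expected_org."""
    return [v for k, v in parse_name(der_subject) if k == "O"] == [expected_org]

# Constructed sample: the subject fields quoted in the post, not a fetched certificate.
SAMPLE_SUBJECT = encode_name([
    ("CN", "cclondon.tfl.gov.uk"), ("O", "Cobweb Solutions Ltd"),
    ("OU", "Sydadmin Team"), ("L", "Fareham"), ("ST", "England"), ("C", "GB"),
])

if __name__ == "__main__":
    print(", ".join("%s=%s" % kv for kv in parse_name(SAMPLE_SUBJECT)))
    print("O is Transport for London:",
          organisation_matches(SAMPLE_SUBJECT, "Transport for London"))
```

The decoder only handles the Name structure, not a whole certificate; to run it against a live site you would extract the subject from the certificate with an X.509 library, or simply read the subject tuples that Python's ssl.SSLSocket.getpeercert() already returns for a verified connection. Either way the point is the same: CN (and subjectAltName) only prove control of the host name, while O is the vetted legal identity, and the check should fail, as it does here, when O names someone other than the organisation the user believes they are paying.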

On my friend's domain name issue, she has contacted the relevant domain name registrars using their disputes process to ask for the details to be updated. She is also checking whose name is on the web hosting contract.

Posted on: 24 April 2009 at 09:32 hrs


06 February 2009

Personal Information Promise

The stakes are higher for organisations with web-enabled systems that sign up to the new Personal Information Promise.

The Information Commissioner's Office (ICO) has launched its Personal Information Promise, which is intended to demonstrate an organisation's senior-level commitment to data protection.

The promise creates a public obligation, amongst other things, to:

have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands

It will be interesting to see how e-enabled organisations build this into their own policies, put it into practice and "regularly check that we are living up to our promises", i.e. audit where the personal information is and who has accessed it. Some may be considering implementing a personal information management system (PIMS); see Protection of Personally Identifiable Information on the draft British Standard. I suspect very few web sites yet have a sufficient level of logging and monitoring built in, and fewer still are audited against data protection requirements.

Posted on: 06 February 2009 at 08:21 hrs


16 December 2008

Accessibility and Security Roundup

For those of you planning new web projects in the new year, here are some pointers to accessibility resources to keep in mind. Accessibility is not a marginal issue: enabling web site users to interact with your web application without hindrance increases trust, improves the accuracy of information submitted and reduces errors. These are all aspects of software quality.

Accessibility sometimes gets lumped in solely with talk of disability. But a lack of special aids or adaptations hasn't been the significant barrier to internet usage by disabled people. As for everyone else, it's cost, lack of skills and lack of confidence. So what should we be doing for all users?

Partial screen capture of a web application log-in screen stating that the user's browser (the current version of Opera, 9.62) is incompatible, with links to download Internet Explorer, Firefox and Safari.

BSI British Standards is now inviting comments on a new Draft for Public Comment (DPC) BS 8878:2009, the draft standard on accessible websites (registration required). Based on the Publicly Available Specification (PAS) PAS 78:2006 Guide to Good Practice in Commissioning Accessible Websites which will ultimately be withdrawn, the final date for submissions is the end of January 2009 with an aim for the standard to be published in summer 2009. Thankfully, BSI have now published the complete documents in PDF and Word format (no registration required), since the mechanism for reading and providing feedback is an excellent example of an unusable application! The draft standard is summarised by the document's statement:

The goal of any web project should be to create web experiences that are accessible, usable and enjoyable.

I'd add "safe" to the list.

Last week saw the Web Content Accessibility Guidelines 2.0 (WCAG) becoming a full W3C Recommendation. Key reference WCAG 2.0 Documents are:

These aspects are increasingly being highlighted in web project contracts and specifications, and system architects, designers, developers and testers need to know how to build compliant applications. It is important to understand that users won't just be using popular modern web browsers; all sorts of devices and user agents will be used. Information security shouldn't be weaker for anyone, regardless of their access method.

One aspect of WCAG 2.0 is maximising compatibility with current and future user agents, including assistive technologies. A related project from the Accessibility Interoperability Alliance (AIA) worth monitoring is concerning Common Keyboard Shortcuts for Accessible Technology (AT) Products Used with Web Browsers along with the Open Web Application Security Project (OWASP) Intrinsic Security Working Group's efforts on introducing more useful security into all web browsers.

Posted on: 16 December 2008 at 12:18 hrs



© 2008-2010 clerkendweller.com