On Thursday, October 24, 2019 at 5:31:59 PM UTC-4, Paul Walsh wrote: > There is zero data from any company to prove that browser UI for website > identity can’t work.
https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf "In this paper, we presented a controlled between-subjects evaluation of the extended validation user interface in Internet Explorer 7. Unfortunately, participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group." https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf "We conclude that modern browser identity indicators are not effective. To design better identity indicators, we recommend that browsers consider focusing on active negative indicators, explore using prominent UI as an opportunity for user education, and incorporate user research into the design phase." And more at https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md - Julien _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy