On Thursday, October 24, 2019 at 5:31:59 PM UTC-4, Paul Walsh wrote:
> There is zero data from any company to prove that browser UI for website
> identity can’t work.
https://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf
"In this paper, we presented a controlled between-subjects evaluation of the
extended validation user interface in Internet Explorer 7. Unfortunately,
participants who received no training in browser security features did not
notice the extended validation indicator and did not outperform the control
group."
https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf
"We conclude that modern browser identity indicators are not effective. To
design better identity indicators, we recommend that browsers consider
focusing on active negative indicators, explore using prominent UI as an
opportunity for user education, and incorporate user research into the design
phase."
And more at
https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md
- Julien
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy