copied into website content. The study also
revealed issues that we did not anticipate […]:
• Some users don’t know that spoofing websites is
possible. Without awareness [that] phishing is possible,
some users simply do not question website legitimacy.
• Some users have misconceptions about which website
features indicate security. For example, participants
assumed that if websites contained professional-looking
images, animations, and ads, [then] the sites were
legitimate…’
So users may be getting smarter, but there is still a lot that
they need to learn and to know.
Q. If we become aware of what this study calls ‘security
indicators’ and can use them reliably, will we be safe? Can
the SSL padlock save the day?
A. Secure Sockets Layer (SSL) is very largely the fabric of
on-line commerce today. But most people assume that it is
simply what it says: secure, which means that too much trust
is often placed in the padlock which most browsers display
when the SSL protocol is in use. After all, padlock means
SSL, and SSL means secure.
In fact, there are a lot of problems with SSL, though
fortunately these do not appear to be of the ‘flawed
cryptography’ sort. The problems are a little to do with
implementation (or at least with deployment) and a lot to do
with use.
Very broadly speaking, SSL provides three main facilities for
securing web communications:
• the exchange of digital certificates, permitting each end
of the link to establish something about the identity of
the other end,
• the secure exchange of session