SSL: UI Cues

SSL certificates manifest themselves through various subtle visual cues. The address bar displays "https" instead of "http," and valid SSL certificates generally present a trusted lock icon in the address bar to indicate security. For comparison, here are the SSL indicators in the most recent browsers:

[Screenshots: SSL indicators in Internet Explorer 9, Firefox 4, Chrome 11, Safari 5 and Opera 11]

There are also extended validation (EV) certificates, which are special SSL certificates that are reviewed by a human for semantic attacks and proof of legal business operation. For example, bankofthevvest.com (with two v's instead of a w) could easily get an SSL certificate, but only bankofthewest.com would be able to get the EV SSL certificate for Bank of the West. In general, browsers highlight EV certificates with more green and show the name of the organization on the certificate.

[Screenshots: EV certificate indicators in Internet Explorer 9, Firefox 4, Chrome 11, Safari 5 and Opera 11]
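
The bankofthevvest.com case above is a lookalike that a reviewer catches by eye; part of that check can be mechanized. The following is an added example, not code from the original page: it flags a hostname that collapses to a protected domain once common visual confusables are folded together. The confusable table, the protected list and all function names are assumptions for illustration, and the last two labels are treated as the registrable domain (no public-suffix handling).

```python
# Added example: flag hostnames that imitate a protected domain.
# CONFUSABLES is a small illustrative table, not a complete set.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]
PROTECTED = {"bankofthewest.com"}  # constructed list of domains to protect


def normalize(hostname):
    """Lower-case the name and drop surrounding space and a trailing dot."""
    return hostname.strip().rstrip(".").lower()


def last_two_labels(hostname):
    """Assumption: the registrable domain is the last two labels."""
    return ".".join(normalize(hostname).split(".")[-2:])


def skeleton(domain):
    """Fold visually confusable sequences into one canonical form."""
    name = normalize(domain)
    for seen, canonical in CONFUSABLES:
        name = name.replace(seen, canonical)
    return name


def lookalike_of(hostname, protected=PROTECTED):
    """Return the protected domain this hostname imitates, or None."""
    domain = last_two_labels(hostname)
    if domain in protected:
        return None  # the genuine domain itself
    # Fold the protected names too, so both sides are compared in the
    # same canonical form (e.g. "modern.com" folds to "modem.com").
    by_skeleton = {skeleton(p): p for p in protected}
    return by_skeleton.get(skeleton(domain))


if __name__ == "__main__":
    for host in ["bankofthewest.com", "bankofthevvest.com",
                 "www.BankOfTheVVest.com.", "example.org"]:
        print(host, "->", lookalike_of(host))
```

A match only means the name deserves a closer look; it says nothing about who registered the domain or why.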

Finally, self-issued, expired, and other forms of invalid certificates pose a thorny problem, because an attacker could easily have generated such a certificate by hand. These certificates sometimes arise from harmless configuration errors and at other times are part of active scams or attacks. Here the browsers take different strategies: Firefox requires four clicks to get to the site, Chrome highlights the insecurity of the site with a red background, while the others simply present dialog boxes. Unfortunately, a staggering 97% of SSL certificates on the web are invalid, leading users to disregard these dialog boxes. In fact, a 2009 study showed that the more tech-savvy the user, the more likely they were to ignore the warnings. Designing a good user interface for invalid certificates is thus still a huge open challenge.

[Screenshots: invalid certificate warnings in Internet Explorer 9, Firefox 4, Chrome 11, Safari 5 and Opera 11]