Papers:Sending the Right Signals: Difference between revisions

From MozillaWiki
Changes begin at line 31 of the previous revision. The lines below were removed by this edit (the first three were sub-bullets of an outline whose parent item is not shown in the diff); the text that replaced them is the revision rendered in full further down this page.

** status notification areas
** security status notification techniques
** terminology used, technologies supported

* Arguments for consistency
** ability to move from browser to browser w/o relearning metaphors
** shapes user expectations
** promotes clarity

* What we know doesn't work
** techno-centric terminology
** expecting users to think deeply on these issues

And then, if we feel that a recommendation is needed, I was going to take a flyer with:

* What we propose
** simple notification with plain language to tell user if the site they are visiting is
*** real:        this website is who it says it is
*** secure:      this website is encrypted
*** recommended: this person says this website is safe
** potentially match up "zones" with these ideas

== Comments / Proposed Edits ==
* I use evaluation of trust as opposed to authentication - should I go through and edit that? [[User:Beltzner|Beltzner]] 02:20, 25 Jan 2006 (PST)

Revision as of 11:11, 25 January 2006

This document is currently in draft.
Please do not edit this page without permission. Your feedback and comments are welcomed on the [[Talk:User:Beltzner/Usability_and_Security|discussion page]].

This is Mozilla's submission for the upcoming W3C Workshop on Transparency and Usability of Web Authentication.

Jane, IRL

Jane is travelling, and finds herself in an unfamiliar area. She turns a corner and sees a bank, a corner store, and a taxi. She's hungry and wants to get back to her hotel, so she enters the bank, uses her ATM card to withdraw some money, walks to the corner store and gets a local snack and drink, and finally hops in the cab and heads off.

How did Jane know that the bank could be trusted? How could she be sure that the food she was about to buy wouldn't make her sick? What convinced her that the taxi driver was on the level?

In the physical world, there are a variety of signals that Jane can use to establish a sense of trust. Some of these signals are physical in form, such as the architecture of the buildings, the cleanliness of the taxi, and freshness seals on packages. Other signals are entirely conceptual, such as brand recognition. In all cases, however, Jane's assessment of trust is based on levels of familiarity. If Jane recognizes the name of the bank, she will likely trust it completely. Jane may also decide to trust the bank if she recognizes the pattern of the name of the bank (e.g. First National Bank of Whereverland) or if its physical characteristics match her mental image of a bank. There is a chance that Jane will be fooled, but we tend to be very effective at pattern matching, and even small inconsistencies would very likely raise suspicion.

Jane, Online

Jane returns home from travelling, and decides to go online and plan her next trip. After using a search engine to look for recommendations, she finds herself on an unfamiliar message board. She sees a link to a website that builds custom vacation packages. Jane likes this idea, and follows the link, submits her preferences and identification information, and charges her next trip to her credit card.

This time, when Jane had to make her assessment of trust, she had a similar set of signals to choose from. The name of the website may have been a recognizable brand, or may have closely matched a pattern that was familiar to Jane. The look and feel of the website may also have matched Jane's expectation of what a professional website looks like. Finally, and uniquely, her web browser may have provided some indication to Jane of how far she should trust the website being viewed.

IRL vs. Online

There are some fundamental differences between signals available to an individual in the physical and online worlds, and it is these differences that make internet users so vulnerable to attack.

  • Tangibility: Perhaps the most obvious difference is that the physical world is tangible whereas the online world is not. When an individual visits a location in the physical world, they can examine it directly rather than through some intermediary interpretive tool. As a result, we experience objects in the physical world in many more dimensions than those of the virtual. The additional dimensions (e.g. touch, smell, depth) all provide contextual signals which are absent from objects in the virtual world, and which can contribute to one's evaluation of trust.
  • Cost of Impersonation: Related to tangibility is the cost of impersonation. Because physical world objects must be convincing in so many dimensions, and because the human brain is so adept at recognizing patterns and exceptions to patterns, the task of impersonating an entity in the real world is both complex and costly. Virtual world objects, on the other hand, are easy to impersonate as they exist in far fewer dimensions. In fact, even authentic virtual world objects are frequently just endorsed impersonations of real-world counterparts.
  • Familiarity: The virtual world is new and unfamiliar to many of its users. As a result, there is less of an expectation of how an entity should appear in the virtual world. While it is true that many virtual entities such as banks have patterned themselves after one another (e.g. similar features, navigation structure and use of a prominent client login area), these patterns are young and malleable. The physical world, on the other hand, has well established patterns that result in an expectation of what an entity such as a bank would look like (e.g. tellers, thick doors, slips of paper, a security guard).
  • Consistency: Signals from the physical world are consistently presented to us through our own senses. We cannot modify our senses, merely interpret the signals that we receive through them. In the virtual world, however, there is an intermediary between the entity and our senses. The web browser we are using can present an entity, and signals about that entity, in an arbitrary fashion. As a result, signals from the virtual world are not necessarily consistently presented, but are instead dependent on the tool with which we are viewing the entity.

Evaluations of trust in the physical world are assisted by the fact that entities are tangible, costly to impersonate, familiar and consistently interpreted by our own senses. In the virtual world, however, we are hindered by the fact that entities are intangible, easily impersonated, unfamiliar and interpreted by clients that are not necessarily consistent.

Any solution that aims to simplify the task of evaluating trustworthiness in the virtual world therefore needs to address these limitations. The virtual world is, however, intangible by definition and, by virtue of its youth, unfamiliar; those two limitations cannot be designed away. This proposal therefore focuses on improving the consistency with which signals are presented to users, and on mechanisms for increasing the cost of impersonation.

Signals Presented by Web Browsers

Existing technologies for security on the web provide us with two signals that we can use to assist users in evaluating trustworthiness:

  • Encryption lets us comment on the likelihood that information exchanged with the entity could be read or altered by a third party while in transit.
  • Certificate signing allows us to comment on the authenticity of an entity's claim to its identity, as vouched for by a certificate authority (CA).

The three major web browsers available to users today (Internet Explorer, Mozilla, and Opera) all provide some mechanism to indicate these two signals to users. Each browser interprets and represents the signals slightly differently.

Internet Explorer 7 also uses a third technology, a "Phishing Filter", to provide a signal that comments on the likelihood that an entity is malicious in nature.

Internet Explorer 7

Members of the team developing the soon to be released Internet Explorer 7 have published their plans to use colour, iconography and text (http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx) to represent when an entity is thought to be either secure or insecure.

(screenshots)

All the indicators are presented in the URL bar widget. Colour and icons will be used to indicate a recommendation of action, and text will inform the user of the entity's claimed identity and the name of the CA that vouches for that identity. The solution indicates both positive and negative assertions of trust.

Mozilla

The Mozilla and Firefox web browsers use a combination of colour, iconography and text to signal when an entity is thought to be secure.

(screenshots)

In the URL bar widget, colour and an icon are used to indicate the presence of the signals. In the status bar area, an icon and text are used to indicate the entity's claimed identity. The name of the CA that vouches for that identity is available on a mouse hover in the URL bar or through the "Page Info" display.

Opera 8

Opera uses a combination of colour, iconography and text to signal when an entity is thought to be secure.

(screenshots)

In the URL bar widget, colour and an icon are used to indicate the presence of security signals. Text is used in the URL bar to indicate the entity's claimed identity, and clicking on that text reveals further information about the CA that vouches for that identity.

Terminology, Icons, and Locations Used

While all three browsers are broadly similar in how they present security signals, the details are inconsistent:

  • Icons: IE7, Mozilla and Opera all use a "lock" icon to indicate when security signals are present, but IE7 alone uses red and yellow "shields" to indicate when an entity is thought to be suspicious or malicious.
  • Colours: Mozilla and Opera use a yellow background to indicate when security signals are present. IE7 uses green to indicate a positive interpretation of trust, yellow to indicate suspicion and red to indicate a negative interpretation of trust.
  • Location: IE7 and Opera display the entity's claimed identity in the URL bar, and allow an individual to investigate the name of the vouching authority through a UI gesture. Mozilla displays the entity's claimed identity in the status bar and the CA through a UI gesture in the URL bar.
  • Terminology: IE7 uses "identified by" to indicate who the CA is. Opera calls the CA the "Certificate issuer" and Mozilla says that an entity is "Signed by" a CA. All browsers refer to "encryption", but present the encryption standards differently.

Proposals for Consistency and Clarity

It is Mozilla's position that any security solution requires consistency and clarity for users. Consistency allows a user to move from browser to browser without having to re-learn how to interpret signals from the browser on the trustworthiness of an entity. Consistency also shapes user expectations, and helps breed familiarity.

Consistency also promotes clarity, since users can focus on understanding a single concept (e.g. encrypting, signing) instead of multiple expressions of a single concept (e.g. encrypting, locking, signing, identifying).

Clarity is also accomplished by avoiding technology-centric terms, and by reducing the requirement for a user to think deeply on issues of trustworthiness.

It is our position that all browsers should consistently present the following signals to users:

  • A connection to an entity should be said to be secure when the connection is encrypted and it can be reasonably assured that communication is restricted to the user and the entity. Encryption alone does not meet this bar: if the certificate does not validate, or does not name the entity actually being visited, the party at the other end of the encrypted connection may be an interceptor.
  • If a connection is signed, then the entity should be said to be identified with some name, by some CA.
  • If a signal exists (through FOAF networks, whitelists, preferred CA signatories, etc.) that asserts a site to be trustworthy or untrustworthy, then the entity should be said to be recommended or suspected by some organization that accepts responsibility for that judgement.
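As an added illustration of the three signals above (this is not code from the paper, from Mozilla, or from any browser), the following JavaScript derives "secure", "identified" and "recommended"/"suspected" from a connection's state and renders them in the kind of plain language the proposal argues for. The shape of the state object, the field names, the function names deriveSignals and describeSignals, and the sample hosts and filter names are all assumptions made for the example. One interpretation it makes explicit is that "secure" requires the certificate to validate and to name the visited host, because an encrypted connection to an unverified party does not restrict communication to the user and the entity.

```javascript
// Added example: a model of the three signals the proposal asks browsers to
// present consistently. Not code from the paper or from any browser; the
// `state` object, its field names and the sample data are assumptions.
//
// state = {
//   encrypted:   boolean,        SSL/TLS negotiated for the connection
//   certValid:   boolean,        chain validates to a trusted CA, in date, not revoked
//   hostMatches: boolean,        certificate subject matches the host in the URL
//   subjectName: string | null,  identity the certificate claims
//   issuerName:  string | null,  CA that vouches for that identity
//   reputation:  { verdict: "trustworthy" | "untrustworthy", by: string } | null
// }

function deriveSignals(state) {
  // "identified": the connection is signed by a certificate that validates
  // and names the host actually being visited. A valid certificate for a
  // different host identifies nobody, so hostMatches is part of the test.
  const identified =
    state.encrypted && state.certValid && state.hostMatches && state.subjectName
      ? { name: state.subjectName, by: state.issuerName || "an unknown CA" }
      : null;

  // "secure": encrypted AND communication restricted to the user and the
  // entity. Encryption alone does not satisfy the second half: with a
  // self-signed or mismatched certificate, the party at the other end of the
  // encryption may be an interceptor. Reading the definition this strictly is
  // the example's own choice.
  const secure = Boolean(state.encrypted && identified);

  // "recommended"/"suspected": a third-party judgement is only surfaced when
  // an organisation is named to take responsibility for it.
  let recommendation = null;
  const rep = state.reputation;
  if (rep && rep.by && (rep.verdict === "trustworthy" || rep.verdict === "untrustworthy")) {
    recommendation = {
      verdict: rep.verdict === "trustworthy" ? "recommended" : "suspected",
      by: rep.by,
    };
  }

  return { secure, identified, recommendation };
}

// Plain-language rendering that avoids technology-centric terms (no "SSL",
// "lock" or "issuer"). A negative judgement is listed first so that positive
// signals (a valid certificate on a phishing site) do not drown it out.
function describeSignals(signals) {
  const lines = [];
  const rec = signals.recommendation;
  if (rec && rec.verdict === "suspected") {
    lines.push(`This website is suspected by ${rec.by}.`);
  }
  lines.push(
    signals.secure
      ? "Your connection to this website is secure."
      : "Your connection to this website is not secure."
  );
  lines.push(
    signals.identified
      ? `This website is identified as ${signals.identified.name} by ${signals.identified.by}.`
      : "This website has not been identified."
  );
  if (rec && rec.verdict === "recommended") {
    lines.push(`This website is recommended by ${rec.by}.`);
  }
  return lines;
}

// Constructed sample states (hypothetical hosts, CA and filter; not real data).
const SAMPLE_STATES = {
  signedAndMatching: { encrypted: true, certValid: true, hostMatches: true,
    subjectName: "bank.example", issuerName: "Example CA", reputation: null },
  selfSigned: { encrypted: true, certValid: false, hostMatches: true,
    subjectName: "bank.example", issuerName: "bank.example", reputation: null },
  wrongHost: { encrypted: true, certValid: true, hostMatches: false,
    subjectName: "other.example", issuerName: "Example CA", reputation: null },
  flagged: { encrypted: true, certValid: true, hostMatches: true,
    subjectName: "bank-login.example", issuerName: "Example CA",
    reputation: { verdict: "untrustworthy", by: "Example Phishing Filter" } },
};

for (const [label, st] of Object.entries(SAMPLE_STATES)) {
  console.log(label + ": " + describeSignals(deriveSignals(st)).join(" "));
}
```

Run under Node, the script prints one line per sample state. The selfSigned and wrongHost cases come out neither secure nor identified even though they are encrypted, which is the distinction a lock icon alone cannot convey; the flagged case shows the suspicion ahead of its otherwise valid certificate.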