Last in this session at #usesec19: "The Web's Identity Crisis: Understanding the Effectiveness of Website Identity Indicators" by Christopher Thompson, Martin Shelton, Emily Stark, Maximilian Walker, Emily Schechter, and Adrienne Porter Felt, Google

[ delay while they try to make the slides not trigger a seizure for anybody. ow. ]

This talk is about the problems we face in explaining website identity to users.

The principal form of website identity is like google.com

Also show extra information through Extended Validation certs, like show cert is associated with a legal entity

Chrome has tried to move for HTTPS indicators towards not showing that something *is* secure and showing it *isn't* using HTTPS (correctly).

When a user does something risky, we should let them know. If it's something really bad, show them BIG TIME.

Like in cars, check engine light comes on when there's a problem.

SafeBrowsing can warn if it's a known-bad page, but for unknown threats we rely on showing the site origin. So we're showing when things are *right* not telling people when things are wrong.

We've also seen attacks on EV certificates, like getting a legit cert for "Stripe" which wasn't the payment processor or one called "Identity verified" which sounds much less sketchy to most users than it is.

Tested: does the absence of the EV UI affect user behaviour? (e.g. navigation behaviour, form behaviour, etc.)

Result: it has effectively no effect [🔥🔥🔥]

So did more studies to figure out whether users detect cross-juristicion name collision attacks. The EV name includes country code.

Result: it doesn't matter. Showing the wrong code, showing no country code. Users didn't notice.

Used eyetracking studies to dee where people looked.

Result: they looked in the same places but didn't see the issue.

Best quote: "I never noticed the MX on a PayPal page, but it seems legit"

How do user react to EV UI in other modern browsers. Tested Safari. Users didn't seem to mind either way, but split on whether the EV name helped (some wanted to see the URL)

Used eyetracking studies to see where people looked for Safari UI. Basically the same.

Users don't do very well with understanding and making security decisions with URLs. Does highlighting parts of the URL help users understand site identity?

Tried a bunch of experimental conditions where highlighted parts of name, hid noisy stuff (like long random numbers in URL).

... few noticed anything strange

So what now? We think we need more radical redesigns in web identity indicators.
* EV UIs fall short, doesn't provide good defense, users don't act differently
* Recent POC attacks would likely to be effective in the wild
* Simple tweaks don't seem to be enough

Suggest moving to negative indicators, like for HTTPS. Open problem in expressing identity.

For example: Chrome experimenting with "lookalike" warning. If a user goes to a site and going to something that looks really similar, shows interstitial warning page.

User education: focus user attention on things that matter. That's also a way to educate. EV indicators take up valuable room... and don't seem to actually be helpful. At all.

We should use user research to know if we're helping users understand the sites they visit.

Q: 6-7 years ago AdBlock+ flagged similar URLs to more high ranked companies. They got complaints from lower-ranked companies who were close to high-ranked URLs.

A: Yes, this is why we're approaching these things carefully, analyzing false positives, monitoring in the wild, etc.

Q: could you go into more detail about how you compare the similarity of domains?

A: simplest heuristics are things like being off by 1 character, but I didn't implement all of this so chat offline

Q: maybe show warning if someone doesn't have an EV cert?

A: there are things on the policy and implementation level for identity verification
[ tl;dr it's not strong indication of anything but that was said politely ]