11 June 2010

SSL Awareness (Lack of)

Continuing on the theme of confusing users, Security Dialogs and Graphics discussed the multitude of inconsistent styles for security warnings on web sites, mobile applications and in email.

This is usability hell. Why should each device, browser and application choose how these messages are worded and displayed? I mentioned previously the contributing factor of tab colouring in IE8 and a recent post Tabnabbing: A New Type of Phishing Attack demonstrates how users can be tricked into providing sensitive information to the wrong web site. But it's not just inconsistent technical implementation that matters; the humans in the process matter too.

Last week I came across two web sites in my normal business usage that gave me invalid SSL/TLS secure certificate warnings, and these weren't little businesses that might not know any better—both are multinational enterprises—one a UK bank, and the other a UK mobile phone company.

  1. In one case a registration process used a domain www.[subdomain].[company].co.uk whereas the certificate was for [subdomain].[company].co.uk
  2. In the other, the company had recently been taken over and the site was using www.[oldcompanyname].com whereas the certificate was for www.[newcompanyname].co.uk

But what surprised me most was the response I received when reporting these problems to the respective site owners. Neither organisation had a clear process for sending details of possible security problems and therefore the responses seem to have been directed through customer support channels.

One provided the initial response:

The details entered by you on our website are secured and any third party cannot access your details. In the meantime, you can lower the security level of your browser by going tools of the internet browser.


Once, you've lower the security level of the browser, I trust that security certificate error you're getting will not be occur.

and even though I re-explained the problem, and that it hadn't stopped me from doing what I wanted:

As such you're not able to access online account, please get back to me with the following details to escalate this matter to our online escalation team: - Operating system - Browser and its version - Screen shot of the web URL page, where you get error - Username

and then:

I'm sorry to learn that you are facing problems with the online certificate. Colin, what you can do is lower the security on the browser to overcome this.

and the rather indefinite:

We have changed one of the web-addresses and have not been able to update the security certificate to reflect this; hence you are facing an error. We are aware about this issue and our engineers are working towards it though there is no definite timescale.

and then back to asking me to supply screenshots, my username and details of my browser:

I do understand that browser version don't has to do anything with the security certificate, however, to help you get this sorted, I'll need to forward your account details to our dedicated team. As the issue is highly technical, you'll need to get back to us with the below given information...

Mmm.. and still no idea about the issue:

Believe me above details are very important to get your SSL security certificate issue to get sorted.

My issue? Their issue I believe.

The other company suggested it was the date/time on my own computer which was the fault:

Without speaking to you directly this sounds like you've received a message about a security certificate has expired. If that is the case this normally means the time and date on your computer are wrong, as soon as this is amended you should have no further issues accessing our website.

and some advice about security:

However if this still does not work please call us on ... I'm sorry that I can't act on an e-mail request - as e-mail isn't 100% secure, we're not able to identify you this way. (We want to help keep your details safe - so it's a good idea to keep personal information to a minimum when using e-mail.)

at which point I rang them up, and stumped them by quoting their own tracking number. No further call back from them yet.

I found this all rather depressing. How can we expect customers (end users) to take care with security if the understanding and processes are not in place within the organisation, especially with customer-facing staff? Organisations like Get Safe Online and Card Watch are trying their best to educate people, but the web site owners need to play along too. So here's a quick checklist, including a couple of new items:

  1. Obtain your own domain like example.com or example.co.uk (not a sub-domain of someone other company e.g. example.uk.com)
  2. Provide security training to web site architects and developers
  3. Determine how SSL/TLS will be applied on the site
  4. Buy a certificate and apply SSL usage appropriately through the site
  5. Verify the proper usage of SSL and session management
  6. Verify the correct SSL configuration
  7. Include SSL/TLS certificate management in change control processes
  8. Provide awareness training to customer support staff about what "secure web site" means and the types of enquiries customers may have
  9. Give some basis security advice to customers and direct them to other resources for more information
  10. Ensure there is a simple way for people to inform you of security concerns and possible incidents such as phishing, browser security warnings, compromised credentials, account mis-use, etc.

Please—I don't want to have to go through customer support again! At the time of publishing this post, the certificate problems still exist.

Posted on: 11 June 2010 at 09:17 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter


Comments are filtered automatically and should appear shortly after they been checked.

Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
SSL Awareness (Lack of)
ISO/IEC 18004:2006 QR code for https://clerkendweller.uk

Page https://www.clerkendweller.uk/2010/6/11/SSL-Awareness-Lack-of
Requested by on Tuesday, 1 December 2015 at 03:47 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2010-2015 clerkendweller.uk