Today I want to tell you about both our established plan to highlight secure sites in IE7 but also to tell you about some early thinking in the industry about creating stronger standards for identity on the internet.
IE7 will join other browsers like Firefox, Opera and Konqueror in making the experience for secure (HTTPS) sites more visible by moving the lock icon into the address bar. We think the address bar is also important for users to see in pop-up windows. A missing address bar creates a chance for a fraudster to forge an address of their own. To help thwart that, IE7 will show the address bar on all internet windows to help users see where they are. IE7 will also help users avoid fraudulent sites if users choose to use the Phishing Filter to check a site for known phishing activity.
Today the lock icon in your browser window fundamentally means that your traffic with the website is encrypted, and that a trusted third party, known as a Certification Authority, has identified the website. Certification Authorities offer certificates with broadly different levels of background checking for the website. Unfortunately, there is no industry standard method for anyone to tell what level of background checking was performed for a given site.
On Wednesday, we met with folks from other browser vendors including Mozilla (which is the basis of Firefox), Opera and Konqueror to discuss this situation (other browser vendors were invited but weren’t able to attend). George Staikos from Konqueror was good enough to host all of us in Toronto. Along with picking up the tab for lunch, George brewed coffee strong enough to bring weary travelers from Oslo and Redmond into the same time zone. Microsoft and others in the group think our users should have a better experience when they visit a website that passed a more rigorous identification process.
As a counter-example to how we might handle highly-identified sites, I presented the IE7 Anti-Phishing User Experience for known phishing and suspected phishing sites. The Phishing Filter shows warnings to users when it detects a site that might be trying to misrepresent its identity.
When the Phishing Filter is in use, IE will fill the address bar with red for known phishing sites (Fig 1) and with yellow for suspected phishing sites (Fig 2). In both cases, the address bar will include text that explains that the user should effectively either “stop” or proceed with “caution”. In IE7, most normal sites including those with “the lock” today will not have a color-filled address bar.
Fig 1, IE7 address bar for a known phishing website detected by the Phishing Filter
Fig 2, IE7 address bar for a suspected phishing website detected by the Phishing Filter
If the browsers and the Certification Authority industry can generate better guidelines to identify web sites, we want to take the experience in the address bar a step further to help create a positive experience for rigorously identified HTTPS sites. We have implemented a green-filled address bar in IE7 for sites that meet future guidelines for better identity validation. Along with the green fill, our current design for the address bar includes the name of the business (Fig 3.1) alternating with the name of the third party Certification Authority who identified the business (Fig 3.2). We think this alternating presentation of business name with Certification Authority name is the right balance of user notification and simplicity.
Fig 3.1, IE7 address bar for a site with a high-assurance SSL certificate
(showing the identity of the site from the SSL certificate)
Fig 3.2, IE7 address bar for a site with a high-assurance SSL certificate
(alternating in the name of the Certification Authority who identified the site)
I know that Frank and Gerv from Mozilla, George from Konqueror and Yngve and Carsten from Opera have their own thoughts for an improved certificate standard and how they would handle that in the user experience.
I wish we could promise you that you will see this experience in IE7 and its equivalent in other browsers but there are a lot of details to work out before browsers can differentiate SSL sites based on how well vetted they are. For this to work, Microsoft, Mozilla, Opera and Konqueror, amongst others, think there should be some common validation guidelines for rigorous website identification. There is a lot of preliminary agreement but also a lot of work to do. The American Bar Association Information Security Committee is providing a forum to pursue this. You can check back with us and other browsers to see how the process moves along.
- Rob Franco (with lots of help from Kelvin Yiu and Tom Albertson who work on PKI for Windows)
November 23 Update: You can read more about our meeting in posts from other browser developers who attended:
- George from Konqueror posted "Web Browser Developers Work Together on Security",
- Carsten and Yngve from Opera posted “A Truce in the Browser Wars: Toronto Ideas Create Common Ground”
- Frank Hecker from the Mozilla Foundation posted “CAs, certificates, and the SSL/TLS UI”