Opera has released version 8 of its browser. It comes with an interesting innovation in security UI – it displays the “O” or “Organisation” field of the certificate in the URL bar (screenshot), ostensibly to help the user in making security decisions about a site.
One concern about this is that O fields are non-unique – you can have many companies all with the same name, in different areas of a country. A recent paper demonstrates this problem well – the authors managed to legally and properly obtain certificates for a random domain from multiple CAs with O fields which happened to be confusingly similar to that of some major US banks. Phishers could take advantage of this loophole. Additionally, in some types of certificate the field is useless, containing a repeat of the domain name, or a liability disclaimer statement.
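As an added illustration (not from the original post or from Opera), the check below classifies the O field of a certificate given in the form Python's ssl.getpeercert() returns, flags the useless cases the post mentions, and shows that two certificates for unrelated domains can yield the identical URL-bar label. All certificate values are constructed and the disclaimer patterns are an assumed heuristic.

```python
# Classify the Organisation (O) field of a server certificate the way a browser
# that shows it in the URL bar would, flagging the cases where it is not a
# usable trust signal. Input is the dict ssl.SSLSocket.getpeercert() returns.
import re

# Constructed stand-ins for getpeercert() output; none of these are real sites.
CERT_BANK = {
    "subject": ((("organizationName", "Example Bank"),), (("commonName", "examplebank.example"),)),
    "subjectAltName": (("DNS", "examplebank.example"),),
}
# Same O string on a certificate for an unrelated domain.
CERT_LOOKALIKE = {
    "subject": ((("organizationName", "Example Bank"),), (("commonName", "random-domain.example"),)),
    "subjectAltName": (("DNS", "random-domain.example"),),
}
# O merely repeats the domain, so displaying it adds nothing.
CERT_DV = {
    "subject": ((("organizationName", "shop.example"),), (("commonName", "shop.example"),)),
    "subjectAltName": (("DNS", "shop.example"),),
}
# Assumed heuristic for O fields that carry a disclaimer instead of a name.
DISCLAIMER = re.compile(r"not validated|liability|incorp\.? by ref|see .*cps", re.I)

def name_attr(rdns, attr):
    """First value of `attr` (e.g. organizationName) in a getpeercert() name."""
    return next((v for rdn in rdns for k, v in rdn if k == attr), None)

def domains(cert):
    """DNS names the certificate is valid for (SAN, falling back to CN)."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    cn = name_attr(cert["subject"], "commonName")
    return names or ({cn.lower()} if cn else set())

def organisation_label(cert):
    """Return (status, O value); status is usable, missing, repeats-domain or disclaimer."""
    org = name_attr(cert["subject"], "organizationName")
    if not org:
        return "missing", ""
    if org.lower() in domains(cert):
        return "repeats-domain", org
    if DISCLAIMER.search(org):
        return "disclaimer", org
    return "usable", org

def same_displayed_org(cert_a, cert_b):
    """True when a browser showing only O would label two unrelated sites identically."""
    (sa, oa), (sb, ob) = organisation_label(cert_a), organisation_label(cert_b)
    return (sa == sb == "usable" and oa.casefold() == ob.casefold()
            and domains(cert_a).isdisjoint(domains(cert_b)))
```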
This is one big reason why certificates are nearly worthless. There is no one-size-fits-all solution for ensuring trust that will eliminate the need for the user to _think_. Why is this even a goal online when you’d never expect it in real life? There are certain signs we look for in real life transactions to indicate to us if we should trust the person we’re dealing with.
A large store with a well known chain name lends credibility to the seller. Someone selling Rolexes for $50 out of the trunk of a rusty car in an alley does not instill the feeling of trust. Just because he slaps a “Tiffany & Co.” bumper sticker on the car doesn’t mean he’s suddenly reputable.
People need to be more aware of the sites they deal with, beyond just the presence of a certificate.
>Just because he slaps a “Tiffany & Co.” bumper sticker on the car doesn’t mean he’s suddenly reputable.
But when he can ‘pimp his ride’ to make his rusty car look identical to a Tiffany & Co storefront, we have a problem.