I was reading the security advice given by the Swedish Bankers' Association. They included these two pieces of advice (my translation), which I assume are meant to teach the user to check for SSL/TLS and protect against SSL-strip:
- Check that it is the address of your bank in the address bar of your browser before you log on to your internet bank.
- The web address on the log on page should start with `https://` and a padlock symbol should be visible in the browser.
This is a fairly important topic, since some Swedish banks serve their main page (where the link to the internet bank is) over HTTP, and none of them have implemented HSTS. However, I see a number of problems with the advice given:
- How do I check that it is the address of my bank? An ordinary user would probably go scanning the URL for the name of the bank, and be satisfied when they find it. So armed only with this advice you would easily fall for `mybank.com.evil.com/mybank.com`. (Unfortunately the URLs for logon pages are often not very clean, so customers would expect a messy URL.)
- "So I remember there was something with an `h` and a couple of `p` or `t` or something I should look for. `http://`? Yeah, that was probably it. Must be safe."
- Look for the padlock in the browser? Seriously? You can just include it in the page; you don't even need to use the old favicon trick to fool someone reading this advice.
Naturally I started to think about what some actual good advice would be to give on this subject, but I found it surprisingly hard. The advice should be (A) short, (B) easy to remember and understand even for a user with little technical knowledge, and (C) apply to all fairly modern browsers. Imagine you have 30 seconds to explain this to a not very tech-savvy relative.
Any suggestions?
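To make the first objection concrete, here is an added example (not part of the question above) that contrasts the "scan the URL for the bank's name" heuristic with the check a browser actually performs: parse the URL, take the host component only, and require that it be the bank's domain or a subdomain of it on a label boundary, over `https`. The bank domain `mybank.com` and every URL below are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed example domain; stands in for the bank's real registrable domain.
BANK_HOST = "mybank.com"


def naive_check(url: str) -> bool:
    """What the advice effectively asks a user to do: look for the bank's
    name anywhere in the address. Any attacker-controlled path or subdomain
    can satisfy this."""
    return BANK_HOST in url


def strict_check(url: str) -> bool:
    """What a browser (or a bookmark, or HSTS) effectively enforces:
    the scheme is https and the *host* is exactly the bank's domain or a
    subdomain of it. The leading dot makes 'mybank.com.evil.com' fail,
    and using urlsplit().hostname discards userinfo such as
    'mybank.com@evil.com' and any port."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False  # plain http is exactly the SSL-strip case
    host = (parts.hostname or "").lower().rstrip(".")
    return host == BANK_HOST or host.endswith("." + BANK_HOST)


def classify(url: str) -> dict:
    """Return both verdicts so the gap between them is visible."""
    return {"url": url, "naive": naive_check(url), "strict": strict_check(url)}


# Constructed sample addresses a user might be shown.
SAMPLES = [
    "https://mybank.com/login",
    "https://login.mybank.com/",
    "http://mybank.com/login",
    "https://mybank.com.evil.com/mybank.com",
    "https://evil.com/mybank.com",
    "https://mybank.com@evil.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = classify(sample)
        print(f"{verdict['url']:45}  naive={verdict['naive']!s:5}  strict={verdict['strict']}")
```

Run as a script it prints one line per sample; the point is that `naive_check` says "yes" for every address in the list, while `strict_check` accepts only the first two. A bookmark to the `https://` address, or HSTS on the bank's domain, gives the user the strict behaviour without having to read the address bar at all.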