
On some websites, especially in their payment section, I see a text something like: "You are on a secure page. Your personal data is encrypted and protected by SSL technology." However, it looks like a custom message. Therefore, when I am attacked somehow (by MITM, or with a fake copy of the website), although my browser alerts me to a "not secure website", I might still see the text from the website that tells me not to worry.

I would like to ask about the best practice here. Should I implement a mechanism that checks whether my front-end is really under SSL protection before printing this text? Or is it better not to write something like that and leave the protection message only to the browser?

Thanks in advance.

Pilfility

1 Answer


This is security theater, only used to evoke a warm fuzzy feeling of security in the end user. You correctly realized that a fake site could create such a message too. Personally, I dislike these easily fakeable custom messages as much as I dislike similar (and also misused) disclaimers of antivirus products in e-mails.

In my opinion, these messages divert the user from looking at the real indicators of security. It is better not to train users to look for and trust such easily fakeable "indicators" and instead to publicly teach users what really trustworthy indicators of security look like. Only, some users already expect such shiny fake indicators, and one might lose visitors if one is not playing the same security theater as the others :( Other users might simply not understand how to look for the real indicators.

Whether you need to play this theater too depends on your specific use case and the knowledge and expectations of your users. If you need it, maybe use the chance to also explain to the users what the real indicators look like.

Steffen Ullrich
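The following is an added illustration, not code from the question or the answer above. It models the front-end check the asker considers (in a browser this would read `window.location.protocol`, or the `window.isSecureContext` flag) and shows why it cannot detect a fake copy of the site: the check only sees the page's own scheme, which any HTTPS page satisfies, including a lookalike domain. The hostnames and the `location`-like objects are constructed for the example so it runs offline.

```javascript
// Added example (not from the original question or answer): the kind of
// front-end check the asker describes, and why it cannot tell a genuine
// HTTPS page from a lookalike HTTPS page. In a browser you would pass
// window.location; here plain objects with the same fields are used so the
// example runs offline.

// Returns true when the page itself was delivered over TLS.
function servedOverTls(location) {
  return location.protocol === "https:";
}

// The banner such a check would render; the text is the one quoted in the
// question. Nothing is shown on plain HTTP.
function bannerText(location) {
  return servedOverTls(location)
    ? "You are on a secure page. Your personal data is encrypted and protected by SSL technology."
    : "";
}

// True when two pages would show exactly the same banner, i.e. when the
// check gives the user no way to distinguish them.
function sameBannerShown(a, b) {
  return bannerText(a) === bannerText(b);
}

// Constructed sample locations (hypothetical hostnames, not real sites).
const genuinePage = { protocol: "https:", hostname: "shop.example", pathname: "/checkout" };
const lookalikePage = { protocol: "https:", hostname: "shop-example-secure.example", pathname: "/checkout" };
const plainHttpPage = { protocol: "http:", hostname: "shop.example", pathname: "/checkout" };

// Stand-alone run: the genuine and the lookalike page get the identical
// reassuring banner; only the plain-HTTP page gets none.
console.log("genuine  :", bannerText(genuinePage));
console.log("lookalike:", bannerText(lookalikePage));
console.log("http     :", JSON.stringify(bannerText(plainHttpPage)));
console.log("indistinguishable:", sameBannerShown(genuinePage, lookalikePage));
```

The only field that differs between the genuine and the lookalike page is the hostname, and a self-declared banner never verifies that; the browser's own address bar and certificate display are the indicators that do, which is the answer's point.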