I recently accessed my Paypal account to fork over some money to a friend for buying me a few bottles of wine. I had also recently upgraded to Firefox 3, without spending any significant amount of time looking over the new feature list, as usual. I was pleasantly surprised when the following object suddenly decorated my address bar (which I have circled in red):
It took a moment to register what Firefox was trying to communicate, but I was delighted when I figured it out. Firefox is letting me know that it was able to verify (using the site’s SSL certificate) that the website I am viewing does in fact belong to Paypal, Inc. To confirm this, I clicked on the decorator and got a little message box giving me more details:
In Chapter 8 of the FIG, I discuss ways to make your application safer and more secure through user-centered design. One of the principles is to clearly communicate consequences, and I rant at length on how poor of a job most browsers do when attemping to communicate the security ramifications of trusting a particular website. The tiny lock icon in the bottom of the screen and/or the series of arcane “Don’t Show Me Again” dialog boxes that both IE and (formerly) Firefox employed weren’t cutting the mustard for me.
Firefox has made a huge step forward with this new design. They placed the site’s verified credentials in a place that people already look to tell where they are on the web: the address bar. This decorator is much more likely to get noticed than the old tiny-lock-in-the-bottom-right-of-the-screen was. The decorator is also clearly visually distinguished from the address, making it more likely that users will come to recognize and trust the decorator, and think something is amiss if they don’t see it (perhaps because they have clicked on a phisher’s link that is only pretending to be the real Paypal, Inc.)
The solution isn’t perfect – it could be clearer that the company name’s placement in a green box implies that the connection is verified. It also doesn’t make clear the risks of sending sensitive information in the insecure (i.e. normal) state of the web. But it’s a huge improvement over the old model, and if widely recognized by web users could significantly reduce instances of fraud on the internet, especially if adopted by IE as well (hint, hint, Microsoft).