security user experience

How to enhance user security on internet

Reading the post linked in the title, I remembered something I’ve been thinking some time ago. If sites enabled authentication and authorization with client certificates, they would be more secure. Also people would be less exposed to phishing attacks (read: none at all), because fake sites would not validate the server information present in the client certificate.

The main reason would be what the article states. Certificate management in the browser is not a first class citizen. It’s more than complicated for common users to get to the certificates management dialog, and don’t get me started with importing, exporting and the different formats available.

If browsers give certificate management a first level menu option or a direct action button, with simple wording understandable by the average user, maybe things would start changing. Then, people can be educated and introduced to client certificates and their benefits.

Even here in Spain is not uncommon to use them. Inside the latest version of the ID card issued by the government (a smart card), is a client certificate used to connect to government websites to make bureaucratic stuff online, connecting to your bank account, and some other partnering sites. But, the setup in the browser is very complicated and not many people end using it. You need the JRE plugin and then allow the installation of all the Java applets needed to let the website authenticate with the client certificate. It’s not what I would call the best user experience.

By the way, if you haven’t noticed, the post is from 2008, that is, almost four years have passed and in that time, certificate management has not changed at all in browsers. Even more time, as the dialogs were already present with the same format long before that date.