Visit three fictional but realistic Web sites where students were assigned password-protected accounts
The first site: maintained by the students’ university.
It allows students to monitor their reward points (earned by doing well in exams, independent studies, etc.)
HTTPS + Certificate issued by internal CA
The second site: maintained by a remote e-merchant not affiliated with the university.
Students can spend their reward points (e.g. to buy books, CDs, etc.)
HTTPS + bogus certificate
The third site provides access to users’ Web email accounts
HTTP only (no certificate)
Study’s Design
User’s Action | Score (points)
Access to a site despite lack of security | 0
Simply did not visit the site insecurely | 50
Correctly obtained and installed the issuing CA’s certificate | 100
Choosing not to access the 2nd and 3rd sites insecurely | 100