The Priv.ly Project's anti-spoofing glyph

When you visit a website that looks like your bank's, how do you know that you are actually talking to your bank and not a scammer impersonating your bank? Typically you will look at the address bar of the browser and compare it to the address you remember from the last time you visited the site. Where the web browser uses the address bar to tell you what program you are interacting with, other programs use cryptographic strings (SSH Fingerprints, Mailvelope), colors (Mailvelope, Privly), or shapes (Privly, GitHub). Developers choose one of these methods in the hope that users will come to expect output that can only be produced by the desired program. While colors are a useful property for identification, their introduction brings a perceptual biases into the security game.

Consider "absolute thresholds," which is the hue and saturation difference required before two colors shown in succession can be differentiated by users. User populations exhibit consistent bias such that an attacker impersonating a trusted program will always choose colors with the highest absolute threshold across the population.

Of course, this assumes color assignment is made uniformly random across a color space. If we bias the distribution of color selection to be inversely proportional to the population's absolute color thresholds, then an adversary will not be able to select a color with a greater chance of misperception.

The Priv.ly Project currently selects a color at random, but at some point we will likely use a "threshold correction" when selecting colors for this purpose.