Passive indicators are not the best approach because users don’t notice them, and users soon become habituated to clicking straight through active blocking of a website. Maurer et al. came up with a different approach, a semi-blocking dialog, with three versions as shown in the image below. The dialog is positioned near the data entry box and appears as you type in that box. The warning shows the type of data the user is entering (as image and text) and an additional information box that shows whether or not traffic is encrypted, and the domain.
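To make the dialog's contents concrete, here is an added sketch (not code from the paper or the authors' tool) that derives the three facts the warning displays: the data type, whether the submission is encrypted, and the receiving domain. The field categories, function names and sample forms are assumptions made for illustration.

```javascript
// Added illustration. Field categories and heuristics are assumptions,
// not the classification used by Maurer et al.
const FIELD_RULES = [
  { type: 'password', test: f => f.type === 'password' },
  { type: 'credit card',
    test: f => /^cc-/.test(f.autocomplete || '') || /card|ccnum/i.test(f.name || '') },
  { type: 'email address',
    test: f => f.type === 'email' || /e-?mail/i.test(f.name || '') },
];

// Returns the data-type label for a field, or null if it is not sensitive.
function classifyField(field) {
  const rule = FIELD_RULES.find(r => r.test(field));
  return rule ? rule.type : null;
}

// Builds what the dialog would show for one field. The verdict is based on
// where the form submits (its action), not on the page's own URL, because
// an HTTPS page can still post to an unencrypted or different host.
function describeSubmission(pageUrl, formAction, field) {
  const dataType = classifyField(field);
  if (dataType === null) return null; // not sensitive: no dialog
  let target;
  try {
    // An empty or relative action resolves against the page URL.
    target = new URL(formAction || '', pageUrl);
  } catch (e) {
    return { dataType, encrypted: false, domain: null }; // unparseable target
  }
  return {
    dataType,
    encrypted: target.protocol === 'https:',
    domain: target.hostname || null,
  };
}

// Constructed sample forms (example domains, not real sites).
const SAMPLES = [
  ['https://bank.example/login', '/session', { type: 'password', name: 'pw' }],
  ['https://shop.example/checkout', 'http://pay.example.net/submit',
    { type: 'text', name: 'cardnumber' }],
  ['https://shop.example/', '', { type: 'text', name: 'search' }],
];
for (const [page, action, field] of SAMPLES) {
  console.log(field.name, '->', JSON.stringify(describeSubmission(page, action, field)));
}
```

The second sample is the case a passive address-bar indicator hides: the page itself is served over HTTPS, but the card number would be sent unencrypted to another domain.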
A first trial evaluation allowed them to get initial feedback and to update the design based on that feedback and a design exercise. They then ran a field study with 14 participants across 7 days. People generally liked it, and the warnings did decrease over time. In general, they report that semi-blocking dialogs are beneficial, though users won’t find additional information if it is not shown (i.e., if it requires expansion).
From the questions, we learned that the tool does suspend most AJAX submissions by creating an additional text field, though there are of course spoofing attacks that could be attempted, and a longer study with the tool needs to be run to see if users become habituated to it, if they understand the benefits, and if they understand why and when it appears.
Read the full paper at: http://cups.cs.cmu.edu/soups/2011/proceedings/a2_Maurer.pdf