[Kenji]

But people will always have to be careful about who they're negotiating with and what information they're revealing. You can't engineer that away. And it can't get much simpler than looking for a SSL lock and matching a string.

[alelefant]

You're missing the point, and you make it seem like everyone should be an expert in everything. Not everybody that uses a computer understands the thick stack of technologies at play. It may seem simple to you, but that's you.

When my car makes a noise, I take it to Don the Car Care Man because aside from replacing the battery and windshield wipers I can't do much. If they told me I needed to get part X replaced, I'd trust their input and buy part X.

When people visit eBay, there is an inherit level of trust placed in that site. It's a legitimate business used around the world. If a listing links outside of eBay and is asking for personal information, not everyone understands that such behavior is a sign of an attack.

My grandma doesn't know what a URL is. If I told her to visit my companies website, she would ask where it is in her bookmarks. Just like I would ask where part X in my car goes. To me that's a very basic question; to a car expert they might be thinking: "Good thing this guy is having us take care of the problem".

[Karunamon]

How is checking basic stuff an implication that everyone should be an expert in everything?!

Someone learned enough to start up a computer, log in, access their web browser, navigate to an online storefront, select products they want to buy, navigate through the checkout process, and enter their details to effect the purchase has already demonstrated the pattern matching skills and knowledge necessary to answer the easy question "Is the picture of the lock there?" and the slightly more involved question "Do the words up match with where the page says I am?"

I'd be willing to bet your grandma can understand "When you're shopping somewhere, make sure the lock icon is in that bar at the top of the window before you put your credit card in". This is stuff that's been drilled into people since the early 90's when eCommerce began to become a thing.

It's not arcane knowledge, hardly "expert" level, it's a basic skill that anyone who shops online should have.

The idea that we can advocate against users having that skill provides dubious benefit to systems security and a handicap to what is the weakest link in any secure process, the human element. Anything we can do to make end users more skeptical is a Good Thing.