Time spent: 1 hour + 4 hours
Google has introduced a new internet functionality, ‘Certificate Transparency,’ which will bring changes to the SSL Certificate system. You are a company (among many) that is issuing SSL certificates and you want to sell a monitoring service to your customers (those who bought an SSL Certificate from you for their websites) to alert them when someone (besides themselves) purchases an SSL certificate for a website that they own. You want to design/develop a product that will allow your customers to identify and monitor SSL certificates issued for their websites and to take action if a suspicious purchase is detected.
Phase 1 - Please describe how such a product might work and the possible work flows. Include a description of how the user can recognize when an SSL Certificate is wrongly issued.
Phase 2 - Please continue your work on the Certificate Transparency product and show us some potential designs for such a product.
Before create design solutions, first I wanted to figure out who are the users, what are their goals and needs, and what are the scenarios they would be in when monitoring their websites.
Websites owner who wants to monitor SSL Certificate that is issued to website that they own and takes actions if a suspicious purchase is detected.
I break the goals down based on different scenarios.
When there is no suspicious event
- Monitor a list of domain they that has SSL Certificate
Get notified when someone purchases an SSL certificate for a website that they own
When suspicious purchase happened
- Get notified when a suspicious purchase happen
- Log into the application to see details about the suspicious purchase
- Identify the reason behind it (misissued certificates, rogue CAs, stolen certificate)
- Take actions depends on the reason why it's suspicious
I created a persona to illustrate who the user is, and what's the needs and goals. It helps me throughout the design process focus on solving problems the user has .
After creating the persona, I created a task flow for when suspicious events happened, and how IT administrator from being notified to take actions.
I started sketching out different possible solutions, and evaluated the pros and cons of each idea based on users goals.
Compact view of the full list and can sort by clicking on header.
Information is grouped, easier to read. But no way to sort by column header.
Separate suspicious event to its own tab so users can focus on important tasks.
Provide an overview page with graphic and statistic for decision making.
I designed a web application that allows users to monitor list of suspicious SSL Certificate and active/expired certificate.
When everything is normal
- Users can see how many active SSL Certificate is active and how many is expired
- See a list of websites (the users own) with certificate authority, issue date, and when it's expired
When a SSL Certificate is wrongly issued
- Users will receive email notification when something goes wrong, at the same time the notification badge(red) will show up, indicating the number of suspicious event
- Users can then view the list of suspicious purchase. In the list, there will be an icon to indicate it's suspicious, and need users attention.
- Each row will have domain, issue authority, issue date and actions users can take. The list will also provide the reason why it's suspicious.(for example, maybe the CA issued malicious certificate before)