
Re: Usability model

From: James A. Donald <jamesd@echeque.com>
Date: Sat, 09 Sep 2006 14:00:58 +1000
Message-ID: <45023C7A.4000108@echeque.com>
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
CC: public-usable-authentication@w3.org, "Adler, Joseph" <jadler@verisign.com>, "Bajaj, Siddharth" <SBajaj@verisign.com>, "Braz, Christina" <cbraz@verisign.com>, "Burstein, Jeff" <JBurstein@verisign.com>

Hallam-Baker, Phillip wrote:
> Looking at the security shortcomings of the Internet
> some common themes emerge:
>
> 1) The user is never told what parts of the display
> are trustworthy and what parts are not.

This is not the problem.  Most users correctly believe
that what is inside the inner frame of the browser is
controlled by someone else, and that someone is probably
trying to sell the Brooklyn bridge, or asking us to
invest in swamp land, and correctly believe that what is
between the inner and outer frames is reasonably
trustworthy.

My browser has the Netcraft toolbar, which correctly
detects scam websites and legitimate websites almost all
the time.  Yet the fact is I seldom check it, even when
banking or share trading. I focus on the task at hand,
at the inner window, and ignore the outside window.  I
have right above the window an extremely accurate scam
detector, and seldom look at it.

To prevent incoming phishing, the client needs to
correctly label the communication according to your
relationship with the sender - which under the covers
has to be implemented by the client knowing the public
key of entities that you have relationships with, or the
network address of entities that you have relationships
with, or some such.  This is not so hard as it sounds.
Instant messages usually get correctly labeled.  Secure
letterhead has to be done on top of such correct
labeling, not instead of such correct labeling, or as a
form of such correct labeling.

To prevent outgoing successful phishes, the login page
must not be controlled by the website.  The login page
must be your local client, which tells you your bookmark
name (petname) for the entity you are logging into, if
you have an existing relationship, and if it is unaware
of such a relationship, tells you that also.

> 2) The user is expected to verify their mental model
> 'I am dealing with Ebay' in the context of deep
> knowledge of Internet protocols, by relying on the URL
> encoded in the domain name.

Even though I almost never check the Netcraft toolbar, I
do in fact check the URL, because the URL actually
contains useful information in the normal case, in the
case that I really am dealing with a legitimate entity.
The moral is that the information that would enable the
user to check for scams has to be part of his normal
workflow, something he does need to attend to in order
to get things done in the ordinary course of events.

     --digsig
          James A. Donald
Received on Saturday, 9 September 2006 04:01:00 GMT
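The relationship-based labeling and local login page the message describes, as an added example that is not part of the original post: a petname store keyed by public-key fingerprint and/or network origin, and the prompt a local client would show instead of the site's own login page. It goes one step beyond the text by reporting a known address that presents a key not on record as a mismatch rather than as the petname. All fingerprints, hosts and names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Label:
    status: str             # "known", "unknown" or "mismatch"
    petname: Optional[str]  # the user's own name for the entity, only when "known"

@dataclass
class PetnameStore:
    """Relationships the local client knows, by key fingerprint and/or origin."""
    by_key: dict = field(default_factory=dict)     # fingerprint -> petname
    by_origin: dict = field(default_factory=dict)  # scheme://host -> petname

    def add(self, petname, key_fingerprint=None, origin=None):
        """Record a relationship under the name the user chose for it."""
        if key_fingerprint is not None:
            self.by_key[key_fingerprint.lower()] = petname
        if origin is not None:
            self.by_origin[origin.lower()] = petname

    def label(self, key_fingerprint=None, origin=None) -> Label:
        """Label a page or message by the stored relationship. The key is
        authoritative: a known origin with a key not on record is a mismatch."""
        key_name = self.by_key.get(key_fingerprint.lower()) if key_fingerprint else None
        origin_name = self.by_origin.get(origin.lower()) if origin else None
        if key_name is not None:
            if origin_name not in (None, key_name):
                return Label("mismatch", None)  # key and address name different entities
            return Label("known", key_name)
        if origin_name is not None and key_fingerprint is not None:
            return Label("mismatch", None)      # known address, unrecognised key
        if origin_name is not None:
            return Label("known", origin_name)  # address-only relationship
        return Label("unknown", None)           # stranger or lookalike: say so plainly

def login_prompt(store, key_fingerprint=None, origin=None) -> str:
    """Text the local login page shows, instead of trusting the site's own page."""
    lbl = store.label(key_fingerprint, origin)
    if lbl.status == "known":
        return f"Logging in to: {lbl.petname}"
    if lbl.status == "mismatch":
        return "Warning: known address, but the key is not the one on record"
    return "No existing relationship with this site"

# Constructed sample relationships; fingerprints and hosts are made up.
SAMPLE = PetnameStore()
SAMPLE.add("My Bank", key_fingerprint="AA:BB:CC:DD", origin="https://bank.example")
SAMPLE.add("Auction site", origin="https://auction.example")
```

A lookalike host that is not in the store gets the plain "no existing relationship" answer, whatever it looks like to the eye.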

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:14 GMT