- From: Sheth Raxit <raxitsheth2000@yahoo.co.in>
- Date: Tue, 20 Mar 2007 00:19:14 -0700 (PDT)
- To: "Close, Tyler J." <tyler.close@hp.com>, public-usable-authentication@w3.org
Hi,

--- "Close, Tyler J." <tyler.close@hp.com> wrote:

> In another forum, I received feedback from Don Norman on the WSC FPWD. I am forwarding it to our public feedback list with his permission. There's a second email I'll be forwarding after this one. His comments start below.
>
> Tyler
>
> --- Begin Don Norman's comments ----
>
> I'd like to suggest three more use cases for your group's consideration.
>
> All the use cases you provide are for potential rogue sites, which fool the user into accepting them.
>
> In my experience, there is also the problem of over-caution.
>
> I have watched the incidents below happen. People who have been warned about all the mischief are now overcautious and refuse to accept legitimate sites or actions.
>
> Therefore, as your committee goes forth, it is important to consider not only how to detect illegitimate sites, but how to make it possible for the average, non-technical user to be reassured that something is legitimate and proper?

I think this is one of the important points!

> 3B, below, is one of the many problems because people do not understand the architecture of compute and web applications and confuse the messenger with the message.
>
> If they use Internet Explorer for activities, they identify the activity (mail, banking) with the browser and do not understand that the actual service is hosted somewhere in the cloud, so any browser yields the same result.
>
> --
> I myself have tried to tell banks that their legitimate emails look identical to scams, and if they respond at all, it is to assure me that they would never do anything wrong. That wasn't my point. My point is, illegitimate emails often look legitimate.

I agree, and illegitimate e-mails are still also providing:

1. the sign of the SSL lock and https
2. a similar name of the URL in the address bar,

which fool the user into trusting the site.

> Therefore, legitimate emails look illegitimate. How is the recipient to know?
> Why do legitimate emails still have clickable URLs?

I think this is a good question.

- I think, because of clickable URLs, the overall process has become more user friendly (for the actual site as well as the fake site!).
- If banks have more URL hits, they have more business (theoretically at least), (i.e. giving a credit card offer e-mail and putting a clickable link in the e-mail).
- If there is no clickable link, then chances are **rare** that the end user will type the URL and visit the site!
- Many times, if one types the URL instead of using a clickable URL, it's error prone, and many times URL naming is not easy, i.e. the URL has some session ID, query parameters and some other stuff.

I had some suggestions (on clickable/embedded URLs & user agents) posted in this group, which the WG may find useful.

http://lists.w3.org/Archives/Public/public-usable-authentication/2007Mar/0012.html

The three points below are still interesting, and I think very much valid (for a normal, basic computer-literate user).

> ====================
>
> 1. The legitimate financial institution sends out a legitimate note stating that some action is required. Jane, the recipient, knows not to trust such legitimate-looking documents, and immediately deletes it, without acting.
>
> 2. A window pops up on the screen stating that an important security update is now available. The message is legitimate (e.g., it is a Microsoft standard message). Henry wonders why his various malware detectors didn't stop it, but immediately closes the window. Over the months, his system falls further and further behind in security updates.
>
> 3A. Helen proudly tells her spouse that using Microsoft tried to fool her into using a bank site, so she isn't using Microsoft anymore but instead is using Firefox to do her banking. (Confusion between the browser and the financial institution)
>
> 3B. Helen is concerned though. Microsoft is how she reads her mail, and now she doesn't know what to do. She doesn't trust Microsoft mail anymore. What should she do? (Because she reads her web-based email through a particular browser, she identifies the email service with the browser)

Thanks,
Raxit Sheth
Received on Tuesday, 20 March 2007 07:20:48 UTC