RE: Problems with the current user interface

Hi Michael,

Michael Smith wrote:
> "Close, Tyler J." <tyler.close@hp.com>, 2006-12-08 17:10 -0600:
> > Problems with current user interface
> > 
> >     * No chrome area versus page area distinction in user's mind
> >     * Users ignore the chrome area
> >     * The chrome area is spoofable
> >     * Passwords are reused across distinct web sites
> >     * Domain names are incorrectly read, or interpreted, by users
> >     * Users assume that a http: URL reliably connects to the
> >       indicated domain name
> >     * Certificate Authorities, or certificates, can be readily
> >       substituted
>
> As far as items like the "Users ignore the chrome area" one, as Tim
> pointed out earlier, we need to spend some time clarifying just
> which users we have in mind in making statements like that. I don't
> ignore the chrome area and very clearly understand the distinction
> between the browser chrome and page area. And the same could be
> said about everybody in this working group. So we're not talking
> about ourselves, but about some other users.
>
> I think it would be better to at least qualify those kinds of
> statements with "many users" or "most users" instead of just
> "users". Though as far as the first two items, I'm not yet
> convinced that those are characteristics of most users.

I based most of the items in the current list on the phishing studies:
"Why Phishing Works" and "Do Security Toolbars Actually Prevent Phishing
Attacks?", as well as reports presented at various anti-phishing
workshops I have attended, and Amir's commentary on his studies. The
paper on "Why Phishing Works" is thorough, and I recommend reading it.
Also, Maritza has filled out our wiki's SharedBookmarks page with some
excellent summary. See:

http://www.w3.org/2006/WSC/wiki/SharedBookmarks

I've also found arguments about "locus of attention" very convincing.
This argument pertains to both expert and novice users. Even if you know
you're supposed to look at the chrome, you sometimes don't if you are
sufficiently focused on the task at hand. I've caught myself falling
into this trap a few times. The current user interface puts the security
indicators far away from where the action is, the form controls, and
never directs the user to look at the security indicators. Given that
you're not usually under attack, it's easy to get lazy about checking
the security indicators.

Following up on our discussion about the distinction between chrome and
page area, even as an expert, I don't have a simple, and yet correct,
statement to make about the distinction between the chrome and the page
area in current browsers. It's therefore not surprising to me that
regular users don't know what distinction to make.

Tyler

Received on Monday, 11 December 2006 18:01:37 UTC