RE: ISSUE-161: Be clearer about security indicator images [wsc-xit] from michael.mccormick@wellsfargo.com on 2008-01-08 (public-wsc-wg@w3.org from January 2008)

From: <michael.mccormick@wellsfargo.com>
Date: Tue, 8 Jan 2008 10:08:13 -0600
To: <ifette@google.com>, <egelman@cs.cmu.edu>, <Mary_Ellen_Zurko@notesdev.ibm.com>
Cc: <public-wsc-wg@w3.org>, <goldenbj@wellsfargo.com>
Message-ID: <9D471E876696BE4DA103E939AE64164DAD17DE@msgswbmnmsp17.wellsfargo.com>

At least the Wells Fargo site is under SSL, so I think our padlock is
less confusing than padlocks on http:// sites.  Padlocks in content MUST
not be displayed on http:// pages, and SHOULD not be displayed on
https:// pages.

FWIW I agree malicious sites will continue to abuse trust icons in this
fashion.  But that's OK.  If we can get trustworthy sites to stop, then
the bad sites will start to stick out like a sore thumb.

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Ian Fette
Sent: Saturday, January 05, 2008 12:00 PM
To: Serge Egelman
Cc: Web Security Context Working Group WG
Subject: Re: ISSUE-161: Be clearer about security indicator images
[wsc-xit]

That's where we're currently at anyways. According to 3rd party research
(i.e. I'm not talking about any Google data here), sites with the TRUSTe
seal of approval are 2x as likely to be spammy / have spyware or malware
than sites without the seal. (
http://www.theregister.co.uk/2006/09/26/truste_privacy_seal_row/  -
granted, it's the register, but links to the original study). And that's
only looking at sites that can legitimately use the seal of approval...
that's saying nothing about the sites that just rip off the image and
shove it on there. I'm guessing you can figure out for yourself whether
those sites are likely to be "behaving sites" or "malicious sites". 

Not that I think that "banning" the lock in content area is going to
make a difference - sites will do it anyways, I can't honestly imagine
Bank of America or US Bank or Wells Fargo really agreeing to take the
plunge and remove it - but I just wanted to point out that we're already
in that murky situation. 

On Jan 5, 2008 2:46 AM, Serge Egelman <egelman@cs.cmu.edu> wrote:

	>
	> ISSUE-161: Be clearer about security indicator images
[wsc-xit]
	>
	> http://www.w3.org/2006/WSC/track/issues/ 
	>
	> Raised by: Mary Ellen Zurko On product: wsc-xit
	>
	> 9.1
	>
	> "trust indicating images" is way too general. Sites want to
look
	> trustworthy. If only behaving sites don't look trustworthy,
only 
	> malicious sites will. My proposal:
	>
	> Web pages MUST NOT include images used by widely deployed web
user agents
	> to represent specific security context states or values. For
example,
	> padlocks in the web content. 
	>

	But then aren't we still in the same place where "only behaving
sites don't look trustworthy, only malicious sites will."  This would
mean that only malicious sites will show padlocks in the content. 

	serge

Received on Tuesday, 8 January 2008 16:09:13 UTC