
Re: Is the padlock a page security score?

From: Ian Fette <ifette@google.com>
Date: Thu, 10 Jan 2008 10:43:06 -0800
Message-ID: <bbeaa26f0801101043q241965ack85913f563a18241b@mail.gmail.com>
To: michael.mccormick@wellsfargo.com
Cc: beltzner@mozilla.com, Anil.Saldhana@redhat.com, hahnt@us.ibm.com, public-wsc-wg@w3.org, Mary_Ellen_Zurko@notesdev.ibm.com

We talk a lot about "trust decisions", and this seems like a very nebulous
term to me. I would really like to go back to use cases. The use cases I can
think of are primarily:

a) creating a non-commerce account (e.g. a Slashdot account, a Facebook
account, etc.)

b) creating a commerce account or a commerce transaction

For a) I can see where this might possibly be useful, but I'm definitely not
convinced. For instance, for Facebook I'm much more worried about them
getting hacked, or about some XSS/CSRF attack than I am about a MITM attack.

For b) I really don't think a score would be helpful to me.

-Ian

On Jan 10, 2008 10:39 AM, <michael.mccormick@wellsfargo.com> wrote:

>
> I agree.  But the more variables the security indicator takes into
> account, the more helpful it becomes for users making trust decisions.
>
> -----Original Message-----
> From: Mike Beltzner [mailto:beltzner@mozilla.com]
> Sent: Thursday, January 10, 2008 12:35 PM
> To: McCormick, Mike
> Cc: ifette@google.com; Anil.Saldhana@redhat.com; hahnt@us.ibm.com;
> public-wsc-wg@w3.org; Mary_Ellen_Zurko@notesdev.ibm.com
> Subject: Re: Is the padlock a page security score?
>
> michael.mccormick@wellsfargo.com wrote:
> > I would ask the same question about a binary indicator.  The padlock
> > does not mean it's safe to enter a credit card.
>
> That is a problem with what the padlock indicates, not with the fact
> that it's a binary indicator. There is nothing that we can ever do to
> assure that it's "safe" to enter a credit card number - even if we can
> verify the identity of the endpoint, and the encryption on the wire, and
> that the endpoint has a BBB rating, it's entirely possible that there's
> someone who's installed a backdoor to their database system.
>
> cheers,
> mike
>
>
>
Received on Thursday, 10 January 2008 18:43:17 GMT
