W3C home > Mailing lists > Public > public-wsc-wg@w3.org > January 2008

Re: Is the padlock a page security score?

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Thu, 10 Jan 2008 14:07:30 -0500
Message-ID: <47866CF2.4090408@cs.cmu.edu>
To: michael.mccormick@wellsfargo.com
CC: ifette@google.com, Anil.Saldhana@redhat.com, hahnt@us.ibm.com, public-wsc-wg@w3.org, Mary_Ellen_Zurko@notesdev.ibm.com

No, the more variables it takes into account, the more likely it's going 
to be in a "medium" or "unknown" state for most of the sites that users 
regularly visit.  Thus, the users get habituated and ignore the 
indicator altogether (assuming they ever took notice of it and then 
trusted it to begin with).

Using the padlock as an example really isn't the best place to begin 
arguing in favor of this.  The padlock is an utter failure.  Most users 
(i.e. >90%) simply do not notice it.  Of those who do, many do not have 
any clue as to what it means.  Additionally, when confronted with a 
missing or broken padlock, and a page which looks really well designed, 
the users are going to trust the website over the padlock (see BJ Fogg's 
work).

Instead, we should be using these variables to determine when to warn 
the user, since that's been observed to be far more effective in practice.

With this being said (the fact that I think this is a terrible, terrible 
idea), this could be slightly more helpful by focusing attention on the 
presentation.  Before discussing implementation, there should be a 
concrete design for how it is to be presented to the user.  This design 
can then be tested, and only after we see that it's effective should we 
start deciding how to implement it.  The corollary to that is, if we 
spend weeks and weeks figuring out the implementation details only to 
find that there's no way of effectively presenting the information to 
the user, we've just wasted twice as much time.

serge

michael.mccormick@wellsfargo.com wrote:
> I agree. But the more variables the security indicator takes into 
> account, the more helpful it becomes for users making trust decisions.
> 
> ------------------------------------------------------------------------
> *From:* Ian Fette [mailto:ifette@google.com]
> *Sent:* Thursday, January 10, 2008 12:37 PM
> *To:* McCormick, Mike
> *Cc:* Anil.Saldhana@redhat.com; hahnt@us.ibm.com; public-wsc-wg@w3.org; 
> Mary_Ellen_Zurko@notesdev.ibm.com
> *Subject:* Re: Is the padlock a page security score?
> 
> No, but quite frankly neither does any of the information we've talked 
> about in the page security scoring. The reality is that you have no idea 
> if when you post the form it just sends stuff off to orders@somesite.com 
> <mailto:orders@somesite.com> via email, if it's stored in a MySQL 
> database with the default root password, if it's a shared server where 
> root is not locked down - all of this worries me much more than whether 
> it's EV-SSL, using DNSSEC, etc. The reality is that Visa and MasterCard 
> have guidelines for how merchants should handle customer data, and 
> that's about the only thing that I would really care about as a 
> customer. However, I have no way of verifying that said guidelines are 
> being followed, but I have very little risk anyways because I can just 
> call US Bank and tell them that someone is making fraudulent charges 
> against my Northwest WorldPerks Visa Signature card and they're going to 
> take care of me.
> 
> So, I guess my point is that I really don't understand the end goal 
> here. I thought we wanted to get to the point where someone could 
> determine whether or not it was safe to make an e-commerce transaction 
> at a site, but frankly I don't really know that I find the information 
> we have to be sufficient to actually answer that in a satisfactory manner.
> 
> -Ian
> 
> On Jan 10, 2008 10:31 AM, <michael.mccormick@wellsfargo.com 
> <mailto:michael.mccormick@wellsfargo.com>> wrote:
> 
>     I would ask the same question about a binary indicator.  The padlock
>     does not mean it's safe to enter a credit card.
> 
>     ------------------------------------------------------------------------
>     *From:* Ian Fette [mailto:ifette@google.com <mailto:ifette@google.com>]
>     *Sent:* Thursday, January 10, 2008 12:26 PM
>     *To:* Anil Saldhana
>     *Cc:* McCormick, Mike; hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>;
>     public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>;
>     Mary_Ellen_Zurko@notesdev.ibm.com
>     <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>
> 
>     *Subject:* Re: Is the padlock a page security score?
> 
>     I still don't understand what anything beyond a binary result is
>     supposed to tell a user. I'm on a site with "Medium" security - what
>     does that mean? Does that mean that I should give them my credit
>     card or not?
> 
>     On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com
>     <mailto:Anil.Saldhana@redhat.com>> wrote:
> 
> 
>         Maybe there is an opportunity to associate "High/Medium/Low" or
>         "Strong/Medium/Low" based on page security score with the padlock.
> 
>         michael.mccormick@wellsfargo.com
>         <mailto:michael.mccormick@wellsfargo.com> wrote:
>          > Sure, I agree the padlock is a binary representation of a
>         boolean security
>          > score formula based on a single security variable (SSL on
>         main page).  A
>          > degenerate case IMHO - but still technically a page security
>         score.
>          >
>          > A security score algorithm should take into account most (if
>         not all) of the
>          > variables we enumerated under "What is a Secure Page?"
>          Perhaps the note
>          > should state that explicitly.  Then padlocks wouldn't qualify.
>          >
>          >   _____
>          >
>          > From: public-wsc-wg-request@w3.org
>         <mailto:public-wsc-wg-request@w3.org>
>         [mailto:public-wsc-wg-request@w3.org
>         <mailto:public-wsc-wg-request@w3.org>] On
>          > Behalf Of Timothy Hahn
>          > Sent: Thursday, January 10, 2008 10:40 AM
>          > To: public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>          > Subject: Re: Is the padlock a page security score?
>          >
>          >
>          >
>          > Mez,
>          >
>          > I'll toss in my view that the padlock is an example of a page
>         security
>          > score.  In most user agents, this seems to be pretty much
>         "binary" (on or
>          > off) though I think we've heard from some folks that there
>         are some
>          > "embellishments" on their display of the icon which would
>         provide more
>          > gradations based on information received.
>          >
>          > On the bright side of such a visible item - it is relatively
>         easy to
>          > describe and for people to grasp the meaning of.
>          >
>          > On the down side of the padlock -  ... well, we've had lots
>         of that
>          > discussion on this list already - see the archives.
>          >
>          > Regards,
>          > Tim Hahn
>          > IBM Distinguished Engineer
>          >
>          > Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
>          > Internal: Timothy Hahn/Durham/IBM@IBMUS
>          > phone: 919.224.1565     tie-line: 8/687.1565
>          > fax: 919.224.2530
>          >
>          >
>          >
>          >
>          > From:         "Mary Ellen Zurko"
>         <Mary_Ellen_Zurko@notesdev.ibm.com
>         <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>>
>          >
>          > To:   public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>          >
>          > Date:         01/10/2008 11:10 AM
>          >
>          > Subject:      Is the padlock a page security score?
>          >
>          >   _____
>          >
>          >
>          >
>          >
>          >
>          > If not, why not?
>          >
>          >          Mez
>          >
>          >
>          >
>          >
>          >
> 
>         --
>         Anil Saldhana
>         Project/Technical Lead,
>         JBoss Security & Identity Management
>         JBoss, A division of Red Hat Inc.
>         http://labs.jboss.com/portal/jbosssecurity/
> 
> 
> 

-- 
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Thursday, 10 January 2008 19:19:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:20 UTC