Is the padlock a page security score? from Anil Saldhana on 2008-01-10 (public-wsc-wg@w3.org from January 2008)

From: Anil Saldhana <Anil.Saldhana@redhat.com>
Date: Thu, 10 Jan 2008 13:49:05 -0600
To: Robert Yonaitis <ryonaitis@hisoftware.com>
CC: public-wsc-wg@w3.org
Message-ID: <478676B1.7070808@redhat.com>
Bob and Bill, I think what the application does from security/privacy 
perspective is beyond the control of the UA.

I am still trying to understand completely why Facebook wants "date of 
birth" during registration and prominently displays it in personal profile.

Robert Yonaitis wrote:
> Just forwarding this one for bill as it seems his posts from the last
> few times have not gone through
> 
> cheers
> -----Original Message-----
> From: William Eburn 
> Sent: Thursday, January 10, 2008 2:33 PM
> To: 'Anil Saldhana'; public-wsc-wg@w3.org
> Subject: RE: Is the padlock a page security score?
> 
> Hello all,
> 
> As you may know, HiSoftware has content and application testing tools
> around privacy, security, accessibility, general content quality,
> corporate branding, and several factors of site quality.
> 
> I am concerned that if we give some de facto score but do not consider
> the content or application, then would I not as a user of the browser
> that gave me the information have the right to sue their corporation if
> I went to a site, the score said 90% reliable and I entered all my PII
> and the next user saw that it was 90% secure -- knew that the scoring
> system was flawed because it didn't consider the content, or the
> application and in this case used a simple SQL Injection to grab all the
> PII out of the system (including mine), then opened multiple bank
> accounts, got car loans, and did whatever, causing me great harm.  While
> it's true I was able to cancel the charges as being fraudulent, it took
> over a year to do so.  Would the company that provided the page score be
> responsible in a court of law?
> 
> Please note, this would be different depending on which country you were
> in.
> 
> I think, from our perspective the education of the user to the state of
> the different security indicators is important but for us to assign any
> value judgment on them would at best, be foolish.  Immediately we could
> never assign 100%, because as part of the working group we've already
> said that we aren't examining the content or application being viewed by
> the user agent.  So it would be my vote to eliminate the idea of a page
> score entirely.  What I'm suggesting is that we show them the
> information, educate the user as to what it means, but assign no value.
> 
> This is just my two cents on the page score topic.
> 
> Thanks,
> Bill
> 
> 
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> On Behalf Of Anil Saldhana
> Sent: Thursday, January 10, 2008 2:18 PM
> To: public-wsc-wg@w3.org
> Subject: Re: Is the padlock a page security score?
> 
> 
> Right on the point, Tim.
> 
> We have a tendency to quote personal experiences/behavior to equate it 
> to the general behavior of the masses. A security indicator to one does 
> not mean an indicator to everyone.
> 
> WG has had discussions that the padlock is not sufficient to ensure a 
> secure behavior.  Hence page security score, ev cert bar etc etc. :)
> 
> Timothy Hahn wrote:
>> Hi all,
>>
>> This whole discussion is subjective.  What is useful for one person
> could 
>> very well be useless to someone else.
>>
>> An analogy - weather forecasts about the possibility of rain today.
> Does 
>> such a score indicate whether I will get rained on?  No.  Does it help
> me 
>> decide whether or not to wear a hat or carry an umbrella?  Yes.  There
> is 
>> no way that people other than meteorologists (and some would argue,
> even 
>> them) will accurately interpret isobars, cloud patterns, and doppler
> radar 
>> to determine whether it will rain.  But people can get a feeling for
> the 
>> chances of rain based on a 0-100% estimate.
>>
>> I think the same is true for the notion of a page security score.
> Does it 
>> imply that the user will definitely, without a doubt, not get "taken"?
> No. 
>>  Does it give the user something with which to make a choice?  Yes.
> In 
>> this light, I still feel that page security scores are good things to 
>> consider.
>>
>> Regards,
>> Tim Hahn
>> IBM Distinguished Engineer
>>
>> Internet: hahnt@us.ibm.com
>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>> phone: 919.224.1565     tie-line: 8/687.1565
>> fax: 919.224.2530
>>
>>
>>
>>
>> From:
>> <michael.mccormick@wellsfargo.com>
>> To:
>> <ifette@google.com>, <Anil.Saldhana@redhat.com>
>> Cc:
>> Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>, 
>> <Mary_Ellen_Zurko@notesdev.ibm.com>
>> Date:
>> 01/10/2008 01:34 PM
>> Subject:
>> RE: Is the padlock a page security score?
>>
>>
>>
>> I would ask the same question about a binary indicator.  The padlock
> does 
>> not mean it's safe to enter a credit card.
>>
>> From: Ian Fette [mailto:ifette@google.com] 
>> Sent: Thursday, January 10, 2008 12:26 PM
>> To: Anil Saldhana
>> Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org; 
>> Mary_Ellen_Zurko@notesdev.ibm.com
>> Subject: Re: Is the padlock a page security score?
>>
>> I still don't understand what anything beyond a binary result is
> supposed 
>> to tell a user. I'm on a site with "Medium" security - what does that 
>> mean? Does that mean that I should give them my credit card or not? 
>>
>> On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com>
> wrote:
>> Maybe there is an opportunity to associate "High/Medium/Low" or
>> "Strong/Medium/Low" based on page security score with the padlock.
>>
>> michael.mccormick@wellsfargo.com wrote:
>>> Sure, I agree the padlock is a binary representation of a boolean 
>> security
>>> score formula based on a single security variable (SSL on main page).
> A
>>> degenerate case IMHO - but still technically a page security score. 
>>>
>>> A security score algorithm should take into account most (if not all)
> of 
>> the
>>> variables we enumerated under "What is a Secure Page?"  Perhaps the
> note
>>> should state that explicitly.  Then padlocks wouldn't qualify. 
>>>
>>>   _____
>>>
>>> From: public-wsc-wg-request@w3.org
> [mailto:public-wsc-wg-request@w3.org] 
>> On
>>> Behalf Of Timothy Hahn 
>>> Sent: Thursday, January 10, 2008 10:40 AM
>>> To: public-wsc-wg@w3.org
>>> Subject: Re: Is the padlock a page security score?
>>>
>>>
>>>
>>> Mez, 
>>>
>>> I'll toss in my view that the padlock is an example of a page
> security
>>> score.  In most user agents, this seems to be pretty much "binary"
> (on 
>> or
>>> off) though I think we've heard from some folks that there are some 
>>> "embellishments" on their display of the icon which would provide
> more
>>> gradations based on information received.
>>>
>>> On the bright side of such a visible item - it is relatively easy to 
>>> describe and for people to grasp the meaning of.
>>>
>>> On the down side of the padlock -  ... well, we've had lots of that
>>> discussion on this list already - see the archives.
>>>
>>> Regards, 
>>> Tim Hahn
>>> IBM Distinguished Engineer
>>>
>>> Internet: hahnt@us.ibm.com
>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>> phone: 919.224.1565     tie-line: 8/687.1565 
>>> fax: 919.224.2530
>>>
>>>
>>>
>>>
>>> From:         "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>>>
>>> To:   public-wsc-wg@w3.org
>>>
>>> Date:         01/10/2008 11:10 AM
>>>
>>> Subject:      Is the padlock a page security score?
>>>
>>>   _____
>>>
>>>
>>>
>>>
>>>
>>> If not, why not?
>>>
>>>          Mez
>>>
>>>
>>
> 

-- 
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/
Received on Thursday, 10 January 2008 19:49:21 UTC