
Re: Is the padlock a page security score?

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Thu, 10 Jan 2008 15:34:35 -0500
Message-ID: <4786815B.1000903@cs.cmu.edu>
To: michael.mccormick@wellsfargo.com
CC: weburn@hisoftware.com, Anil.Saldhana@redhat.com, public-wsc-wg@w3.org

I'm certainly not an expert in this area, but not to my knowledge.  I 
suspect this is because the users who use the icon to make decisions know 
that it only means SSL and nothing else.  The other 99% of the users 
don't use the icon to make their decisions.

serge

michael.mccormick@wellsfargo.com wrote:
> Has a browser vendor ever been sued for presenting the padlock on a
> malicious web site? 
> 
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> On Behalf Of William Eburn
> Sent: Thursday, January 10, 2008 1:33 PM
> To: Anil Saldhana; public-wsc-wg@w3.org
> Subject: RE: Is the padlock a page security score?
> 
> 
> Hello all,
> 
> As you may know, HiSoftware has content and application testing tools
> around privacy, security, accessibility, general content quality,
> corporate branding, and several factors of site quality.
> 
> I am concerned that if we give some de facto score but do not consider
> the content or application, then would I not as a user of the browser
> that gave me the information have the right to sue their corporation if
> I went to a site, the score said 90% reliable and I entered all my PII
> and the next user saw that it was 90% secure -- knew that the scoring
> system was flawed because it didn't consider the content, or the
> application and in this case used a simple SQL Injection to grab all the
> PII out of the system (including mine), then opened multiple bank
> accounts, got car loans, and did whatever, causing me great harm.  While
> it's true I was able to cancel the charges as being fraudulent, it took
> over a year to do so.  Would the company that provided the page score be
> responsible in a court of law?
> 
> Please note, this would be different depending on which country you were
> in.
> 
> I think, from our perspective, the education of the user to the state of
> the different security indicators is important, but for us to assign any
> value judgment on them would, at best, be foolish.  Immediately we could
> never assign 100%, because as part of the working group we've already
> said that we aren't examining the content or application being viewed by
> the user agent.  So it would be my vote to eliminate the idea of a page
> score entirely.  What I'm suggesting is that we show them the
> information, educate the user as to what it means, but assign no value.
> 
> This is just my two cents on the page score topic.
> 
> Thanks,
> Bill
> 
> 
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> On Behalf Of Anil Saldhana
> Sent: Thursday, January 10, 2008 2:18 PM
> To: public-wsc-wg@w3.org
> Subject: Re: Is the padlock a page security score?
> 
> 
> Right on the point, Tim.
> 
> We have a tendency to quote personal experiences/behavior to equate it
> to the general behavior of the masses. A security indicator to one does
> not mean an indicator to everyone.
> 
> WG has had discussions that the padlock is not sufficient to ensure a
> secure behavior.  Hence page security score, ev cert bar etc etc. :)
> 
> Timothy Hahn wrote:
>> Hi all,
>>
>> This whole discussion is subjective.  What is useful for one person could
>> very well be useless to someone else.
>>
>> An analogy - weather forecasts about the possibility of rain today.  Does
>> such a score indicate whether I will get rained on?  No.  Does it help me
>> decide whether or not to wear a hat or carry an umbrella?  Yes.  There is
>> no way that people other than meteorologists (and some would argue, even
>> them) will accurately interpret isobars, cloud patterns, and doppler radar
>> to determine whether it will rain.  But people can get a feeling for the
>> chances of rain based on a 0-100% estimate.
>>
>> I think the same is true for the notion of a page security score.  Does it
>> imply that the user will definitely, without a doubt, not get "taken"?  No.
>> Does it give the user something with which to make a choice?  Yes.  In
>> this light, I still feel that page security scores are good things to
>> consider.
>>
>> Regards,
>> Tim Hahn
>> IBM Distinguished Engineer
>>
>> Internet: hahnt@us.ibm.com
>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>> phone: 919.224.1565     tie-line: 8/687.1565
>> fax: 919.224.2530
>>
>> From: <michael.mccormick@wellsfargo.com>
>> To: <ifette@google.com>, <Anil.Saldhana@redhat.com>
>> Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>, <Mary_Ellen_Zurko@notesdev.ibm.com>
>> Date: 01/10/2008 01:34 PM
>> Subject: RE: Is the padlock a page security score?
>>
>> I would ask the same question about a binary indicator.  The padlock does
>> not mean it's safe to enter a credit card.
>>
>> From: Ian Fette [mailto:ifette@google.com]
>> Sent: Thursday, January 10, 2008 12:26 PM
>> To: Anil Saldhana
>> Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org; 
>> Mary_Ellen_Zurko@notesdev.ibm.com
>> Subject: Re: Is the padlock a page security score?
>>
>> I still don't understand what anything beyond a binary result is supposed
>> to tell a user. I'm on a site with "Medium" security - what does that
>> mean? Does that mean that I should give them my credit card or not?
>>
>> On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
>> Maybe there is an opportunity to associate "High/Medium/Low" or
>> "Strong/Medium/Low" based on page security score with the padlock.
>>
>> michael.mccormick@wellsfargo.com wrote:
>>> Sure, I agree the padlock is a binary representation of a boolean security
>>> score formula based on a single security variable (SSL on main page).  A
>>> degenerate case IMHO - but still technically a page security score.
>>>
>>> A security score algorithm should take into account most (if not all) of the
>>> variables we enumerated under "What is a Secure Page?"  Perhaps the note
>>> should state that explicitly.  Then padlocks wouldn't qualify.
>>>
>>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
>>> Behalf Of Timothy Hahn
>>> Sent: Thursday, January 10, 2008 10:40 AM
>>> To: public-wsc-wg@w3.org
>>> Subject: Re: Is the padlock a page security score?
>>>
>>>
>>>
>>> Mez,
>>>
>>> I'll toss in my view that the padlock is an example of a page security
>>> score.  In most user agents, this seems to be pretty much "binary" (on or
>>> off) though I think we've heard from some folks that there are some
>>> "embellishments" on their display of the icon which would provide more
>>> gradations based on information received.
>>>
>>> On the bright side of such a visible item - it is relatively easy to 
>>> describe and for people to grasp the meaning of.
>>>
>>> On the down side of the padlock -  ... well, we've had lots of that 
>>> discussion on this list already - see the archives.
>>>
>>> Regards,
>>> Tim Hahn
>>> IBM Distinguished Engineer
>>>
>>> Internet: hahnt@us.ibm.com
>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>> phone: 919.224.1565     tie-line: 8/687.1565 
>>> fax: 919.224.2530
>>>
>>> From:         "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>>> To:   public-wsc-wg@w3.org
>>> Date:         01/10/2008 11:10 AM
>>> Subject:      Is the padlock a page security score?
>>>
>>> If not, why not?
>>>
>>>          Mez
>>>
>> --
>> Anil Saldhana
>> Project/Technical Lead,
>> JBoss Security & Identity Management
>> JBoss, A division of Red Hat Inc.
>> http://labs.jboss.com/portal/jbosssecurity/
>>
> 
> --
> Anil Saldhana
> Project/Technical Lead,
> JBoss Security & Identity Management
> JBoss, A division of Red Hat Inc.
> http://labs.jboss.com/portal/jbosssecurity/
> 

-- 
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Thursday, 10 January 2008 20:35:24 UTC
