Re: Is the padlock a page security score?

Yes, this was done by my lab.  I'm in the acknowledgments section.

If you read the whole thing, the numbers that you're citing are in 
reference to whether users had previously seen these things prior to the 
study.  For instance, the 85% you cite is merely saying that 85% had 
claimed to have seen lock icons at some point in their past, not during 
the course of this study.

I suggest you read the Whalen and Inkpen study that's in our shared 
bookmarks.

serge

michael.mccormick@wellsfargo.com wrote:
> See for example the Carnegie Mellon study 
> (http://cups.cs.cmu.edu/soups/2006/proceedings/p79_downs.pdf). 
> I've come across similar studies (with similar results) but I think CMU 
> used a pretty rigorous methodology.  Users were questioned & observed 
> while responding to various simulated possible phishing scenarios, but I 
> don't think they were primed to security.
> 
> If anything the CMU sample was skewed slightly toward younger, computer 
> savvy users.  But even among this group the padlock was a complete mystery:
> 
>     * Most participants [85%] had seen lock images on a web site, and
>       knew that this was meant to signify security, but most had only a
>       limited understanding of how to interpret locks, e.g., “I
>       think that it means secured, it symbolizes some kind of security,
>       somehow.”  Few knew that the lock icon in the chrome (i.e., in the
>       browser’s border rather than the page content) indicated that the
>       web site was using encryption or that they could click on the lock
>       to examine the certificate. Indeed, only 40% of those who were
>       aware of the lock realized that the lock had to be within the
>       chrome of the browser.
>     * Only about a third [35%] had noticed a distinction between
>       "http://" and "https://" URLs.  Of those some did not think that the
>       “s” indicated anything. But those who were aware of the security
>       connotation of this cue tended to take it as a fairly reliable
>       indication that it is safe to enter information.  For those people
>       this extra security was often enough to get them beyond their
>       initial trepidations about sharing sensitive information, e.g., “I
>       feel funny about putting my credit card number in, but they say it
>       is a secure server and some of them say ‘https’ and someone said
>       that it means it’s a secure server.”
>     * About half [55%] had noticed a URL that was not what they expected
>       or looked strange. For some, this was a reason to be wary of the
>       website.  For others, it was an annoyance, but no cause for
>       suspicion.  The other half [45%] appeared to completely ignore the
>       address bar and never noticed even the most suspicious URLs.
>     * Participants appeared to be especially uncertain what to make of
>       certificates.  Many respondents specifically said that they did
>       not know what certificates were, and made inferences about how to
>       respond to any "mysterious message" mentioning certificates. Some
>       inferred that certificates were "just a formality".  Some used
>       previous experience as their basis for ignoring it, e.g., “I have
>       no idea [what it means], because it’s saying something about a
>       trusted website or the certificate hasn’t, but I think I’ve seen
>       it on websites that I thought were trustworthy.”
>     * Almost half [42%] recognized the self-signed certificate warning
>       message as one they'd seen before.  A third [32%] always ignored
>       this warning, a fourth [26%] consistently avoided entering sites
>       when this warning was displayed, and the rest responded
>       inconsistently.
>     * When asked about warnings generally, only about half of
>       participants recalled ever having seen a warning before trying to
>       visit a web site. Their recollections of what they were warned
>       about were sometimes vague, e.g., “sometimes they say cookies and
>       all that,” or uncertain, e.g., “Yeah, like the certificate has
>       expired. I don’t actually know what that means.” When they
>       remembered warnings about security, they often dismissed them with
>       logical reasoning, e.g., “Oh yeah, I have [seen warnings], but
>       funny thing is I get them when I visit my [school] websites, so I
>       get told that this may not be secure or something, but it’s my
>       school website so I feel pretty good about it.”
> 
> 
> -----Original Message-----
> From: Serge Egelman [mailto:egelman@cs.cmu.edu]
> Sent: Thursday, January 10, 2008 5:17 PM
> To: McCormick, Mike
> Cc: weburn@hisoftware.com; Anil.Saldhana@redhat.com; public-wsc-wg@w3.org
> Subject: Re: Is the padlock a page security score?
> 
> I'm referring to the savvy users who seek the padlock icon without being 
> primed to security.
> 
> The surveys are priming the users for security, and thus you're going to 
> get different answers.  When asked "what does this thing mean," you're 
> going to get a superset of the users who would actually notice it on 
> their own, without being prompted (i.e. in their natural environment).
> 
> Of course, you're also probably right, of that 1% who seek the padlock 
> on their own, I'm sure a large percentage doesn't know what it means 
> exactly (though again, not as large as when prompting them).
> 
> 
> serge
> 
> michael.mccormick@wellsfargo.com wrote:
>  > Actually surveys show that most users think the padlock means a site
>  > is "trustworthy".  Few users have any idea what SSL is.
>  >
>  > -----Original Message-----
>  > From: Serge Egelman [mailto:egelman@cs.cmu.edu]
>  > Sent: Thursday, January 10, 2008 2:35 PM
>  > To: McCormick, Mike
>  > Cc: weburn@hisoftware.com; Anil.Saldhana@redhat.com;
>  > public-wsc-wg@w3.org
>  > Subject: Re: Is the padlock a page security score?
>  >
>  > I'm certainly not an expert in this area, but not to my knowledge.  I
>  > suspect this is because the users who use the icon to make decisions
>  > know that it only means SSL and nothing else.  The other 99% of the
>  > users don't use the icon to make their decisions.
>  >
>  > serge
>  >
>  > michael.mccormick@wellsfargo.com wrote:
>  >> Has a browser vendor ever been sued for presenting the padlock on a
>  >> malicious web site?
>  >>
>  >> -----Original Message-----
>  >> From: public-wsc-wg-request@w3.org
>  >> [mailto:public-wsc-wg-request@w3.org]
>  >> On Behalf Of William Eburn
>  >> Sent: Thursday, January 10, 2008 1:33 PM
>  >> To: Anil Saldhana; public-wsc-wg@w3.org
>  >> Subject: RE: Is the padlock a page security score?
>  >>
>  >>
>  >> Hello all,
>  >>
>  >> As you may know, HiSoftware has content and application testing tools
>  >> around privacy, security, accessibility, general content quality,
>  >> corporate branding, and several factors of site quality.
>  >>
>  >> I am concerned that if we give some de facto score but do not
>  >> consider the content or application, then would I not as a user of the browser
>  >> that gave me the information have the right to sue their corporation
>  >> if I went to a site, the score said 90% reliable and I entered all my
>  >> PII and the next user saw that it was 90% secure -- knew that the
>  >> scoring system was flawed because it didn't consider the content, or
>  >> the application and in this case used a simple SQL Injection to grab
>  >> all the PII out of the system (including mine), then opened multiple
>  >> bank accounts, got car loans, and did whatever, causing me great harm.
>  >> While it's true I was able to cancel the charges as being fraudulent,
>  >> it took over a year to do so.  Would the company that provided the
>  >> page score be responsible in a court of law?
>  >>
>  >> Please note, this would be different depending on which country you
>  >> were in.
>  >>
>  >> I think, from our perspective the education of the user to the state
>  >> of the different security indicators is important but for us to
>  >> assign any value judgment on them would at best, be foolish.  Immediately we
>  >> could never assign 100%, because as part of the working group we've
>  >> already said that we aren't examining the content or application
>  >> being viewed by the user agent.  So it would be my vote to eliminate the
>  >> idea of a page score entirely.  What I'm suggesting is that we show
>  >> them the information, educate the user as to what it means, but
>  >> assign no value.
>  >> This is just my two cents on the page score topic.
>  >>
>  >> Thanks,
>  >> Bill
>  >>
>  >>
>  >> -----Original Message-----
>  >> From: public-wsc-wg-request@w3.org
>  >> [mailto:public-wsc-wg-request@w3.org]
>  >> On Behalf Of Anil Saldhana
>  >> Sent: Thursday, January 10, 2008 2:18 PM
>  >> To: public-wsc-wg@w3.org
>  >> Subject: Re: Is the padlock a page security score?
>  >>
>  >>
>  >> Right on the point, Tim.
>  >>
>  >> We have a tendency to quote personal experiences/behavior to equate
>  >> it to the general behavior of the masses. A security indicator to one
>  >> does not mean an indicator to everyone.
>  >>
>  >> WG has had discussions that the padlock is not sufficient to ensure a
>  >> secure behavior.  Hence page security score, ev cert bar etc etc. :)
>  >>
>  >> Timothy Hahn wrote:
>  >>> Hi all,
>  >>>
>  >>> This whole discussion is subjective.  What is useful for one person could
>  >>> very well be useless to someone else.
>  >>>
>  >>> An analogy - weather forecasts about the possibility of rain today.  Does
>  >>> such a score indicate whether I will get rained on?  No.  Does it help me
>  >>> decide whether or not to wear a hat or carry an umbrella?  Yes.  There is
>  >>> no way that people other than meteorologists (and some would argue, even
>  >>> them) will accurately interpret isobars, cloud patterns, and doppler radar
>  >>> to determine whether it will rain.  But people can get a feeling for the
>  >>> chances of rain based on a 0-100% estimate.
>  >>>
>  >>> I think the same is true for the notion of a page security score.  Does it
>  >>> imply that the user will definitely, without a doubt, not get "taken"?  No.
>  >>> Does it give the user something with which to make a choice?  Yes.  In
>  >>> this light, I still feel that page security scores are good things to
>  >>> consider.
>  >>>
>  >>> Regards,
>  >>> Tim Hahn
>  >>> IBM Distinguished Engineer
>  >>>
>  >>> Internet: hahnt@us.ibm.com
>  >>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>  >>> phone: 919.224.1565     tie-line: 8/687.1565
>  >>> fax: 919.224.2530
>  >>>
>  >>>
>  >>>
>  >>>
>  >>> From:
>  >>> <michael.mccormick@wellsfargo.com>
>  >>> To:
>  >>> <ifette@google.com>, <Anil.Saldhana@redhat.com>
>  >>> Cc:
>  >>> Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>,
>  >>> <Mary_Ellen_Zurko@notesdev.ibm.com>
>  >>> Date:
>  >>> 01/10/2008 01:34 PM
>  >>> Subject:
>  >>> RE: Is the padlock a page security score?
>  >>>
>  >>>
>  >>>
>  >>> I would ask the same question about a binary indicator.  The padlock does
>  >>> not mean it's safe to enter a credit card.
>  >>>
>  >>> From: Ian Fette [mailto:ifette@google.com]
>  >>> Sent: Thursday, January 10, 2008 12:26 PM
>  >>> To: Anil Saldhana
>  >>> Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org;
>  >>> Mary_Ellen_Zurko@notesdev.ibm.com
>  >>> Subject: Re: Is the padlock a page security score?
>  >>>
>  >>> I still don't understand what anything beyond a binary result is supposed
>  >>> to tell a user. I'm on a site with "Medium" security - what does that
>  >>> mean? Does that mean that I should give them my credit card or not?
>  >>>
>  >>> On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
>  >>> Maybe there is an opportunity to associate "High/Medium/Low" or
>  >>> "Strong/Medium/Low" based on page security score with the padlock.
>  >>>
>  >>> michael.mccormick@wellsfargo.com wrote:
>  >>>> Sure, I agree the padlock is a binary representation of a boolean security
>  >>>> score formula based on a single security variable (SSL on main page).  A
>  >>>> degenerate case IMHO - but still technically a page security score.
>  >>>>
>  >>>> A security score algorithm should take into account most (if not all) of the
>  >>>> variables we enumerated under "What is a Secure Page?"  Perhaps the note
>  >>>> should state that explicitly.  Then padlocks wouldn't qualify.
>  >>>>
>  >>>>   _____
>  >>>>
>  >>>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
>  >>>> Behalf Of Timothy Hahn
>  >>>> Sent: Thursday, January 10, 2008 10:40 AM
>  >>>> To: public-wsc-wg@w3.org
>  >>>> Subject: Re: Is the padlock a page security score?
>  >>>>
>  >>>>
>  >>>>
>  >>>> Mez,
>  >>>>
>  >>>> I'll toss in my view that the padlock is an example of a page security
>  >>>> score.  In most user agents, this seems to be pretty much "binary" (on or
>  >>>> off) though I think we've heard from some folks that there are some
>  >>>> "embellishments" on their display of the icon which would provide more
>  >>>> gradations based on information received.
>  >>>>
>  >>>> On the bright side of such a visible item - it is relatively easy to
>  >>>> describe and for people to grasp the meaning of.
>  >>>>
>  >>>> On the down side of the padlock -  ... well, we've had lots of that
>  >>>> discussion on this list already - see the archives.
>  >>>>
>  >>>> Regards,
>  >>>> Tim Hahn
>  >>>> IBM Distinguished Engineer
>  >>>>
>  >>>> Internet: hahnt@us.ibm.com
>  >>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>  >>>> phone: 919.224.1565     tie-line: 8/687.1565
>  >>>> fax: 919.224.2530
>  >>>>
>  >>>>
>  >>>>
>  >>>>
>  >>>> From:         "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>  >>>>
>  >>>> To:   public-wsc-wg@w3.org
>  >>>>
>  >>>> Date:         01/10/2008 11:10 AM
>  >>>>
>  >>>> Subject:      Is the padlock a page security score?
>  >>>>
>  >>>>   _____
>  >>>>
>  >>>>
>  >>>>
>  >>>>
>  >>>>
>  >>>> If not, why not?
>  >>>>
>  >>>>          Mez
>  >>>>
>  >>>>
>  >>>>
>  >>>>
>  >>>>
>  >>> --
>  >>> Anil Saldhana
>  >>> Project/Technical Lead,
>  >>> JBoss Security & Identity Management JBoss, A division of Red Hat
>  >>> Inc.
>  >>> http://labs.jboss.com/portal/jbosssecurity/
>  >>>
>  >>>
>  >>>
>  >>>
>  >> --
>  >> Anil Saldhana
>  >> Project/Technical Lead,
>  >> JBoss Security & Identity Management
>  >> JBoss, A division of Red Hat Inc.
>  >> http://labs.jboss.com/portal/jbosssecurity/
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>
>  >
>  > --
>  > /*
>  > PhD Candidate
>  > Vice President for External Affairs, Graduate Student Assembly
>  > Carnegie Mellon University
>  >
>  > Legislative Concerns Chair
>  > National Association of Graduate-Professional Students */
>  >
>  >
> 
> --
> /*
> PhD Candidate
> Carnegie Mellon University
> 
> "Whoever said there's no such thing as a free lunch was never a grad 
> student."
> 
> All views contained in this message, either expressed or implied, are 
> the views of my employer, and not my own.
> */

-- 
/*
PhD Candidate
Carnegie Mellon University

"Whoever said there's no such thing as a free lunch was never a grad 
student."

All views contained in this message, either expressed or implied, are 
the views of my employer, and not my own.
*/

Received on Friday, 11 January 2008 00:18:32 UTC