
RE: Is the padlock a page security score?

From: Robert Yonaitis <ryonaitis@hisoftware.com>
Date: Fri, 11 Jan 2008 09:31:42 -0500
Message-ID: <90F089E131F2B44EAF88F580AD6A8DFE35E237@be26.exg3.exghost.com>
To: "Mike Beltzner" <beltzner@mozilla.com>, "Dan Schutzer" <dan.schutzer@fstc.org>
Cc: "michael mccormick" <michael.mccormick@wellsfargo.com>, <hahnt@us.ibm.com>, <public-wsc-wg@w3.org>, "Ian Fette" <ifette@google.com>
Hello All:

One last note on the scores. I think this is important. Since we have neglected by design to cover the content or applications, then the weather analogy does not work. This is because the weather takes into account many items like atmospheric soundings, dew points, trends, pressures and more. (Disclaimer: I received a C in my advanced meteorology course at erau.edu.) Since we are by design ignoring the place where most security flaws can and do happen, the application and/or content, then clearly our score would be meaningless.

Cheers

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mike Beltzner
Sent: Thursday, January 10, 2008 11:33 PM
To: Dan Schutzer
Cc: michael mccormick; hahnt@us.ibm.com; public-wsc-wg@w3.org; Ian Fette
Subject: Re: Is the padlock a page security score?


----- "Dan Schutzer" <dan.schutzer@fstc.org> wrote:
> I am not sure. If there were scores and competing services so that I
> had a choice then security might actually improve. Suppose I had two
> competing social networks with vastly different security scores; for
> example, One with a 70 and one with a 90 security score – I just might
> not use the service with the 70 security score. Perhaps if we had
> reliable scores and people started picking one service over another
> based upon the scores, we might get services that are more serious
> about security.

I don't think that's where the problem exists, though. It's not the case that people are trying to choose between which of N different social networking sites they want to work with (they'll go to the ones that their friends are using).

Where the number *would* come in handy is when they're used to seeing a "72" for their bank or online shopping site, but all of a sudden they see a "38". It's the change in the security values that becomes interesting. At that point, though, why would we require that the user remember that theirshoppingsite.com is usually a 72, but all of a sudden became a 36? Why would we not, instead, just alert them to the fact that there's something suspicious, and they shouldn't use the site at this time (with links to more detail for those who wish to know what tipped us off)?

Again I say: the message needs to be meaningful and actionable. A summary statistic isn't thus.

(Earlier we talked about 70% chance of rain, and I applauded it as an interesting analogy. I realize, actually, that the likelihood of rain isn't the same as a summary statistic for security, as rain is one aspect of the weather. A more appropriate analogy would be if weather reports told us that tomorrow would be "72% nice".)

cheers,
mike


Received on Friday, 11 January 2008 14:32:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:56 GMT