W3C home > Mailing lists > Public > public-wsc-wg@w3.org > January 2008

Re: Is the padlock a page security score?

From: Ian Fette <ifette@google.com>
Date: Fri, 11 Jan 2008 08:22:05 -0800
Message-ID: <bbeaa26f0801110822g6aa572fag329059fd46462f04@mail.gmail.com>
To: "William Eburn" <weburn@hisoftware.com>
Cc: "Doyle, Bill" <wdoyle@mitre.org>, "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Mike Beltzner <beltzner" <beltzner@mozilla.com>, public-wsc-wg@w3.org
Relying on people reading documentation for a browser is also fraught with
peril... people are not going to wait to get "educated" before their copy of
Vista auto-updates to IE8, nor when they download Firefox 3 are they going
to actually sit down and read a manual - they're going to double click the
icon and go at it. If it's not intuitive, that's a problem. I don't think we
can say RTFM, because nobody will...

On Jan 11, 2008 7:15 AM, William Eburn <weburn@hisoftware.com> wrote:

>  Whether we use numbers, or "low, medium, high", at best, it's
> incomplete.  Instead of calling it a "Security Score", if we called it a
> "browser connection security score" and in some kind of education and
> documentation, state that the score ignores both content and/or application
> and any of the security principals around them, then it may have some
> value.  However if someone sees a high score and they land on a horrible
> site that steals all of their information, we would definitely be doing them
> an injustice because at best the high-medium-low is misleading.
>
>
>
> So, if we agree with Ianů and I do, browser real estate is just so limited
> , there is no way we could communicate all of this information.  And
> understanding that benchmarking is only good if you describe what you're
> benchmarking then our benchmark of security score is not useful, and should
> be done away with.
>
>
>
> Bill
>
>
>
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> *On Behalf Of *Doyle, Bill
> *Sent:* Friday, January 11, 2008 10:04 AM
> *To:* Mary Ellen Zurko; Mike Beltzner <beltzner
> *Cc:* public-wsc-wg@w3.org
> *Subject:* RE: Is the padlock a page security score?
>
>
>
> I was think that instead of a numeric score it would be simpler to point
> to a robustness or assurance level in terms of high, medium, low. One thing
> to keep in mind is that the capabilities of the protocols and underlying IA
> mechanism keep changing, going to be difficult to keep numeric score
> consistent. What happens to page score when a new TLS/SSL version comes out
> or new ciphers are added.
>
>
>
> Be easier to present a consistent UI if it is noted that site meets high
> assurance, medium assurance or low assurance. This would still alert the
> user that something has changed - 72 to 38 would be a change in assurance
> level.
>
>
>
>
>
>
>
>
>
>
>  ------------------------------
>
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> *On Behalf Of *Mary Ellen Zurko
> *Sent:* Friday, January 11, 2008 9:09 AM
> *To:* Mike Beltzner <beltzner
> *Cc:* public-wsc-wg@w3.org
> *Subject:* Re: Is the padlock a page security score?
>
>
> Great conversation, all the way around. I particularly appreciate those
> posts that, while taking a strong stance, also try to explore other points
> of view, how their stance relates to it, and what might be some sort of
> reasonable middle ground. Kudos to all of you!
>
> > Where the number *would* come in handy is when they're used to
> > seeing a "72" for their bank or online shopping site, but all of a
> > sudden they see a "38". It's the change in the security values that
> > become interesting. At that point, though, why would we require that
> > the user remember that theirshoppingsite.com is usually a 72, but
> > all of a sudden became a 36. Why would we not, instead, just alert
> > them to the fact that there's something suspicious, and they
> > shouldn't use the site at this time (with links to more detail for
> > those who wish to know what tipped us off).
>
> That would tie into the Change of Security Level (or CoSL as I started to
> call it in my review comments) in xit.
>
> As I think does some of the discussion of warnings on top of passive
> indicators (although as my review comments indicated, it was hard to find
> the part of CoSL where that was specified, and should be made clearer).
>
>
>
>
> The information in this transmittal (including attachments, if any) is privileged and confidential and is intended only for the recipient(s) listed above.  Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient.  If you have received this transmittal in error, please notify me immediately by reply email and destroy all copies of the transmittal.  Thank you.
>
>
>
Received on Friday, 11 January 2008 16:22:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:20 UTC