RE: Is the padlock a page security score?

Bill and others,

I agree with your comments just below here.  That the indicator (what I 
had called the "score") would just be a "starting place" to go see 
additional information is exactly how I was envisioning such a display. It 
would be a launch point to learn/see more (if you - the user - wanted to 
do so).

On the one hand, I've been very happy to see the wealth of discussion this 
chain/question has developed on the mailing list!  On the other, I've been 
frustrated that we seem to be very willing to do away with the notion 
because we can't be sure that we could make it "rock solid".

I've been envisioning such a "score" as more of a "confidence level" - as 
in "given the information seen, this score calculator has an 80% confidence 
level in the connection and site you've just landed on".

Further, by allowing a user to pick which "confidence calculator" was 
used, they could choose one from someone or something ... or even written 
by themselves.  Ok - this would really be getting into a savvy user, I 
admit.  But hopefully this explains why I think the notion of a 
"score" could still work and be useful.  Having such separation might also 
help some organizations deal with whether or not they might be held liable 
for the scores provided.

One other useful discussion over the past day on this topic is the aspect 
of "change in the score from the last time you were here".  I think this 
is also quite powerful and shouldn't be overlooked.  A change in score is 
perhaps more important to point out than the score itself.  (The "drill 
down" could then itemize the details on what is different).

I still feel that giving such things in a "simple cue" (with more "drill 
down" available) is better than not giving any cues at all.

Regards,
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




From: "William Eburn" <weburn@hisoftware.com>
To: "Ian Fette" <ifette@google.com>
Cc: "Doyle, Bill" <wdoyle@mitre.org>, "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Mike Beltzner <beltzner" <beltzner@mozilla.com>, <public-wsc-wg@w3.org>
Date: 01/11/2008 11:55 AM
Subject: RE: Is the padlock a page security score?



Hello all,
 
Just a couple quick notes on Ian’s mail.  As a software engineer, I am 
constantly beat against the head to not make general assumptions. Anything 
that I propose has to be pretty much black and white.  To say that no one 
would read the manual is a very black and white statement and yesterday we 
talked about the difference between engineers and everyday users.  Both 
of these may look at the manual in a different manner.  But unless I 
wanted to be turned into a junior engineer or fired, I would never claim 
that no one would read our manuals, or our help.  We pride ourselves on 
our documentation (based on the number of bugs found in our documentation 
that are reported by our users, we’re positive that the users are reading 
the documentation).  I can say this in a “black and white” manner, just by 
looking at our defect tracking database.
 
Also, to say that someone getting updates to Vista or IE would not wait 
to get educated to receive that update, again is a bit of a false 
argument.  I say that, not that your argument doesn’t have some 
validity, but I say it because the Vista updates that the end user is 
receiving, while, the user may not be looking at the lock but instead it 
is the trust relationship that they have with the vendor such as Microsoft 
that they use as the deciding factor (I am not stating whether someone 
should trust or distrust Microsoft). 
 
In looking at existing browsers, in this case the latest version of Opera, 
I went to the HiSoftware secure site.  The padlock did not take up much 
browser real estate, which everyone agrees is a concern.  I clicked on the 
padlock, and what I received was unlimited information about the padlock. 
I also was given opportunities to run additional checks, like to see if 
the site was fraudulent, and help on what everything meant.  I like the 
help because it was online and in that format accessible to people 
regardless of their physical abilities.
 
After looking at the Opera browser, perhaps this is our solution, perhaps 
we should recommend a new mark / indicator, or even keep the padlock, but 
suggest that all vendors do what Opera is doing and suggest that the 
vendors like Opera develop this additional window as either open or shared 
source.  So that while the browser companies are validating the sites and 
the connection to that site, other companies like Compuware (my old 
company) or HiSoftware (my new company) could include a whole slew of 
other security tests providing application or content benchmarks to 
augment what the vendors are already providing.  This may be a more 
complete solution.  What does everyone think?
 
Bill
 
p.s.  If they choose not to read the help, fine, but at least we’ve now 
accomplished something with the indicator, and the information is 
available if they choose to read it.
 
From: Ian Fette [mailto:ifette@google.com] 
Sent: Friday, January 11, 2008 11:22 AM
To: William Eburn
Cc: Doyle, Bill; Mary Ellen Zurko; Mike Beltzner <beltzner; 
public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?
 
Relying on people reading documentation for a browser is also fraught with 
peril... people are not going to wait to get "educated" before their copy 
of Vista auto-updates to IE8, nor when they download Firefox 3 are they 
going to actually sit down and read a manual - they're going to double 
click the icon and go at it. If it's not intuitive, that's a problem. I 
don't think we can say RTFM, because nobody will... 

On Jan 11, 2008 7:15 AM, William Eburn <weburn@hisoftware.com> wrote:
Whether we use numbers, or "low, medium, high", at best, it's incomplete. 
Instead of calling it a "Security Score", if we called it a "browser 
connection security score" and in some kind of education and 
documentation, state that the score ignores both content and/or 
application and any of the security principals around them, then it may 
have some value.  However if someone sees a high score and they land on a 
horrible site that steals all of their information, we would definitely be 
doing them an injustice because at best the high-medium-low is misleading. 
 
 
So, if we agree with Ian… and I do, browser real estate is just so limited, 
there is no way we could communicate all of this information.  And 
understanding that benchmarking is only good if you describe what you're 
benchmarking then our benchmark of security score is not useful, and 
should be done away with.
 
Bill
 
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Doyle, Bill
Sent: Friday, January 11, 2008 10:04 AM
To: Mary Ellen Zurko; Mike Beltzner <beltzner
Cc: public-wsc-wg@w3.org
Subject: RE: Is the padlock a page security score?
 
I was thinking that instead of a numeric score it would be simpler to point 
to a robustness or assurance level in terms of high, medium, low. One 
thing to keep in mind is that the capabilities of the protocols and 
underlying IA mechanism keep changing, going to be difficult to keep 
numeric score consistent. What happens to page score when a new TLS/SSL 
version comes out or new ciphers are added. 
 
Be easier to present a consistent UI if it is noted that site meets high 
assurance, medium assurance or low assurance. This would still alert the 
user that something has changed - 72 to 38 would be a change in assurance 
level.
 
 
 
 
 

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Mary Ellen Zurko
Sent: Friday, January 11, 2008 9:09 AM
To: Mike Beltzner <beltzner
Cc: public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?

Great conversation, all the way around. I particularly appreciate those 
posts that, while taking a strong stance, also try to explore other points 
of view, how their stance relates to it, and what might be some sort of 
reasonable middle ground. Kudos to all of you!

> Where the number *would* come in handy is when they're used to 
> seeing a "72" for their bank or online shopping site, but all of a 
> sudden they see a "38". It's the change in the security values that 
> become interesting. At that point, though, why would we require that
> the user remember that theirshoppingsite.com is usually a 72, but 
> all of a sudden became a 36. Why would we not, instead, just alert 
> them to the fact that there's something suspicious, and they 
> shouldn't use the site at this time (with links to more detail for 
> those who wish to know what tipped us off).

That would tie into the Change of Security Level (or CoSL as I started to 
call it in my review comments) in xit. 

As I think does some of the discussion of warnings on top of passive 
indicators (although as my review comments indicated, it was hard to find 
the part of CoSL where that was specified, and should be made clearer). 
 


The information in this transmittal (including attachments, if any) is 
privileged and confidential and is intended only for the recipient(s) 
listed above.  Any review, use, disclosure, distribution or copying of 
this transmittal is prohibited except by or on behalf of the intended 
recipient. 
 If you have received this transmittal in error, please notify me 
immediately by reply email and destroy all copies of the transmittal. 
Thank you.
 
 




Received on Friday, 11 January 2008 17:32:28 UTC