
RE: Is the padlock a page security score?

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Mon, 14 Jan 2008 07:04:38 -0500
To: "'Anil Saldhana'" <Anil.Saldhana@redhat.com>, <public-wsc-wg@w3.org>
Cc: "'Dan Schutzer'" <dan.schutzer@fstc.org>
Message-ID: <004e01c856a5$a456be80$6500a8c0@dschutzer>

I think all of this is hard to substantiate until we test how people react,
how reliable the scores are, and how they evolve over time. One thing we
know for sure - today there is no real indication regarding the relative
security of a web page. The best indication the user gets is whether the SSL
path is encrypted (lock), and whose name is on the web page (the web service
provider's name and the user's familiarity with the web page). Other than
that, all web pages are equally insecure as far as the user is concerned.

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Anil Saldhana
Sent: Friday, January 11, 2008 5:26 PM
To: public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?


Which category of users/websites care a lot about page scores? Is it the 
banking industry? If yes, then we should understand that the banking 
websites are one of the most sensitive systems on the web.

As for users, when they bank, I am sure they care a whole lot about how
secure the banking site is. If the site is showing a page score that is
not satisfactory to the user, then it is time for the user to call the
bank and find out why the score is X.

Many of the US banks are going towards multi-factor knowledge based 
authentication, like displaying a favorite picture of yours and such.

Mike Beltzner wrote:
> 
> michael.mccormick@wellsfargo.com wrote:
>> There seems to still be some lingering misunderstanding about the
>> security score.  It does not specify how the score should be presented
>> in primary chrome.  The UA is free to render it as anything from a
>> padlock to a color-coded address bar to a traffic light to whatever.
>> The raw score is not displayed in the primary UI. 
> 
> The disagreement is in that I don't believe a single "score" will ever 
> hold value. A recommendation or advice based on a score, is what I would 
> suggest we advocate in our document.
> 
> The user who needs a recommendation for action (ie: "Is this page 
> safe?") won't benefit from a score ("72% safe!"), as it won't hold any 
> specific meaning to them.
> 
> The user who wants to know more about why a specific recommendation has 
> been given (ie: "Why are you saying that this page is suspicious, it 
> looks like my bank!") won't benefit from a score ("because it's only 
> 72% safe!") because they need more detail.
> 
> Both of these users are served by a system where security risks are 
> called out by the browser ("Note: This page is suspicious! 
> (Details...)") and then further explanation is given (the certificate 
> changed, it's not high on the network of trust, etc).
> 
> cheers,
> mike
> 

-- 
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/
Received on Monday, 14 January 2008 12:04:57 GMT
