W3C home > Mailing lists > Public > public-wsc-wg@w3.org > January 2008

RE: Is the padlock a page security score?

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Mon, 14 Jan 2008 09:30:09 -0500
To: "'Robert Yonaitis'" <ryonaitis@hisoftware.com>, "'Mike Beltzner'" <beltzner@mozilla.com>
Cc: "'michael mccormick'" <michael.mccormick@wellsfargo.com>, <hahnt@us.ibm.com>, <public-wsc-wg@w3.org>, "'Ian Fette'" <ifette@google.com>
Message-ID: <006c01c856ba$013622d0$6500a8c0@dschutzer>

The web page application should ultimately be included in the score. This
means that two web applications using the same web protocols may not be
equally secure. I am planning to write a short paragraph to explain one way
this can be implemented.


-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Robert Yonaitis
Sent: Friday, January 11, 2008 9:32 AM
To: Mike Beltzner; Dan Schutzer
Cc: michael mccormick; hahnt@us.ibm.com; public-wsc-wg@w3.org; Ian Fette
Subject: RE: Is the padlock a page security score?

Hello All:

One last note on the scores. I think this is important. Since we have
neglected by design to cover the content or applications then the weather
analogy does not work. This is because the weather takes into account many
items like atmospheric soundings, dew points, trends, pressures and more.
(Disclaimer: I received a C in my advanced meteorology course at erau.edu)
Since we are by design ignoring the place where most security flaws can and
do happen the application  and or content then clearly our score would be


-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Mike Beltzner
Sent: Thursday, January 10, 2008 11:33 PM
To: Dan Schutzer
Cc: michael mccormick; hahnt@us.ibm.com; public-wsc-wg@w3.org; Ian Fette
Subject: Re: Is the padlock a page security score?

----- "Dan Schutzer" <dan.schutzer@fstc.org> wrote:
> I am not sure. If there were scores and competing services so that I
> had a choice then security might actually improve. Suppose I had two
> competing social networks with vastly different security scores; for
> example, One with a 70 and one with a 90 security score - I just might
> not use the service with the 70 security score. Perhaps if we had
> reliable scores and people started picking one service over another
> based upon the scores, we might get services that are more serious
> about security.

I don't think that's where the problem exists, though. It's not the case
that people are trying to choose between which of N different social
networking sites they want to work with (they'll go to the ones that their
friends are using).

Where the number *would* come in handy is when they're used to seeing a "72"
for their bank or online shopping site, but all of a sudden they see a "38".
It's the change in the security values that become interesting. At that
point, though, why would we require that the user remember that
theirshoppingsite.com is usually a 72, but all of a sudden became a 36. Why
would we not, instead, just alert them to the fact that there's something
suspicious, and they shouldn't use the site at this time (with links to more
detail for those who wish to know what tipped us off).

Again I say: the message needs to be meaningful and actionable. A summary
statistic isn't thus.

(Earlier we talked about 70% chance of rain, and I applauded it as an
interesting analogy. I realize, actually, that the liklihood of rain isn't
the same as a summary statistic for security, as rain is one aspect of the
weather. A more appropriate analogy would be if weather reports told us that
tomorrow would be "72% nice".)

Received on Monday, 14 January 2008 14:31:05 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:20 UTC