W3C home > Mailing lists > Public > public-wsc-wg@w3.org > January 2008

RE: Is the padlock a page security score?

From: Robert Yonaitis <ryonaitis@hisoftware.com>
Date: Mon, 14 Jan 2008 09:43:59 -0500
Message-ID: <90F089E131F2B44EAF88F580AD6A8DFE35E5FB@be26.exg3.exghost.com>
To: "Dan Schutzer" <dan.schutzer@fstc.org>, "Mike Beltzner" <beltzner@mozilla.com>
Cc: "michael mccormick" <michael.mccormick@wellsfargo.com>, <hahnt@us.ibm.com>, <public-wsc-wg@w3.org>, "Ian Fette" <ifette@google.com>


That is great, and NIST has some good open test cases as well that can be
shared. Perhaps if we consider content and application as any good mark
will do, then we should consider OS. I am only concerned regarding one
thing. Every study I have read says that people have no idea what the
padlock means exactly even if they see it, so why replace this with
another icon that all studies show would most likely be misrepresented?
HiSoftware has been tentative at this point because it is at best
incomplete. I have missed the fact that most people don't know what it
means if they look at it (According to what I read on this working group


-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Dan Schutzer
Sent: Monday, January 14, 2008 9:30 AM
To: Robert Yonaitis; 'Mike Beltzner'
Cc: 'michael mccormick'; hahnt@us.ibm.com; public-wsc-wg@w3.org; 'Ian
Subject: RE: Is the padlock a page security score?

The web page application should ultimately be included in the score.
means that two web applications using the same web protocols may not be
equally secure. I am planning to write a short paragraph to explain one
this can be implemented.


-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
Behalf Of Robert Yonaitis
Sent: Friday, January 11, 2008 9:32 AM
To: Mike Beltzner; Dan Schutzer
Cc: michael mccormick; hahnt@us.ibm.com; public-wsc-wg@w3.org; Ian Fette
Subject: RE: Is the padlock a page security score?

Hello All:

One last note on the scores. I think this is important. Since we have
neglected by design to cover the content or applications then the
analogy does not work. This is because the weather takes into account
items like atmospheric soundings, dew points, trends, pressures and
(Disclaimer: I received a C in my advanced meteorology course at
Since we are by design ignoring the place where most security flaws can
do happen, the application and/or content, then clearly our score would


-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
Behalf Of Mike Beltzner
Sent: Thursday, January 10, 2008 11:33 PM
To: Dan Schutzer
Cc: michael mccormick; hahnt@us.ibm.com; public-wsc-wg@w3.org; Ian Fette
Subject: Re: Is the padlock a page security score?

----- "Dan Schutzer" <dan.schutzer@fstc.org> wrote:
> I am not sure. If there were scores and competing services so that I
> had a choice then security might actually improve. Suppose I had two
> competing social networks with vastly different security scores; for
> example, One with a 70 and one with a 90 security score - I just might
> not use the service with the 70 security score. Perhaps if we had
> reliable scores and people started picking one service over another
> based upon the scores, we might get services that are more serious
> about security.

I don't think that's where the problem exists, though. It's not the case
that people are trying to choose between which of N different social
networking sites they want to work with (they'll go to the ones that
friends are using).

Where the number *would* come in handy is when they're used to seeing a
for their bank or online shopping site, but all of a sudden they see a
It's the change in the security values that becomes interesting. At that
point, though, why would we require that the user remember that
theirshoppingsite.com is usually a 72, but all of a sudden became a 36?
would we not, instead, just alert them to the fact that there's
suspicious, and they shouldn't use the site at this time (with links to
detail for those who wish to know what tipped us off).

Again I say: the message needs to be meaningful and actionable. A
statistic isn't thus.

(Earlier we talked about 70% chance of rain, and I applauded it as an
interesting analogy. I realize, actually, that the likelihood of rain
the same as a summary statistic for security, as rain is one aspect of
weather. A more appropriate analogy would be if weather reports told us
tomorrow would be "72% nice".)


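The contrast Beltzner draws above (a single number that drops from 72 to 36 versus an alert that says what changed and what to do) can be made concrete. The following is an added example written for this archive page, not code from the working group or from any browser: it keeps a per-origin baseline of observed security properties, reports regressions against that baseline in plain words, and shows the same observations collapsed into one score. The property names (tls, certIssuer, mixedContent, loginOverTls) and the score weights are assumptions chosen for illustration.

```javascript
// Added example (not part of the thread): "tell the user what got worse"
// next to "give the user a number", over the same per-page observations.
// Property names and weights below are illustrative assumptions.

// One-number score in the style the thread debates. It loses the
// information a user could act on: which property changed and how.
function securityScore(obs) {
  let score = 0;
  if (obs.tls) score += 40;            // page fetched over TLS
  if (obs.certIssuer) score += 10;     // a certificate was presented at all
  if (!obs.mixedContent) score += 20;  // no plain-HTTP subresources
  if (obs.loginOverTls) score += 30;   // credentials are not posted in clear
  return score;
}

// List, in actionable language, every property that is worse now than in
// the remembered baseline for this origin. Returns [] when nothing regressed.
function regressions(baseline, current) {
  const out = [];
  if (baseline.tls && !current.tls) {
    out.push("connection is no longer encrypted (this site used HTTPS before)");
  }
  if (baseline.certIssuer && current.certIssuer &&
      baseline.certIssuer !== current.certIssuer) {
    out.push(`certificate issuer changed from "${baseline.certIssuer}" ` +
             `to "${current.certIssuer}"`);
  }
  if (!baseline.mixedContent && current.mixedContent) {
    out.push("page now loads some content over plain HTTP");
  }
  if (baseline.loginOverTls && !current.loginOverTls) {
    out.push("login form is now submitted without encryption");
  }
  return out;
}

// Compare a visit against the stored baseline for its origin.
// store: Map<origin, observations>. Returns an action plus the reasons,
// and the two scores only so the reader can see how little they convey.
function assessVisit(store, origin, current) {
  const baseline = store.get(origin);
  if (!baseline) {
    // First visit: nothing to compare against, so remember what we saw
    // (trust on first use; see the caveat in the note below the block).
    store.set(origin, Object.assign({}, current));
    return { action: "ok", reasons: ["first visit; baseline recorded"] };
  }
  const reasons = regressions(baseline, current);
  if (reasons.length > 0) {
    // Do not overwrite the baseline on a regression, so the warning
    // persists until the site is back to its previous state.
    return {
      action: "warn",
      reasons,
      previousScore: securityScore(baseline),
      score: securityScore(current),
    };
  }
  // No regression: accept improvements as the new baseline.
  store.set(origin, Object.assign({}, current));
  return { action: "ok", reasons: [] };
}

// Constructed sample visits (not real observations of any site).
const SAMPLE_GOOD = { tls: true, certIssuer: "Example CA", mixedContent: false, loginOverTls: true };
const SAMPLE_BAD  = { tls: true, certIssuer: "Other CA",   mixedContent: true,  loginOverTls: false };

function demo() {
  const store = new Map();
  assessVisit(store, "theirshoppingsite.com", SAMPLE_GOOD);
  return assessVisit(store, "theirshoppingsite.com", SAMPLE_BAD);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run as written, the second visit returns `action: "warn"` with three sentences a user can act on, while the scores alone would only say 100 became 50. Two caveats a practitioner would add: the baseline is trust-on-first-use, so an attacker who controls the very first visit to an origin sets the bar; and accepting improvements as the new baseline is a choice, not a given, since it means a brief "good" visit can raise the bar that later visits are held to.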
Received on Monday, 14 January 2008 14:44:06 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:20 UTC