Re: ACTION-374 - proposed re-written text for 6.3, Page Security Score from Serge Egelman on 2008-01-24 (public-wsc-wg@w3.org from January 2008)

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Thu, 24 Jan 2008 09:41:07 -0800
To: Dan Schutzer <dan.schutzer@fstc.org>
CC: "'Ian Fette'" <ifette@google.com>, "'Timothy Hahn'" <hahnt@us.ibm.com>, public-wsc-wg@w3.org
Message-ID: <4798CDB3.3010304@cs.cmu.edu>
The likely thing that will happen in this case is that people will learn 
to distrust the indicator when they start visiting websites with worse 
and worse ratings.  As I mentioned earlier, the issue is that when the 
user falls victim to an attack, they have no idea what action they took 
to cause this (e.g. ignoring the meter and visiting a bad website, 
visiting a bad website that actually didn't have a bad meter, 
unscrupulous cashier, etc.).

So the first time they see a "slightly" bad rating and decide to 
proceed, they won't realize any immediate consequences (if there even 
are any).  Thus, this behavior will continue and likely get worse (i.e. 
they'll start ignoring the meter altogether).  This is very classic 
conditioning.

This is just a hypothesis, but it is based on a wealth of literature. 
If many people disagree with me, I would suggest you provide some actual 
data.

serge

Dan Schutzer wrote:
> I agree the issue is what sort of action will people take based upon the 
> bar. If there were some adverse result from not going to a site with a 
> low security indicator, then people might learn (based upon their risk 
> adversity) what action to take when they see a bar; e.g. they go to an 
> insecure web page and something bad and immediately observable happens 
> to them. However, in the world of insure web pages, it is not clear that 
> people will get this sort of enforcement. So, maybe we ought to think 
> about some companion warning. For example, if when I go to web sites 
> with a low security score, I frequently get a warning, when the site 
> comes up, that this is a known phishing site or has unsafe content, I 
> might begin to pay attention to the low security score.
> 
>  
> 
> ------------------------------------------------------------------------
> 
> *From:* public-wsc-wg-request@w3.org 
> [mailto:public-wsc-wg-request@w3.org] *On Behalf Of *Ian Fette
> *Sent:* Thursday, January 24, 2008 1:27 AM
> *To:* Timothy Hahn
> *Cc:* public-wsc-wg@w3.org
> *Subject:* Re: ACTION-374 - proposed re-written text for 6.3, Page 
> Security Score
> 
>  
> 
> By saying that a user agent MAY elect not to display the indicator, but 
> that it SHOULD display the indicator, we're saying we think it's useful, 
> but if one wants to ignore that go ahead. I don't think that I'm yet 
> willing to go along and say that I think it's useful.
> 
> I really want to know what a person is supposed to do when they see this 
> indicator. If they see 3/4 bars, what do they do? If they see a meter 
> that's somewhere towards the right, what do they do? God forbid they see 
> a "78" and have to figure that out. None of these representations seem 
> like a good idea to me, and until we can come up with an indicator that 
> is actually going to inform user action, I really don't think we be 
> saying SHOULD about any of this, with the possible exception of noticing 
> a change.
> 
> Let's say that I go to my company's webmail, and it has 2/4 bars. I'm 
> still going to log in. Let's say I go to a e-commerce site and it has 
> 3/4 bars. What does that mean? Is it safe or not? (and I seriously doubt 
> that anyone is going to take on the liability of an indicator that 
> answers that question in a binary fashion, which is the only way this 
> might be useful, if we actually had the data to make that decision which 
> we do not).
> 
> This still seems way too strong to me.
> 
> On Jan 23, 2008 6:46 PM, Timothy Hahn <hahnt@us.ibm.com 
> <mailto:hahnt@us.ibm.com>> wrote:
> 
> 
> Ian,
> 
> In addition to the level of indirection I referred to below, I also 
> added this clause:
> 
> 
> 
>>   > The user agent MAY elect to display a visual indicator in primary 
> chrome
>>   > only when a change in "security confidence estimate" values is 
> observed.
>>   >
> 
> I added this upon reflection of your and Jonathan's comments on the 16 
> January call where you seemed to desire to not always show a visual 
> indicator.
> 
> I still believe that some type of meter that has more than 0/1 
> gradations is better than a meter that is binary and also better than no 
> meter at all.
> 
> 
> 
> Regards,
> Tim Hahn
> IBM Distinguished Engineer
> 
> Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565
> fax: 919.224.2530
> 
> 
> From:
> 
> 	
> 
> "Ian Fette" <ifette@google.com <mailto:ifette@google.com>>
> 
> To:
> 
> 	
> 
> Timothy Hahn/Durham/IBM@IBMUS
> 
> Cc:
> 
> 	
> 
> public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
> 
> Date:
> 
> 	
> 
> 01/23/2008 05:24 PM
> 
> Subject:
> 
> 	
> 
> Re: ACTION-374 - proposed re-written text for 6.3, Page Security Score
> 
>  
> 
> ------------------------------------------------------------------------
> 
> 
> 
> 
> I think that what I was saying on the call, and I heard the same from
> at least Johnathan, was that it's unclear what it means even if you
> have a dial, or "3 bars out of 4". At the end, it doesn't help me
> decide whether to proceed or not. The indirection didn't solve this
> problem.
> 
> On Jan 23, 2008 2:13 PM, Timothy Hahn <hahnt@us.ibm.com 
> <mailto:hahnt@us.ibm.com>> wrote:
>>
>>  Ian,
>>
>>  Thanks for the feedback.
>>
>>  I tried to express a level of indirection between what is displayed (I
>>  referred to this as a "visual indicator") and the value itself (which I
>>  referred to as the "value").  This indirection was meant to allow for a
>>  difference between what is displayed and the "raw score" value itself.
>>
>>  I welcome suggestions on making this more clear in the write-up.
>>
>>  Relative to your desire for MAY vs. SHOULD - given the different 
> opinions of
>>  the people that have been discussing this, I made the bold decision that
>>  SHOULD seemed appropriate.
>>
>>
>>  Regards,
>>  Tim Hahn
>>   IBM Distinguished Engineer
>>
>>   Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
>>   Internal: Timothy Hahn/Durham/IBM@IBMUS
>>   phone: 919.224.1565     tie-line: 8/687.1565
>>   fax: 919.224.2530
>>
>>
>>
>>
>>   From: "Ian Fette" <ifette@google.com <mailto:ifette@google.com>>
>>   To:
>>  Timothy Hahn/Durham/IBM@IBMUS
>>   Cc:
>>  public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>>   Date: 01/23/2008 04:55 PM
>>
>>   Subject: Re: ACTION-374 - proposed re-written text for 6.3, Page Security
>>  Score
>>
>>
>>   ________________________________
>>
>>
>>
>>  I'm still unclear on the following two points:
>>
>>   The user agent SHOULD provide a visual indicator in primary chrome
>>   which varies relative to the "security confidence estimate" value.
>>   Examples of such visual indicators (non-normative) are gauges,
>>   thermometers, a selection of several textual descriptions, and
>>   color-gradations.
>>
>>   The visual indicator SHOULD be especially conspicuous in display when
>>   the "security confidence estimate" value is different than the value
>>   which was observed for the loaded page in previous visits to the
>>   loaded page.
>>
>>   It sounds to me like there was a lot of agreement on the call that
>>   changes in this score might be informative. I don't think there was
>>   any agreement that the raw score itself was informative. I don't
>>   understand why we're saying that the score SHOULD be indicated in
>>   primary chrome, nor do I understand why it makes sense to show it if
>>   the score has changed (i.e. "Hey, this was 78 and now it's 68" -
>>   "Great, what does that mean"). I think it may make sense (MAY) to call
>>   out what changed, but calling out the score (either normally, or even
>>   when it changes) still makes no sense to me.
>>
>>   I would love to see these SHOULD -> MAY
>>
>>   -Ian
>>
>>   On Jan 23, 2008 10:41 AM, Timothy Hahn <hahnt@us.ibm.com 
> <mailto:hahnt@us.ibm.com>> wrote:
>>   >
>>   > To Mez:
>>   >
>>   > I agree with your proposal and will make that be so in the draft.
>>   >
>>   > To Mike:
>>   >
>>   > While I, myself, would prefer stronger language, I worded the 
> updates per
>>   > the discussion from the group (during the weekly conference call as 
> well
>>  as
>>   > on the mailing list).
>>   >
>>   > Regards,
>>   >
>>   > Tim Hahn
>>   >  IBM Distinguished Engineer
>>   >
>>   >  Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
>>   >  Internal: Timothy Hahn/Durham/IBM@IBMUS
>>   >  phone: 919.224.1565     tie-line: 8/687.1565
>>   >  fax: 919.224.2530
>>   >
>>   >
>>   >
>>   >
>>   >  From: Mary Ellen Zurko/Westford/IBM@IRIS
>>   >  To:
>>   > Timothy Hahn/Durham/IBM@IBMUS
>>   >  Cc:
>>   > public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>>   >  Date: 01/23/2008 01:29 PM
>>   >  Subject: Re: ACTION-374 - proposed re-written text for 6.3, Page
>>  Security
>>   > Score
>>   >  ________________________________
>>   >
>>   >
>>   >
>>   > I propose that you also change the title of the section to "Security
>>   > Confidence Estimate"
>>   >
>>   >           Mez
>>   >
>>   >
>>   >
>>   >
>>   >
>>   >
>>   >  From:
>>   > Timothy Hahn/Durham/IBM@IBMUS
>>   >  To:
>>   > public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>>   >  Date:
>>   > 01/23/2008 11:29 AM
>>   >  Subject: ACTION-374 - proposed re-written text for 6.3, Page Security
>>  Score
>>   >  ________________________________
>>   >
>>   >
>>   >
>>   >
>>   >
>>   > Hi all,
>>   >
>>   > From last week's meeting (16 January 2008) I took an action to propose
>>   > re-written text for the "Page Security Score" section.
>>   >
>>   > From the latest wsc-xit draft, the current text reads:
>>   >
>>   > --- Start ---
>>   > 6.3 Page Security Score
>>   >
>>   > See also: ISSUE-129
>>   >
>>   > Please refer to the following entries in the Working Group's Wiki for
>>   > relevant background information: 
> RecommendationDisplayProposals/PageScore
>>   >
>>   > The user agent MUST reduce the state of all security context 
> information
>>   > made available to a single value. A partial order MUST be defined 
> on the
>>  set
>>   > of possible values.
>>   >
>>   > The user agent MUST make the security context information value 
> available
>>  to
>>   > the end user, in either primary or secondary chrome.
>>   >
>>   > The user agent MUST make the formula by which the value is calculated
>>   > available to the end user. Documentation of the user agent is the
>>  likeliest
>>   > place.
>>   >
>>   > The form of the indicator of this value will depend on the user 
> agent and
>>   > end user abilities. The user agent SHOULD provide a a primary chrome
>>   > indicator
>>   >
>>   > --- End ---
>>   >
>>   > Here is my proposed re-written text:
>>   >
>>   > --- Start ---
>>   > 6.3 Page Security Score
>>   >
>>   > See also: ISSUE-129
>>   >
>>   > Please refer to the following entries in the Working Group's Wiki for
>>   > relevant background information: 
> RecommendationDisplayProposals/PageScore
>>   >
>>   > The user agent SHOULD provide a means of reducing the collection of
>>  security
>>   > context information which is available for any loaded page to a numeric
>>   > value (termed a "security confidence estimate").
>>   >
>>   > The calculation algorithm for the "security confidence estimate" MAY be
>>  made
>>   > selectable by the end user or offered by separately installed user 
> agent
>>   > plug-ins.
>>   >
>>   > The user agent SHOULD provide a visual indicator in primary chrome 
> which
>>   > varies relative to the "security confidence estimate" value. 
>  Examples of
>>   > such visual indicators (non-normative) are gauges, thermometers, a
>>  selection
>>   > of several textual descriptions, and color-gradations.
>>   >
>>   > The visual indicator SHOULD be especially conspicuous in display 
> when the
>>   > "security confidence estimate" value is different than the value which
>>  was
>>   > observed for the loaded page in previous visits to the loaded page.
>>   >
>>   > The user agent MAY elect to display a visual indicator in primary 
> chrome
>>   > only when a change in "security confidence estimate" values is 
> observed.
>>   >
>>   > The user agent MUST make the details of all available security context
>>   > information available to the end user, in either primary or secondary
>>   > chrome.
>>   >
>>   > If a "security confidence estimate" is provided, the provider of the
>>   > implementation MUST make the calculation algorithm by which the 
> "security
>>   > confidence estimate" value is calculated available to the end user.
>>   > Documentation for the user agent or plug-in which is employed is the
>>   > likeliest place.
>>   >
>>   > The visual realization of the "security confidence estimate" value will
>>   > depend on the user agent and end user abilities.
>>   >
>>   > --- End ---
>>   >
>>   >
>>   > Tim Hahn
>>   > IBM Distinguished Engineer
>>   >
>>   > Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
>>   > Internal: Timothy Hahn/Durham/IBM@IBMUS
>>   > phone: 919.224.1565     tie-line: 8/687.1565
>>   > fax: 919.224.2530
>>   >
>>   > [attachment "smime.p7s" deleted by Mary Ellen Zurko/Westford/IBM]
>>   >
>>   >
>>   >
>>
>>
>>
> 
>  
> 

-- 
/*
PhD Candidate
Carnegie Mellon University

"Whoever said there's no such thing as a free lunch was never a grad 
student."

All views contained in this message, either expressed or implied, are 
the views of my employer, and not my own.
*/
Received on Thursday, 24 January 2008 17:42:24 UTC