- From: Eitan Adler <lists@eitanadler.com>
- Date: Thu, 4 Feb 2016 18:26:06 -0800
- To: 0h3rr3r4@gmail.com
- Cc: Security-dev <security-dev@chromium.org>, public-webappsec@w3.org, blink-dev@chromium.org, dev-security@lists.mozilla.org

On 4 February 2016 at 15:28, <0h3rr3r4@gmail.com> wrote:
> I've followed most of this discussion with great interest. It is a good initiative, but have other alternatives been explored?
>
> For instance, why a blacklist approach instead of a whitelist?
>
> Why not a signal that certifies the name and activity of the company being reached? For example: [XXX Company | Bank] or [YYY Corp. | online retailer]
>
> Simple signs are easy to understand by users, that is what I like about this initiative. However, you still need to enforce the message.

This is demonstrably unhelpful. UI/UX research has shown consistently that people do not notice the absence of positive indicators.

Some things to read:
- Trust Me: Design Patterns for Constructing Trustworthy Trust Indicators
- The emperor’s new security indicators, in Proceedings of the 2007 IEEE Symposium on Security and Privacy
- Use of Visual Security Cues in Web Browsers, in Proceedings of the 2005 Conference on Graphics Interface

--
Eitan Adler

Received on Friday, 5 February 2016 02:27:06 UTC