- From: Omar Herrera Reyna <0h3rr3r4@gmail.com>
- Date: Fri, 5 Feb 2016 09:49:17 -0600
- To: Eitan Adler <lists@eitanadler.com>
- Cc: Security-dev <security-dev@chromium.org>, public-webappsec@w3.org, blink-dev@chromium.org, dev-security@lists.mozilla.org
- Message-ID: <CAO2EpcajR0W=CFkuWU_sz4bcxixbMDnaYX3dzz_szSMgZjBEbg@mail.gmail.com>
Thank you for your comments and the suggested references Eitan. Sorry for touching on a topic that might have been heavily discussed in the past. I see your point now. Still, from the references I see that simple but persistent security cues are still noticed by users (security lock is noted by 2/3 of people), even if they ignore their interactive capabilities. Would a small set of simple and persistent security indicators have a different effect? The security lock signals a secure connection, but it does not certify the type of online transactions that user might do there with some degree of trust. Let me rephrase my proposal: 3 small and persistent icons and a text field: 1) A lock (just like we have now) 2) A credit card - to indicate that this site is in a certified white list to do online shopping 3) A bag of coins with the dollar sign - to indicate that this site is in a certified list to do online banking transactions Locks turn green when they satisfy the corresponding security indicators, otherwise they remain red (or even red and crossed). The text field would contain a word with the certified brand name (for indicators 2 and 3). This might actually not be necessary, but I would still like to know what other things. There we have a mix of both positive and negative indicators, that are simple, require no interaction from the user and are persistent. Regards, Omar On Thu, Feb 4, 2016 at 8:26 PM, Eitan Adler <lists@eitanadler.com> wrote: > On 4 February 2016 at 15:28, <0h3rr3r4@gmail.com> wrote: > > I've followed most of this discussion with great interest. It is a good > initiative, but have other alternatives been explored? > > > > For instance, why a blacklist approach instead of a whitelist? > > > > Why not a signal that certifies the name and activity of the company > being reached? For example: [XXX Company | Bank] or [YYY Corp. | online > retailer] > > > > Simple signs are easy to understand by users, that is what I like of > this initiative. However, you still need to enforce the message. > > This is demonstrability unhelpful. UI/UX research has shown > consistently that people do not notice the absence of positive > indicators. > > Some things to read: > - Trust Me: Design Patterns for Constructing Trustworthy Trust Indicators > - The emperor’s new security indicators in Proceedings of the 2007 > IEEE Symposium on Security and Privacy,. > - Use of Visual Security Cues in Web Browsers in Proceedings of the > 2005 Conference on Graphics Interface > > -- > Eitan Adler >
Received on Friday, 5 February 2016 16:23:33 UTC