RE: Action Item 18 - understand/visualize the strength of SSL

I think users base trust more on who they are dealing with. They just want
to be sure who they are dealing with. If I shop at Amazon all the time, I
feel a lot more comfortable at an Amazon website than at an unknown discount
web merchant. Same with my bank. We need to find a way of assuring a user
that they are really at the intended website. It doesn't mean that a user
won't want to go to unknown websites, just that they will be more cautious.
Some users actually use two different machines for this purpose. Therefore,
it would be great if a user could put their browser in a mode where they
could be receiving from only known validated web sites for when they want to
do their high risk transactions with only known and trusted sites; and go
into the unknown larger web when they want to do riskier things.

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Amir Herzberg
Sent: Wednesday, December 06, 2006 9:37 AM
To: Michael(tm) Smith
Cc: public-wsc-wg@w3.org
Subject: Re: Action Item 18 - understand/visualize the strength of SSL
Michael(tm) Smith wrote:
> George Staikos <staikos@kde.org>, 2006-12-04 16:21 +0000:
>
>   
>> We, the browser developers, have had an ongoing effort to
>> reduce the complexity of indicators and consolidate the
>> decision making process.  We don't want users to have to judge
>> if 75% security is good enough, or if they should go for 80%
>> (whatever those mean anyway).  We need to have a set of
>> criteria that enable us to make a boolean decision.
>>     
>
> Regardless of the complexity of the indicators, it ultimately
> comes down to any given user making a boolean decision to either
> trust a particular site or not.
>
> It seems like the old "as simple as possible, but no simpler"
> adage is relevant here. I'd hope that we don't end up taking a
> task (looking at set of security data about a given site, and
> evaluating it in order to make a trust decision), and trying to
> oversimplify it.
>   
But users really want just the simple information of whether a site is 
to be trusted or not, and presenting them with technical details is not 
helping (most of) them. So we have the dilemma: do we present such 
information, allowing knowledgeable users to protect themselves (at 
least in theory), or do we omit it, but then make security and trust 
decisions for the user?

I think users do not want to make the trust and security decision, but I 
also don't think that making such a decision should be a browser 
service. Comparing security of browsers based on the security decisions 
made by the blacklist services they use makes no sense.

There is an alternative: allow users to pick a security service, like 
anti-virus, to make such choices. In this way, users can choose a 
browser based on its quality, and select an (often paid) security and 
trust service based on its quality.

Best, Amir Herzberg

Received on Thursday, 7 December 2006 14:01:55 UTC