User (mis)education [was: Problems with the current user interface]

Maritza Johnson <maritzaj@cs.columbia.edu>, 2006-12-09 10:11 -0500:

> Would this also be the place to talk about the problems with how  
> users are taught to interpret current security cues?

I think it should be.

> I think part of the reason some of the current security indicators  
> are ignored/misinterpreted by users (and exploitable by spoofers)
> is due to users receiving either incomplete information, or incorrect  
> information about what they should be looking for.

Right. And to clarify from whom users are receiving most of that
bad information, I think it might better be said, "...due in large
part to some content providers (or site owners) providing users
with incomplete information or incorrect information about
what they should be looking for."

> Some examples:
> 
> Users are told if they see a lock icon the page is secure. However, a  
> lot of the time they aren't told *where* it should be. This allows  
> users to associate favicons, and lock icons in the page content with  
> a page's actual security.

Can you cite specific examples of users being told to look for the
padlock, and who is telling them to look for it? I think the
online help provided by most or all browser vendors clearly tells
users where to look for the icon in the browser chrome (not that
most users actually read the online help -- just that that's
generally the only means we have for providing that kind of guidance
to users).

> This is a very specific example, but I think it illustrates my  
> point ... on Bank of America's site they tell users
> "If you recognize your SiteKey, you'll know for sure that you are
> at the valid Bank of America site."
> 
> The statement puts the user in a position to completely rely on
> SiteKey, and more or less tells them it's ok to ignore any other
> security information they might be shown. Not to mention saying  
> "you'll know for sure" completely ignores the possibility of a MITM  
> attack.
> 
> Specific solutions like SiteKey may be out of scope,

Actually, I think that's a really good example that probably ought
to make it into the note.

> my point is users shouldn't be taught to rely on just one
> security indicator when there might be many. It completely
> undermines the purpose of having multiple security cues.

I agree completely.

  --Mike

Received on Monday, 11 December 2006 07:44:50 UTC