- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Mon, 11 Dec 2006 12:00:58 -0600
- To: <public-wsc-wg@w3.org>
Hi Michael,

Michael Smith wrote:
> "Close, Tyler J." <tyler.close@hp.com>, 2006-12-08 17:10 -0600:
> > Problems with current user interface
> >
> > * No chrome area versus page area distinction in user's mind
> > * Users ignore the chrome area
> > * The chrome area is spoofable
> > * Passwords are reused across distinct web sites
> > * Domain names are incorrectly read, or interpreted, by users
> > * Users assume that a http: URL reliably connects to the indicated domain name
> > * Certificate Authorities, or certificates, can be readily substituted
>
> As far as items like the "Users ignore the chrome area" one, as Tim pointed out earlier, we need to spend some time clarifying just which users we have in mind in making statements like that. I don't ignore the chrome area and very clearly understand the distinction between the browser chrome and page area. And the same could be said about everybody in this working group. So we're not talking about ourselves, but about some other users.
>
> I think it would be better to at least qualify those kinds of statements with "many users" or "most users" instead of just "users". Though as far as the first two items, I'm not yet convinced that those are characteristics of most users.

I based most of the items in the current list on the phishing studies "Why Phishing Works" and "Do Security Toolbars Actually Prevent Phishing Attacks?", as well as reports presented at various anti-phishing workshops I have attended, and Amir's commentary on his studies. The paper "Why Phishing Works" is thorough, and I recommend reading it. Also, Maritza has filled out our wiki's SharedBookmarks page with an excellent summary. See:

http://www.w3.org/2006/WSC/wiki/SharedBookmarks

I've also found arguments about "locus of attention" very convincing. This argument pertains to both expert and novice users. Even if you know you're supposed to look at the chrome, you sometimes don't if you are sufficiently focused on the task at hand. I've caught myself falling into this trap a few times. The current user interface puts the security indicators far away from where the action is, the form controls, and never directs the user to look at the security indicators. Given that you're not usually under attack, it's easy to get lazy about checking the security indicators.

Following up on our discussion about the distinction between chrome and page area: even as an expert, I don't have a simple, and yet correct, statement to make about the distinction between the chrome and the page area in current browsers. It's therefore not surprising to me that regular users don't know what distinction to make.

Tyler
Received on Monday, 11 December 2006 18:01:37 UTC