Re: Problems with the current user interface from Amir Herzberg on 2006-12-12 (public-wsc-wg@w3.org from December 2006)

From: Amir Herzberg <herzbea@macs.biu.ac.il>
Date: Tue, 12 Dec 2006 10:14:32 +0200
To: "Close, Tyler J." <tyler.close@hp.com>
CC: W3 Work Group <public-wsc-wg@w3.org>
Message-ID: <457E64E8.90806@cs.biu.ac.il>

Close, Tyler J. wrote:
> Hi Amir,
>  
> Amir Herzberg wrote:
>   
>> Close, Tyler J. wrote:
>>     
>>> I have started a list at:
>>>
>>> http://www.w3.org/2006/WSC/wiki/NoteProblemsWithCurrentUserInterface
>>>
>>> The initial text of the wiki page is:
>>>
>>> This section lists problems with the display of security context 
>>> information in current web browsers. Entries in this section should
>>>       
> be 
>   
>>> culled for user interface studies, and so be accompanied by
>>>       
> citations.
>   
>>> Problems with current user interface
>>>
>>>     * No chrome area versus page area distinction in user's mind
>>>       
>>   
>> This is a bit too strong, imho. I think, it is fair to say that
>> the distinction is not complete - not in user's mind, and
>> unfortunately not even in reality.
>>     
>
> In a recent email you wrote:
>
>   
>> Our experiments show quite clearly: users do not make the
>> distinction between the chrome and the web page.
>>     
>
> See:
> <http://lists.w3.org/Archives/Public/public-wsc-wg/2006Dec/0045.html>
>
> Could you clarify your results and how they should be interpreted
> Independent of your studies, a number of phishing studies have shown
> that users do not consult the chrome, or rely more on page content.
>   
I'm not saying users make a good distinction - they don't; and I agree 
that users rely on page content for trust decisions (which is a big 
problem).

I was just saying that I think you put the statement too strongly; users 
do not completely ignore the chrome, and are able to utilize security 
mechanisms in the chrome. Otherwise, it seems one would have to conclude 
that any `toolbar` (addition to chrome) solution is worthless, and our 
only option is some drastic change that will enforce the distinction. 
This may seem to be implied from the results of Wu et al. , but this is 
not necessarily a correct interpretation of their results; and certainly 
such a conclusion is falsified by our results, showing a very 
significant advantage to the use of site identification widgets (btw, 
with a small but significant advantage to the user-defined identifiers, 
i.e. petnames and `pet-images` - we hope to make the distinction clearer 
in our current experiment).

I'm sure you also believe that even with current browsers, a good site 
identification toolbar can add security.

Best, Amir

Received on Tuesday, 12 December 2006 08:15:13 UTC