Re: Opera's three security levels

Michael(tm) Smith wrote:
> Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, 2006-11-24 10:22 -0500:
>
> [quoting Michael(tm) Smith]
>   
>>> So to answer your question, No, we don't have explicit actionable
>>> advice associated with each of the levels. I don't see how we
>>> could, practically, associate specific guidance with each of them.
>>> The expectation is basically that you'll use the numbered security
>>> level as another data point (along with other security context
>>> information) in making a decision about the degree of confidence
>>> you want to have sharing personal information with the site.
>>>       
>> Thanks Mike. I don't think that matches any practical or
>> realistic user model for the majority of users.
>>     
>
> Why exactly doesn't it? I would think intuitively that having an
> indicator that provides a greater level of granularity than just a
> binary secure/insecure padlock would be helpful to users.
>   
No. In (secure) usability, often `more is less`.

Users can understand that some sites are protected and some are not. But 
a user has no way to know if `level 2` is sufficient.

Furthermore, one big source of confusion for users is between security 
and trustworthiness of a site. Users often think a higher rating implies 
`more trustworthy`, they don't really think of resistance to 
cryptanalysis... Of course a spoofed site can easily get `level 3` (by 
using 1024b RSA, etc.). Here, at least, the `extended validation` certs 
would be more meaningful (but mixing that with four or three `security 
levels` would be a sure way to confuse most users).

In fact, my conclusion from our experiments is that a `security 
indicator` (like padlock) is already problematic, since users often 
confuse it with trustworthiness, or simply ignore it. Making a more 
complex padlock is, imho, a wrong approach.
> It gives users a simple way to visually evaluate the security of a
> particular site relative to the security of other sites in a
> particular security category (sites that have SSL/TLS certificates).
>   
Not really, imho.
> It's true that the numbers are potentially ambiguous and
> confusable (which is more secure: a 1 or a 3?), which is why one
> other thing that we do is to show the lock in various stages of
> being completely open (an https site with 0 security), partially
> closed/open (a site with a 1 or 2) or completely closed (3).
>   
Great, so now a user is expected to realize that the three phases of the 
lock (not to mention backgrounds etc.) are related to the four security 
levels. Of course, many browsers used `broken lock/key` for sites with 
`weak crypto SSL` - even that is not understood or noticed.
> I agree that a lot of these kinds of indicators have the
> fundamental problem of being ignorable by users. But we have the
> same kinds of problems with similar indicators in the real world:
> people also ignore things like stop signs and traffic lights and
> many other indicators that are designed to help protect them.
>   
I really don't think that our problems are due to people not caring or 
willing/able to use indicators. Given useful, simple indicators, the 
detection rates change dramatically. I'll be happy to provide a copy (of 
our paper with the experiment results, to appear in IEEE Transactions on 
Internet Technology).
> Along with that, we have the problem of certain sites that
> actually teach users that it's OK to ignore warnings that browsers
> emit and to ignore absence of certain security indicators (for
> example, the bank sites I mentioned in my earlier message which
> have login pages for which no padlock is displayed by browsers).
>   
Absolutely, and I hope the group recommendations will cover this.
>> That's one of the problems with security indicators; users
>> haven't got a clue what to do with them. Having the indicators
>> can be better than not having them, but only if there is some
>> model of how to use them.
>>     
<skip>
> But I will have to admit that at this point, it's hard for me to
> imagine a model that doesn't assume that users will need to put
> some degree of thought into trust and security, and what kind of
> security mechanisms there might be that could be practically
> implemented in browsers and that would not rely on users thinking
> a bit about trust and security.
>   
Users care about security, and will more and more, thanks to the 
phishers... but this does not mean they have to understand security 
mechanisms or indicators. As long as the indicators and their use are 
simple and non-obtrusive, users will use them.

Best, Amir Herzberg

Received on Monday, 27 November 2006 11:13:58 UTC