New use case for malware at previously visited site

Hi all,

I took on an action item in today's distributed meeting to add a use case
for a user browsing to a known malware site which has been previously
visited. I wanted to send this out to the list for comments, since I know
we're trying to come to consensus on the scope and use cases document.
Here's the use case I would like to add:

Betty tries to connect to a web site at <http://www.example.com/>. She
visits this site frequently to read various news and articles. Since her
last visit, the site example.com has been compromised by some method, and
visitors are now being infected with malware. A blacklist used by her user
agent has since listed example.com as a known bad site. What warnings should
Betty be presented with?

Destination Site
- Known, Prior visit
Navigation
- any
Intended interaction
- Information retrieval
Actual interaction
- software installation
Note
- This is slightly different than use case 19. It still deals with how to
present results obtained from reputation services, but in the case of a user
returning to a site that they believe to be "good" when that site is now
believed to be compromised.


(If anyone has questions about whether this should be in scope, I would
emphatically say yes... it falls under 4.4 in the use case document
(Third-party recommendation) in the case of blacklists, can potentially fall
under 4.5 if a user agent takes history into account (i.e. you're navigating
to example.com which you visit daily, but now for some reason it's on a
blacklist your browser uses). This is not meant to be detection, but how to
display a warning that you're navigating to a site known to be malicious by
a trusted (3rd) party.)

Further, the document states "The Working Group will only consider Web
interactions in which a human participates in making a trust decision" -
visiting a site that is on a malware blacklist presents a trust decision -
do I trust this site to be safe to visit, or do I believe the warning that
my browser and system are about to be owned if I actually visit this site?

If anyone has questions / concerns / suggestions regarding this proposed use
case, I'd love to hear them.

Regards,
Ian Fette

Received on Wednesday, 1 August 2007 21:47:25 UTC