RE: New use case for malware at previously visited site

Looks okay to me



From: [] On Behalf Of Ian Fette
Sent: Wednesday, August 01, 2007 5:47 PM
Subject: [Norton AntiSpam] New use case for malware at previously visited


Hi all,

I took on an action item in today's distributed meeting to add a use case
for a user browsing to a known malware site which has been previously
visited. I wanted to send this out to the list for comments, since I know
we're trying to come to consensus on the scope and use cases document.
Here's the use case I would like to add: 

Betty tries to connect to a web site at <>. She
visits this site frequently to read various news and articles. Since her
last visit, the site <> has been compromised
by some method, and visitors are now being infected with malware. A
blacklist used by her user agent has since listed
<> as a known bad site. What warnings should Betty be
presented with?

Destination Site
- Known, Prior visit 
- any
Intended interaction
- Information retrieval
Actual interaction
- software installation
- This is slightly different than use case 19. It still deals with how to
present results obtained from reputation services, but in the case of a user
returning to a site that they believe to be "good" when that site is now
believed to be compromised. 

(If anyone has questions about whether this should be in scope, I would
emphatically say yes... it falls under 4.4 in the use case document
(Third-party recommendation) in the case of blacklists, can potentially fall
under 4.5 if a user agent takes history into account (i.e. you're navigating
to <> which you visit daily, but now for
some reason it's on a blacklist your browser uses). This is not meant to be
detection, but how to display a warning that you're navigating to a site
known to be malicious by a trusted (3rd) party.)

Further, the document states "The Working Group will only consider Web
interactions in which a human participates in making a trust decision" -
visiting a site that is on a malware blacklist presents a trust decision -
do I trust this site to be safe to visit, or do I believe the warning that
my browser and system are about to be owned if I actually visit this site? 

If anyone has questions / concerns / suggestions regarding this proposed use
case, I'd love to hear them. 

Ian Fette

Received on Thursday, 2 August 2007 09:41:54 UTC