RE: New use case for malware at previously visited site from Dan Schutzer on 2007-08-02 (public-wsc-wg@w3.org from August 2007)

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Thu, 2 Aug 2007 05:41:22 -0400
To: "'Ian Fette'" <ifette@google.com>, <public-wsc-wg@w3.org>
Message-ID: <012d01c7d4e9$4a643c60$6500a8c0@dschutzer>

Looks okay to me

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Ian Fette
Sent: Wednesday, August 01, 2007 5:47 PM
To: public-wsc-wg@w3.org
Subject: [Norton AntiSpam] New use case for malware at previously visited
site

Hi all,

I took on an action item in today's distributed meeting to add a use case
for a user browsing to a known malware site which has been previously
visited. I wanted to send this out to the list for comments, since I know
we're trying to come to consensus on the scope and use cases document.
Here's the use case I would like to add: 

Betty tries to connect to a web site at <http://www.example.com/>. She
visits this site frequently to read various news and articles. Since her
last visit, the site example.com <http://example.com/>  has been compromised
by some method, and visitors are now being infected with malware. A
blacklist used by her user agent has since listed example.com
<http://example.com/>  as a known bad site, what warnings should Betty be
presented with?

Destination Site
- Known, Prior visit 
Navigation
- any
Intended interaction
- Information retrieval
Actual interaction
- software installation
Note
- This is slightly different than use case 19. It still deals with how to
present results obtained from reputation services, but in the case of a user
returning to a site that they believe to be "good" when that site is now
believed to be compromised. 

(If anyone has questions about whether this should be in scope, I would
emphatically say yes...  it falls under 4.4 in the use case document
(Third-party recommendation) in the case of blacklists, can potentially fall
under 4.5 if a user agent takes history into account (i.e. you're navigating
to example.com <http://example.com/>  which you visit daily, but now for
some reason it's on a blacklist your browser uses). This is not meant to be
detection, but how to display a warning that you're navigating to a site
known to be malicious by a trusted (3rd) party. 

Further, the document states "The Working Group will only consider Web
interactions in which a human participates in making a trust decision" -
visiting a site that is on a malware blacklist presents a trust decision -
do I trust this site to be safe to visit, or do I believe the warning that
my browser and system are about to be owned if I actually visit this site? 

If anyone has questions / concerns / suggestions regarding this proposed use
case, I'd love to hear them. 

Regards,
Ian Fette

Received on Thursday, 2 August 2007 09:41:54 UTC