RE: New use case for malware at previously visited site

More than that. How can Betty re-gain trust in this site once it
has been sanitized? Should the user agent just transparently allow
access to the site upon visit after the site is clean? Or should the UA
inform Betty?
 
Note the life cycle difference with (temporal) malicious sites that have
been created with bad purposes from the beginning. The use case below
starts with a good trusted site, that was infected and untrusted, but
once sanitized it would certainly want to be back in business again.
 
Luis

________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Ian Fette
Sent: 1 August 2007 23:47
To: public-wsc-wg@w3.org
Subject: New use case for malware at previously visited site


Hi all,

I took on an action item in today's distributed meeting to add a use
case for a user browsing to a known malware site which has been
previously visited. I wanted to send this out to the list for comments,
since I know we're trying to come to consensus on the scope and use
cases document. Here's the use case I would like to add: 

Betty tries to connect to a web site at <http://www.example.com/>. She
visits this site frequently to read various news and articles. Since her
last visit, the site example.com has been compromised by some method,
and visitors are now being infected with malware. A blacklist used by
her user agent has since listed example.com as a known bad site. What
warnings should Betty be presented with?

Destination Site
- Known, Prior visit 
Navigation
- any
Intended interaction
- Information retrieval
Actual interaction
- software installation
Note
- This is slightly different than use case 19. It still deals with how
to present results obtained from reputation services, but in the case of
a user returning to a site that they believe to be "good" when that site
is now believed to be compromised. 


(If anyone has questions about whether this should be in scope, I would
emphatically say yes...  it falls under 4.4 in the use case document
(Third-party recommendation) in the case of blacklists, can potentially
fall under 4.5 if a user agent takes history into account (i.e. you're
navigating to example.com which you visit daily,
but now for some reason it's on a blacklist your browser uses). This is
not meant to be detection, but how to display a warning that you're
navigating to a site known to be malicious by a trusted (3rd) party. 

Further, the document states "The Working Group will only consider Web
interactions in which a human participates in making a trust decision" -
visiting a site that is on a malware blacklist presents a trust decision
- do I trust this site to be safe to visit, or do I believe the warning
that my browser and system are about to be owned if I actually visit
this site? 

If anyone has questions / concerns / suggestions regarding this proposed
use case, I'd love to hear them. 

Regards,
Ian Fette

Received on Thursday, 16 August 2007 16:20:08 UTC