- From: Ian Fette <ifette@google.com>
- Date: Thu, 16 Aug 2007 09:45:34 -0700
- To: "Luis Barriga (KI/EAB)" <luis.barriga@ericsson.com>
- Cc: public-wsc-wg@w3.org
- Message-ID: <bbeaa26f0708160945p3b50947flee1cb1420f30f7f7@mail.gmail.com>
Good point... I would agree that the point in time where the site has been cleaned up is yet another distinct case.

On 8/16/07, Luis Barriga (KI/EAB) <luis.barriga@ericsson.com> wrote:
>
> More than that. How can Betty re-gain trust on this site once it has
> been sanitized? Should the user agent just transparently allow access to the
> site upon visit after the site is clean? Or should the UA inform Betty?
>
> Note the life cycle difference with (temporal) malicious sites that have
> been created with bad purposes from the beginning. The use case below starts
> with a good trusted site, that was infected and untrusted, but once sanitized
> it would certainly want to be back in business again.
>
> Luis
>
> ------------------------------
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> *On Behalf Of* Ian Fette
> *Sent:* den 1 augusti 2007 23:47
> *To:* public-wsc-wg@w3.org
> *Subject:* New use case for malware at previously visited site
>
> Hi all,
>
> I took on an action item in today's distributed meeting to add a use case
> for a user browsing to a known malware site which has been previously
> visited. I wanted to send this out to the list for comments, since I know
> we're trying to come to consensus on the scope and use cases document.
> Here's the use case I would like to add:
>
> Betty tries to connect to a web site at <http://www.example.com/>. She
> visits this site frequently to read various news and articles. Since her
> last visit, the site example.com has been compromised by some method, and
> visitors are now being infected with malware. A blacklist used by her user
> agent has since listed example.com as a known bad site, what warnings
> should Betty be presented with?
>
> Destination Site
> - Known, Prior visit
> Navigation
> - any
> Intended interaction
> - Information retrieval
> Actual interaction
> - software installation
> Note
> - This is slightly different than use case 19. It still deals with how to
> present results obtained from reputation services, but in the case of a user
> returning to a site that they believe to be "good" when that site is now
> believed to be compromised.
>
>
> (If anyone has questions about whether this should be in scope, I would
> emphatically say yes... it falls under 4.4 in the use case document
> (Third-party recommendation) in the case of blacklists, can potentially fall
> under 4.5 if a user agent takes history into account (i.e. you're
> navigating to example.com which you visit daily, but now for some reason
> it's on a blacklist your browser uses). This is not meant to be detection,
> but how to display a warning that you're navigating to a site known to be
> malicious by a trusted (3rd) party.
>
> Further, the document states "The Working Group will only consider Web
> interactions in which a human participates in making a trust decision" -
> visiting a site that is on a malware blacklist presents a trust decision -
> do I trust this site to be safe to visit, or do I believe the warning that
> my browser and system are about to be owned if I actually visit this site?
>
> If anyone has questions / concerns / suggestions regarding this proposed
> use case, I'd love to hear them.
>
> Regards,
> Ian Fette
>
Received on Thursday, 16 August 2007 16:46:05 UTC