Re: New Use Case for W3C WSC

I would be very surprised if this was happening. It sounds much more like a
configuration error to me. Trying to figure out what certificates will be
presented is likely very hard, mainly because following links can have
side-effects and that's bad - you don't want your mail client "clicking" on
links to find out what happens. Your client could establish a connection to
the host for the link (i.e. if the link is
https://www.example.com/dostuff.php?id=123 it could establish an SSL
connection with example.com), but actually requesting dostuff.php?id=123
might have side-effects, so the client should not do this. (This also means
that you don't really know where the user is going to end up, because
dostuff.php?id=123 might generate a redirect to another
server/site/whatever, and so you really don't know the end state at which
the user will arrive.)

Just to verify, I booted up my virtual machine with Outlook 2003 and IE7. I
set IE7 as the default browser. I launched Outlook 2003. I was able to click
links in email that were http:// and https:// (the https link was definitely
not EV) and I never had any issues.

It would be absolutely crazy for MS to disable clicking on links that don't
terminate at an EV certificate because 1) they have no way of figuring out
where a given link will terminate without actually following it (which would
be bad) and 2) the HUGE majority of links in emails probably don't go to
EV-protected sites, so you would be basically killing almost all links in
email. I really think that you have a configuration problem...
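As an added illustration of the point made above (example code written for this page, not taken from the thread or from any mail client), the script below shows what a mail client could learn about an https link without requesting it: it parses the link, opens a TLS connection to the link's host and port, reads the server certificate from the handshake, and never sends the HTTP request line, so the query string is never delivered. The sample certificate dictionary is constructed to mirror the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the live probe in the `__main__` section needs network access and is the only part that contacts anything.

```python
"""
Added example, not from the mailing-list thread: inspect the TLS endpoint of a
link from an e-mail without issuing the request that the link encodes.
"""
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns
# after a successful, verified handshake.  Values are made up for the example.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def handshake_target(link: str):
    """Return (host, port, path_and_query) for an https link, or None otherwise.

    Only host and port are needed for the handshake.  path_and_query is
    returned purely so the caller can see what is deliberately NOT sent.
    """
    parts = urlsplit(link)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    port = parts.port or 443
    path_and_query = parts.path or "/"
    if parts.query:
        path_and_query += "?" + parts.query
    return parts.hostname, port, path_and_query


def peer_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TLS handshake only: connect, validate the chain against the system trust
    store, return the decoded leaf certificate, and close without sending any
    application data.  Requires network access (not run by the offline test).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def certificate_names(cert: dict) -> set:
    """Collect the DNS names a certificate is valid for (SAN entries plus CN)."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


if __name__ == "__main__":
    # The thread's own example link; nothing after the host is ever sent.
    target = handshake_target("https://www.example.com/dostuff.php?id=123")
    host, port, not_sent = target
    print(f"handshake with {host}:{port}; NOT requesting {not_sent}")
    try:
        cert = peer_certificate(host, port)
        print("certificate names:", sorted(certificate_names(cert)))
    except (OSError, ssl.SSLError) as exc:
        print("probe failed:", exc)
```

Two caveats follow directly from the message above. First, the certificate only describes the host the link names; a redirect issued by `dostuff.php?id=123` can send the user to an entirely different site, and that is unknowable without making the request. Second, even a handshake without a request is observable by the server (it sees a connection from the reader's address at the moment the mail is handled), so a client that probes every link automatically still leaks that the message was opened.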

On 8/24/07, Dan Schutzer <dan.schutzer@fstc.org> wrote:
>
>  I am using Outlook 2003 with IE7. Maybe you need to link Outlook with
> IE7. Also it only warns me and disables certain links and not others. I
> believe, unconfirmed, that this disabling of the link within the email only
> occurs for links that are not EV certified.
>
>
>  ------------------------------
>
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> *On Behalf Of *Ian Fette
> *Sent:* Friday, August 24, 2007 1:21 PM
> *To:* Dan Schutzer
> *Cc:* Bob Pinheiro; public-wsc-wg@w3.org
> *Subject:* Re: New Use Case for W3C WSC
>
>
>
> I don't know what version of Outlook you're using, or how you have it
> configured, but I just launched Outlook 2003 and set up a mail account
> (painful), clicked on an email, it had a http:// link, I clicked on it, and
> up popped Firefox with that page. So I don't really know what you mean by
> "an alt control sequence or clicking on a bar" - I just clicked the link and
> it worked. Perhaps there's a problem with your configuration?
>
> (I could install Office 2007 and try it out in the newer version of
> Outlook, but I really don't have a great desire to spend my time doing
> that.)
>
> On 8/24/07, *Dan Schutzer* <dan.schutzer@fstc.org> wrote:
>
> I don't know if your assumptions are correct. I use Outlook and today when
> I get embedded links in my email, I am unable to open the link without going
> through an alt control sequence or clicking on a bar in the email chrome.
> So, I am already doing something like what has been described, and so are, I
> suppose, most of the current Outlook users.
>
>
>
> Dan
>
>
>  ------------------------------
>
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> *On Behalf Of *Ian Fette
> *Sent:* Friday, August 24, 2007 11:56 AM
> *To:* Bob Pinheiro
> *Cc:* public-wsc-wg@w3.org
> *Subject:* Re: New Use Case for W3C WSC
>
>
>
> This is going to rapidly take me down a divergent path, but I shall follow
> said path anyways.
>
> One of the biggest problems I have with SBM is invocation. You can't
> really expect users to invoke SBM before clicking a link in their email,
> because when they're reading their email their browser might not even be
> open (except for all the wonderful gmail users out there ;-). But seriously,
> when you click on a link in Thunderbird or Outlook or Lotus Notes or
> whatever it is that you use to read email, that email program just knows
> that it's supposed to open that link in a browser (sometimes... if it has no
> clue, it might just shellexecute the URL and let the OS figure out what to
> do with it). Either way, unless the default browser is set to "Browser with
> SBM Mode Turned On", links from email are going to get loaded in non-SBM
> mode.
>
> So, let's now go back to your response. Let's say that the user is
> educated enough to understand that SBM should be invoked before visiting any
> banking websites. (I personally find this a troublesome assumption, but
> let's run with it). Is the user then supposed to start a web browser, enter
> SBM mode, and then cut and paste the link from their email? That's a
> usability disaster, and I doubt anyone would actually figure out that those
> steps were required. Even if a user opens a browser and starts SBM, clicking
> on a link in an email program would very likely just start a new browser
> window (probably without SBM enabled... and when a user is in SBM mode, do
> you really want links from external programs to be able to clobber the
> current window?).  In my mind, we're heading for a usability disaster here.
>
> Further, in your use case below, you're assuming a strong tie-in between a
> user's MUA (email client) and their browser, which is often not the case. In
> some cases the two are strongly tied together, but in many cases when an
> email client gets a URL and the user clicks on it, it just throws the URL to
> the operating system and says "deal with it". And we're already well down
> the path of suggesting extensions to MUAs (email clients) to do machine
> learning to detect possible bank-like emails, and I fear this is getting way
> out of scope of the WG...
>
> On 8/24/07, *Bob Pinheiro* <Bob.Pinheiro@fstc.org> wrote:
>
> I think there may be a tie-in here with Safe Browsing Mode.  Suppose the
> user is educated enough to understand that SBM should be invoked before
> visiting any banking websites.  Then upon seeing the email, the user should
> invoke SBM before clicking on the apparent banking link.  If that is done,
> then instead of displaying the ERROR 404 message, the user should see
> whatever is displayed by SBM when the user attempts to visit a non-safe
> website.
>
> But if it is true that "education does not consistently produce the
> results desired", then there may be numerous times when even users who are
> aware of SBM do not actually invoke it when they should; that is, before
> visiting banking websites.  So a question worth asking might be: can a
> user's browser be made "smart" enough to sense that a website that the user
> wants to visit might possibly be a banking website?  The user can easily
> sense this because the Use Case says that the email claims to be from the
> user's bank.    If the user's computer can somehow "read" the email header,
> it might display a message saying "I sense that you are attempting to visit
> a possible banking website.  However, it is possible that this is a
> fraudulent website.  Would you like me to invoke Safe Browsing Mode to
> prevent you from visiting a fraudulent site?"  The user could respond, Yes
> or No.
>
> Some sort of artificial intelligence that could read and interpret email
> headers might be needed, possibly triggered by certain banking-like keywords
> or phrases in an email header.  I don't know if such exists, or if it does,
> whether it is "ready for prime time" and would produce reliable results.
> But it might be one possible answer to the dilemma of needing to educate
> users to do certain things to protect themselves online.
>
> At 08:25 AM 8/24/2007, Mary Ellen Zurko wrote:
>
>  We have two sections in wsc-usecases that touch on education:
>
> http://www.w3.org/TR/wsc-usecases/#learning-by-doing
>
> http://www.w3.org/TR/wsc-usecases/#uniformity
>
> The first says that experience shows that while users learn, education
> does not consistently produce the results desired.
>
> The second cites one study that shows that education does not impact
> susceptibility to phishing. It's possible that Brustoloni's latest shows
> that as well:
>
> http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf is more
> hopeful, but shows no transfer to "realistic" behavior, in a study or in the
> wild.
>
> I gather from the discussions with the usability evaluation folks, they
> believe they can address education.
>
> Personally, I'm not a believer in direct education, mostly because no
> one's brought up a single data point where users were directly educated to
> do something, and did it, even when they had options that were more
> attractive for some reason (e.g. more familiar, easier).  All the
> promising anti phishing research makes sure that the secure option is the
> most attractive (or at least comparably attractive).
>
> On the other hand, I do believe that in circumscribed organizations, like
> the military and large companies, a system of education, reward, and
> punishment can be (and is) set up to change user behavior. I would again
> refer to http://www.acsa-admin.org/2002/papers/7.pdf as showing an upper
> bound on how successful that can be when the option is not the most
> attractive (order of 30% of the overall population).
>
> I would be more comfortable with an education use case if we said more
> somewhere about how we'll come to terms with it. Do the usability evaluation
> folks know how we'll do that?
>
>           Mez
>
>
>
>
> *New Use Case for W3C WSC*
> *Dan Schutzer *to: public-wsc-wg
>
> 08/24/2007 07:52 AM
>
>
> Sent by:* public-wsc-wg-request@w3.org*
> Cc:"'Dan Schutzer'"
>
>  ------------------------------
>
>
>
>
> I'd like to submit a new use case, shown below, that several of our
> members would like included. It looks for recommendations on how to educate
> customers who have fallen for a phishing email, and improve the type of
> response customers generally get today when they try to access a phishing
> site that has been taken down. I hope this is not too late for
> consideration.
>
> *Use Case*
>
> Frank regularly reads his email in the morning. This morning he receives
> an email that claims it is from his bank asking him to verify a recent
> transaction by clicking on the link embedded in the email. The link does not
> display the usual URL that he types to get to his bank's website, but it
> does have his bank's name in it. He clicks on the link and is directed to a
> phishing site. The phishing site has been shut down as a known fraudulent
> site, so when Frank clicks on the link he receives the generic Error 404:
> File Not Found page. Frank is not sure what has occurred.
> *Destination site *
>
> prior interaction, known organization
> *Navigation *
>
> none
> *Intended interaction *
>
> verification
> *Actual interaction *
>
> Was a phishing site that has been shut down
> *Note*
> Frank is likely to fall for a similar phishing email. Is there some way to
> educate Frank this time, so that he is less likely to fall for the phishing
> email again?
>

Received on Friday, 24 August 2007 20:13:52 UTC