RE: New Use Case for W3C WSC

I know that this WG is supposed to be generally focused on Web Security
(experience...) but I find it amusing how the subject of email creeps up
from time to time. It makes sense to me though, as I'm fairly certain
that a large majority of phishing starts with an email. However, only two
of the twenty use cases in our note cite email as the set-up. To me,
several of the other eighteen use cases seem to be edge cases.

Makes me wonder if email 'media' should have a little more coverage in
the note.

 

Audian

________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Dan Schutzer
Sent: Friday, August 24, 2007 4:17 PM
To: 'Ian Fette'
Cc: 'Bob Pinheiro'; public-wsc-wg@w3.org
Subject: RE: New Use Case for W3C WSC

I was able to click on both of them. I'll send you examples when I next
come to them.

________________________________

From: Ian Fette [mailto:ifette@google.com] 
Sent: Friday, August 24, 2007 4:32 PM
To: Dan Schutzer
Cc: Bob Pinheiro; public-wsc-wg@w3.org
Subject: Re: New Use Case for W3C WSC

More out of curiosity than anything else, here are two links that should
be embedded in your email. They are safe to click (it's even valid XHTML
1.0!), one of them is plain HTTP and one is HTTPS (valid SSL
certificate, not EV). 

http version <http://www.ifette.net/dan.html> 

https version <https://www.ifette.net/dan.html> 

I'm curious to know if either presents problems...

(And PHB, if you're reading this and want to give me an EV cert to play
around with... ;-) 

-Ian

On 8/24/07, Dan Schutzer <dan.schutzer@fstc.org> wrote:

Next time I come across a link embedded in my email that I am willing to
click on, I'll give you and the group a more complete description of
what goes on.

________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Ian Fette
Sent: Friday, August 24, 2007 4:13 PM
To: Dan Schutzer
Cc: Bob Pinheiro; public-wsc-wg@w3.org
Subject: Re: New Use Case for W3C WSC

I would be very surprised if this was happening. It sounds much more
like a configuration error to me. Trying to figure out what certificates
will be presented is likely very hard, mainly because following links
can have side-effects and that's bad - you don't want your mail client
"clicking" on links to find out what happens. Your client could
establish a connection to the host for the link (i.e. if the link is
https://www.example.com/dostuff.php?id=123 it could establish an SSL
connection with example.com), but actually requesting dostuff.php?id=123
might have side-effects, so the client should not do this. (This also
means that you don't really know where the user is going to end up,
because dostuff.php?id=123 might generate a redirect to another
server/site/whatever, and so you really don't know the end state at
which the user will arrive.)

Just to verify, I booted up my virtual machine with Outlook 2003 and
IE7. I set IE7 as the default browser. I launched Outlook 2003. I was
able to click links in email that were http:// and https:// (the https
link was definitely not EV) and I never had any issues. 

It would be absolutely crazy for MS to disable clicking on links that
don't terminate at an EV certificate because 1) they have no way of
figuring out where a given link will terminate without actually
following it (which would be bad) and 2) the HUGE majority of links in
emails probably don't go to EV-protected sites, so you would be
basically killing almost all links in email. I really think that you
have a configuration problem... 
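
The pre-check Ian describes, written out as an added example (not code from this thread, and not the behaviour of any mail client discussed in it): a client can parse the link, complete a TLS handshake with the link's host to obtain its certificate, and check that the certificate actually names that host. No HTTP request follows the handshake, so the path's side effects are never triggered; by the same token the client learns nothing about redirects, so the user's final destination stays unknown. `probe_tls` needs network access; `link_endpoint` and `cert_matches_host` run offline on a certificate dictionary shaped like `ssl.SSLSocket.getpeercert()`, and `SAMPLE_CERT` is a constructed value, not a real certificate.

```python
"""Check a link's TLS endpoint without fetching the URL (added example)."""
import socket
import ssl
from urllib.parse import urlsplit


def link_endpoint(url):
    """Return (scheme, host, port) for an http(s) link, or None for anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


def _name_matches(pattern, host):
    """Exact match, or a single leading '*.' wildcard covering exactly one label."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def cert_matches_host(cert, host):
    """True if the certificate (dict shaped like getpeercert()) names this host.

    Uses the subjectAltName DNS entries; falls back to the subject CN only
    when the certificate carries no SAN at all.
    """
    host = host.lower()
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    return any(_name_matches(n, host) for n in names)


def probe_tls(url, timeout=5.0):
    """Handshake with the link's host and return its certificate.

    Nothing is sent after the handshake, so dostuff.php?id=123 is never
    requested and cannot fire its side effects; likewise any redirect it
    would issue stays unknown. Returns None for plain-http links, which
    have no certificate to inspect. Needs network access.
    """
    endpoint = link_endpoint(url)
    if endpoint is None or endpoint[0] != "https":
        return None
    _, host, port = endpoint
    context = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    link = "https://www.example.com/dostuff.php?id=123"
    print(link_endpoint(link))
    print(cert_matches_host(SAMPLE_CERT, "www.example.com"))
```

The wildcard rule is the simplified one-label form: `*.example.com` covers `mail.example.com` but neither `example.com` nor `a.b.example.com`. Whether the host is EV-validated is not something this handshake tells you either; that needs a policy check on the issuer and certificate policies, which the thread does not go into.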

On 8/24/07, Dan Schutzer <dan.schutzer@fstc.org> wrote:

I am using Outlook 2003 with IE7. Maybe you need to link Outlook with
IE7. Also it only warns me and disables certain links and not others. I
believe, unconfirmed, that this disabling of the link within the email
only occurs for links that are not EV certified.

________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Ian Fette
Sent: Friday, August 24, 2007 1:21 PM
To: Dan Schutzer
Cc: Bob Pinheiro; public-wsc-wg@w3.org
Subject: Re: New Use Case for W3C WSC

I don't know what version of Outlook you're using, or how you have it
configured, but I just launched Outlook 2003 and set up a mail account
(painful), clicked on an email, it had a http:// link, I clicked on it,
and up popped Firefox with that page. So I don't really know what you
mean by "an alt control sequence or clicking on a bar" - I just clicked
the link and it worked. Perhaps there's a problem with your
configuration?

(I could install Office 2007 and try it out in the newer version of
Outlook, but I really don't have a great desire to spend my time doing
that.)

On 8/24/07, Dan Schutzer <dan.schutzer@fstc.org> wrote:

I don't know if your assumptions are correct. I use Outlook and today
when I get embedded links in my email, I am unable to open the link
without going through an alt control sequence or clicking on a bar in
the email chrome. So, I am already doing something like what has been
described, and so, I suppose, are most of the current Outlook users.

Dan

________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Ian Fette
Sent: Friday, August 24, 2007 11:56 AM
To: Bob Pinheiro
Cc: public-wsc-wg@w3.org
Subject: Re: New Use Case for W3C WSC

This is going to rapidly take me down a divergent path, but I shall
follow said path anyways.

One of the biggest problems I have with SBM is invocation. You can't
really expect users to invoke SBM before clicking a link in their email,
because when they're reading their email their browser might not even be
open (except for all the wonderful gmail users out there ;-). But
seriously, when you click on a link in Thunderbird or Outlook or Lotus
Notes or whatever it is that you use to read email, that email program
just knows that it's supposed to open that link in a browser
(sometimes... if it has no clue, it might just shellexecute the URL and
let the OS figure out what to do with it). Either way, unless the
default browser is set to "Browser with SBM Mode Turned On", links from
email are going to get loaded in non-SBM mode. 

So, let's now go back to your response. Let's say that the user is
educated enough to understand that SBM should be invoked before visiting
any banking websites. (I personally find this a troublesome assumption,
but let's run with it). Is the user then supposed to start a web
browser, enter SBM mode, and then cut and paste the link from their
email? That's a usability disaster, and I doubt anyone would actually
figure out that those steps were required. Even if a user opens a
browser and starts SBM, clicking on a link in an email program would
very likely just start a new browser window (probably without SBM
enabled... and when a user is in SBM mode, do you really want links from
external programs to be able to clobber the current window?).  In my
mind, we're heading for a usability disaster here. 

Further, in your use case below, you're assuming a strong tie-in between
a user's MUA (email client) and their browser, which is often not the
case. In some cases the two are strongly tied together, but in many
cases when an email client gets a URL and the user clicks on it, it just
throws the URL to the operating system and says "deal with it". And
we're already well down the path of suggesting extensions to MUAs (email
clients) to do machine learning to detect possible bank-like emails, and
I fear this is getting way out of scope of the WG... 

On 8/24/07, Bob Pinheiro <Bob.Pinheiro@fstc.org> wrote:

I think there may be a tie-in here with Safe Browsing Mode.  Suppose the
user is educated enough to understand that SBM should be invoked before
visiting any banking websites.  Then upon seeing the email, the user
should invoke SBM before clicking on the apparent banking link.  If that
is done, then instead of displaying the ERROR 404 message, the user
should see whatever is displayed by SBM when the user attempts to visit
a non-safe website.  

But if it is true that "education does not consistently produce the
results desired", then there may be numerous times when even users who
are aware of SBM do not actually invoke it when they should; that is,
before visiting banking websites.  So a question worth asking might be:
can a user's browser be made "smart" enough to sense that a website that
the user wants to visit might possibly be a banking website?  The user
can easily sense this because the Use Case says that the email claims to
be from the user's bank.    If the user's computer can somehow "read"
the email header, it might display a message saying "I sense that you
are attempting to visit a possible banking website.  However, it is
possible that this is a fraudulent website.  Would you like me to invoke
Safe Browsing Mode to prevent you from visiting a fraudulent site?"  The
user could respond, Yes or No.  

Some sort of artificial intelligence that could read and interpret email
headers might be needed, possibly triggered by certain banking-like
keywords or phrases in an email header.  I don't know if such exists, or
if it does, whether it is "ready for prime time" and would produce
reliable results.  But it might be one possible answer to the dilemma of
needing to educate users to do certain things to protect themselves
online.  
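
Bob's keyword trigger, worked through as an added example (this is not code from the thread, from the WSC note, or from any mail client): the message is parsed with Python's `email` package, the Subject and From headers are scanned for banking-like words, and the hrefs are pulled out of the HTML body so the client has the candidate links in hand when it decides whether to offer Safe Browsing Mode. The keyword list and both sample messages are constructed for illustration; `.test` is a reserved domain, not a real site.

```python
"""Heuristic 'bank-like email' trigger for a mail client (added example)."""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed keyword list; a real deployment would tune this per locale.
BANK_KEYWORDS = ("bank", "account", "verify", "transaction")


class _HrefCollector(HTMLParser):
    """Collects href attributes of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def header_keywords(msg):
    """Banking-like keywords found in the Subject or From header, in list order."""
    text = " ".join(str(msg.get(h, "")) for h in ("Subject", "From")).lower()
    return [k for k in BANK_KEYWORDS if k in text]


def extract_links(msg):
    """All http(s) hrefs from the text/html parts of the message."""
    hrefs = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = _HrefCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        hrefs.extend(h for h in collector.hrefs if urlsplit(h).scheme in ("http", "https"))
    return hrefs


def should_prompt_for_sbm(raw_message):
    """Return (prompt?, evidence): prompt only when headers look bank-like
    and there is at least one link the user could click."""
    msg = message_from_string(raw_message)
    keywords = header_keywords(msg)
    links = extract_links(msg)
    return bool(keywords) and bool(links), {"keywords": keywords, "links": links}


# Constructed sample messages (not real mail).
SAMPLE_BANK_EMAIL = """\
From: "Example Bank" <alerts@example-bank.test>
To: frank@example.test
Subject: Please verify a recent transaction
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer,</p>
<p><a href="http://example-bank.verify-login.test/confirm?id=1">Verify now</a></p>
</body></html>
"""

SAMPLE_PLAIN_EMAIL = """\
From: friend@example.test
To: frank@example.test
Subject: lunch tomorrow?
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_BANK_EMAIL, SAMPLE_PLAIN_EMAIL):
        print(should_prompt_for_sbm(raw))
```

This is the "keywords or phrases in an email header" heuristic exactly as Bob frames it, so it will flag a genuine bank notice and a phishing one alike; that is the point of the prompt, which asks the user rather than deciding for them. It also says nothing about where a link leads, which is the limitation Ian raises in the rest of the thread.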

At 08:25 AM 8/24/2007, Mary Ellen Zurko wrote:

We have two sections in wsc-usecases that touch on education:

http://www.w3.org/TR/wsc-usecases/#learning-by-doing

http://www.w3.org/TR/wsc-usecases/#uniformity

The first says that experience shows that while users learn, education
does not consistently produce the results desired.

The second cites one study that shows that education does not impact
susceptibility to phishing. It's possible that Brustoloni's latest shows
that as well:

http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf is more
hopeful, but shows no transfer to "realistic" behavior, in a study or in
the wild.

I gather from the discussions with the usability evaluation folks that
they believe they can address education.

Personally, I'm not a believer in direct education, mostly because no
one's brought up a single data point where users were directly educated
to do something, and did it, even when they had options that were more
attractive for some reason (e.g. more familiar, easier). All the
promising anti-phishing research makes sure that the secure option is
the most attractive (or at least comparably attractive).

On the other hand, I do believe that in circumscribed organizations, like
the military and large companies, a system of education, reward, and
punishment can be (and is) set up to change user behavior. I would again
refer to http://www.acsa-admin.org/2002/papers/7.pdf as showing an upper
bound on how successful that can be when the option is not the most
attractive (order of 30% of the overall population).

I would be more comfortable with an education use case if we said more
somewhere about how we'll come to terms with it. Do the usability
evaluation folks know how we'll do that?

Mez

New Use Case for W3C WSC
Dan Schutzer to: public-wsc-wg
08/24/2007 07:52 AM
Sent by: public-wsc-wg-request@w3.org
Cc: "'Dan Schutzer'"

________________________________

I'd like to submit a new use case, shown below, that several of our
members would like included. It looks for recommendations on how to
educate customers who have fallen for a phishing email, and improve the
type of response customers generally get today when they try to access a
phishing site that has been taken down. I hope this is not too late for
consideration.

Use Case

Frank regularly reads his email in the morning. This morning he receives
an email that claims it is from his bank asking him to verify a recent
transaction by clicking on the link embedded in the email. The link does
not display the usual URL that he types to get to his bank's website,
but it does have his bank's name in it. He clicks on the link and is
directed to a phishing site. The phishing site has been shut down as a
known fraudulent site, so when Frank clicks on the link he receives the
generic Error 404: File Not Found page. Frank is not sure what has
occurred.

Destination site: prior interaction, known organization
Navigation: none
Intended interaction: verification
Actual interaction: was a phishing site that has been shut down

Note

Frank is likely to fall for a similar phishing email. Is there some way
to educate Frank this time, so that he is less likely to fall for the
phishing email again?

Received on Monday, 27 August 2007 15:29:00 UTC