Re: Page Security Score proposal

On 2007-06-18 17:43:52 -0500, michael.mccormick@wellsfargo.com wrote:

> Your point about brittleness is well taken.  I agree the scoring
> formula will have to adapt occasionally to changing technologies
> as new security indicators become available, etc.

More importantly, I also the score factor in certain attack vectors.
For instance, you essentially take hosts.txt as an indicator for an
attack.  That might be true on an average Windows system; on my
system, it might actually mean that I found some associations so
important that I don't want hotspots or hotel networks to tamper
with them.

In a way, this very much looks like the kinds of tables that are
configured into spam filters.  And while it's a neat idea from the
usability perspective (similar to a spam filter, there are only two
or three possible courses of action, so somebody MUST actually
compress all that information down), there are some challenges as
well:

- How do we make sure that an interaction with, say, a legit EV
  certificate-secured banking site always gets the full score --
  despite hosts.txt maybe being involved, for example?

- How does attacker behavior change?  E.g., an attacker can get 15
  score points for free by just faking a root certificate for
  TLS....  That suggests that, in some near future after deploying
  your formula, it might actually be more useful to score an unknown
  root CA with a -20.  (And this demonstrates a generic issue.)

Of course, we could also punt all this, and just define how a
browser should display such a score when obtained from a service
somewhere -- thereby also accommodating Tim Hahn's remark about using
social networks to compare scores and scoring rules.

In that case, I'd actually love to see the requisite browser plugins
and web services set up.  Could be an interesting extension to the
current anti-phishing services.

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Friday, 6 July 2007 16:42:27 UTC