Re: ISSUE-142: Page Security Score does not yet have enough content behind it [wsc-xit]

Hi all,

I believe that there have been a number of requests on this list for a 
lo-fi prototype of something that would calculate a "page security score".

Speaking only as myself here, I'll offer the following as something to at 
least get a discussion started.

int PageScore( HTTPResponse ) {
        Sum = 0;

        if ( MIMEType == "text/html" ) { Sum += 5; }
        if ( !dynamicContentFound ) { Sum += 10; }
        if ( SSLprotectedCommunicationsUsed ) { Sum += 10; }
        if ( SSLServerCertificateIsValid ) { Sum += 10; }
        if ( SSLCipherSuite uses AES or TDES crypto ) { Sum += 10; }
        if ( SSLCipherSuite uses SHA1 hashing ) { Sum += 10; }
        if ( SSLServerCertificateIsNotRevoked ) { Sum += 10; }
        if ( !loadedViaRedirect ) { Sum += 5; }
        if ( HTTPAuthHandshakeUsed ) { Sum += 5; }
        if ( !cookiePresent ) { Sum += 5; }
        if ( serverIPAddress == SSLCertificateDNSnameLookup ) { Sum += 10; }
        if ( responseFromLocalhost ) { Sum += 10; }
        if ( responseFromIntranet ) { Sum += 5; }
        if ( DNSSEC used for hostname<->IPAddress lookups ) { Sum += 10; }
        if ( !passwordSubmissionFieldsPresent ) { Sum += 5; }
        if ( returnedPageIsInHistory ) { Sum += 10; }
        if ( returnedPageIsInBookmarks ) { Sum += 15; }
        if ( URLRequestedWasTypedIn ) { Sum += 5; }
        if ( URLRequestedWasClickedFromPreviousPage ) { Sum += (PreviousPageScore*10)/100; }
        if ( URLRequestedCameFromReputationService ) { Sum += 15; }

        Score = (Sum*100)/175;

        return( Score );
}

The way I came up with this was to go through Section 7 of wsc-usecases 
and picked out various data points.  Then I made a personal opinionated 
valuation of that piece of information and assigned a value for it.  Take 
the sum, divide by the max and multiply by 100 and you get a Score that 
ranges between 0 and 100.  I suspect that there is NO page that would 
score 100 from the above calculation, but I don't think that matters much.

I'm sure that everyone could argue about my opinions on the valuations (5, 
10, 15 points, etc.) as well as the items I included (or not).

But at least this gives us something to consider in how such a score might 
be calculated (and then how a user agent chooses to reflect the score; the 
range 0-100 is up for discussion too. It could be a meter, a gauge, a 
rainbow scale, something audible, or something else altogether).

Let the discussion begin!

Regards,
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530

Received on Wednesday, 2 January 2008 17:24:39 UTC
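The scoring sketch in the message above, carried through as runnable Python. This is an added example, not code from the original post or from the WSC working group. The post lists conditions but no data model, so the PageObservations field names, the best_case() builder, and the HTTPS_LOGIN sample record are all assumptions constructed for this example; in best_case() a typed-in URL and a clicked-from-previous-page URL are treated as mutually exclusive, which the sketch itself does not enforce. The example keeps the post's weights and integer arithmetic, derives the divisor 175 from the weight table instead of hard-coding it, handles the recursive PreviousPageScore term by scoring the referring page first, and exposes which rules fired so a user agent has something to show alongside the number.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class PageObservations:
    """Inputs PageScore() reads. Names are this example's assumption; every
    default is the pessimistic value, so an empty record scores 0."""
    mime_type: str = ""
    dynamic_content_found: bool = True
    ssl_used: bool = False
    ssl_cert_valid: bool = False
    ssl_cipher_aes_or_tdes: bool = False
    ssl_cipher_sha1: bool = False
    ssl_cert_not_revoked: bool = False
    loaded_via_redirect: bool = True
    http_auth_handshake_used: bool = False
    cookie_present: bool = True
    server_ip_matches_cert_dns: bool = False
    response_from_localhost: bool = False
    response_from_intranet: bool = False
    dnssec_used: bool = False
    password_fields_present: bool = True
    in_history: bool = False
    in_bookmarks: bool = False
    url_typed_in: bool = False
    url_clicked_from_previous: bool = False
    from_reputation_service: bool = False
    previous_page: Optional["PageObservations"] = None  # referrer, if clicked


# (label, predicate, weight) for every fixed-weight rule, in the post's order.
RULES: List[Tuple[str, Callable[[PageObservations], bool], int]] = [
    ("text/html", lambda o: o.mime_type == "text/html", 5),
    ("no dynamic content", lambda o: not o.dynamic_content_found, 10),
    ("SSL used", lambda o: o.ssl_used, 10),
    ("SSL cert valid", lambda o: o.ssl_cert_valid, 10),
    ("AES/TDES cipher", lambda o: o.ssl_cipher_aes_or_tdes, 10),
    ("SHA1 hashing", lambda o: o.ssl_cipher_sha1, 10),
    ("SSL cert not revoked", lambda o: o.ssl_cert_not_revoked, 10),
    ("no redirect", lambda o: not o.loaded_via_redirect, 5),
    ("HTTP auth handshake", lambda o: o.http_auth_handshake_used, 5),
    ("no cookie", lambda o: not o.cookie_present, 5),
    ("server IP matches cert DNS name", lambda o: o.server_ip_matches_cert_dns, 10),
    ("localhost", lambda o: o.response_from_localhost, 10),
    ("intranet", lambda o: o.response_from_intranet, 5),
    ("DNSSEC", lambda o: o.dnssec_used, 10),
    ("no password fields", lambda o: not o.password_fields_present, 5),
    ("in history", lambda o: o.in_history, 10),
    ("in bookmarks", lambda o: o.in_bookmarks, 15),
    ("URL typed in", lambda o: o.url_typed_in, 5),
    ("from reputation service", lambda o: o.from_reputation_service, 15),
]
CLICKED_MAX = 10  # clicked-from-previous adds PreviousPageScore*10/100, at most 10
MAX_SUM = sum(w for _, _, w in RULES) + CLICKED_MAX  # 175, the post's divisor


def page_sum(o: PageObservations) -> int:
    total = sum(w for _, pred, w in RULES if pred(o))
    if o.url_clicked_from_previous and o.previous_page is not None:
        # Recursive term: score the referring page (0-100), scale to <= 10 points.
        total += page_score(o.previous_page) * CLICKED_MAX // 100
    return total


def page_score(o: PageObservations) -> int:
    """0-100 score with the post's integer arithmetic (floor division)."""
    return page_sum(o) * 100 // MAX_SUM


def explain(o: PageObservations) -> List[str]:
    """Labels of the fixed rules that fired: what a UA could show next to the score."""
    return [label for label, pred, _ in RULES if pred(o)]


def best_case(previous: Optional[PageObservations] = None) -> PageObservations:
    """All fixed rules satisfied; typed-in vs clicked-from-previous is exclusive
    here (an assumption of this example, not enforced by the post's sketch)."""
    return PageObservations(
        mime_type="text/html", dynamic_content_found=False, ssl_used=True,
        ssl_cert_valid=True, ssl_cipher_aes_or_tdes=True, ssl_cipher_sha1=True,
        ssl_cert_not_revoked=True, loaded_via_redirect=False,
        http_auth_handshake_used=True, cookie_present=False,
        server_ip_matches_cert_dns=True, response_from_localhost=True,
        response_from_intranet=True, dnssec_used=True,
        password_fields_present=False, in_history=True, in_bookmarks=True,
        url_typed_in=previous is None, url_clicked_from_previous=previous is not None,
        from_reputation_service=True, previous_page=previous,
    )


# Constructed sample (not real data): an HTTPS login page reached by typing its URL.
HTTPS_LOGIN = PageObservations(
    mime_type="text/html", ssl_used=True, ssl_cert_valid=True,
    ssl_cipher_aes_or_tdes=True, ssl_cipher_sha1=True, ssl_cert_not_revoked=True,
    loaded_via_redirect=False, server_ip_matches_cert_dns=True,
    in_history=True, url_typed_in=True,
)

if __name__ == "__main__":
    print("max sum:", MAX_SUM)
    print("empty record:", page_score(PageObservations()))
    print("HTTPS login:", page_score(HTTPS_LOGIN), explain(HTTPS_LOGIN))
    print("best case chain:", page_score(best_case()), page_score(best_case(best_case())))
```

Running it shows the arithmetic the post describes: an empty record scores 0, the constructed login page scores 48, and a page satisfying every fixed rule scores 94 when typed in. Reached by click from another such page it scores 96, and further links in the chain stay at 96 because the referrer term is floored to 9 points, so with integer division no page reaches 100, which matches the post's expectation that nothing would score 100.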