- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Sat, 5 Jan 2008 20:52:12 -0500 (EST)
- To: "Ian Fette" <ifette@google.com>
- Cc: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
...and once again, we find ourselves in agreement. So again, we're now
agreeing that this does nothing. So why recommend it?

serge

> That's where we're currently at anyways. According to 3rd party research
> (i.e. I'm not talking about any Google data here), sites with the TRUSTe
> seal of approval are 2x as likely to be spammy / have spyware or malware
> than sites without the seal.
> (http://www.theregister.co.uk/2006/09/26/truste_privacy_seal_row/ -
> granted, it's the register, but links to the original study). And that's
> only looking at sites that can legitimately use the seal of approval...
> that's saying nothing about the sites that just rip off the image and
> shove it on there. I'm guessing you can figure out for yourself whether
> those sites are likely to be "behaving sites" or "malicious sites".
>
> Not that I think that "banning" the lock in content area is going to make
> a difference - sites will do it anyways, I can't honestly imagine Bank of
> America or US Bank or Wells Fargo really agreeing to take the plunge and
> remove it - but I just wanted to point out that we're already in that
> murky situation.
>
> On Jan 5, 2008 2:46 AM, Serge Egelman <egelman@cs.cmu.edu> wrote:
>
>>> ISSUE-161: Be clearer about security indicator images [wsc-xit]
>>>
>>> http://www.w3.org/2006/WSC/track/issues/
>>>
>>> Raised by: Mary Ellen Zurko
>>> On product: wsc-xit
>>>
>>> 9.1
>>>
>>> "trust indicating images" is way too general. Sites want to look
>>> trustworthy. If only behaving sites don't look trustworthy, only
>>> malicious sites will. My proposal:
>>>
>>> Web pages MUST NOT include images used by widely deployed web user agents
>>> to represent specific security context states or values. For example,
>>> padlocks in the web content.
>>
>> But then aren't we still in the same place where "only behaving sites
>> don't look trustworthy, only malicious sites will." This would mean
>> that only malicious sites will show padlocks in the content.
>>
>> serge
Received on Sunday, 6 January 2008 01:52:23 UTC