- From: <michael.mccormick@wellsfargo.com>
- Date: Tue, 8 Jan 2008 10:08:13 -0600
- To: <ifette@google.com>, <egelman@cs.cmu.edu>, <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: <public-wsc-wg@w3.org>, <goldenbj@wellsfargo.com>
- Message-ID: <9D471E876696BE4DA103E939AE64164DAD17DE@msgswbmnmsp17.wellsfargo.com>
At least the Wells Fargo site is under SSL, so I think our padlock is less confusing than padlocks on http:// sites. Padlocks in content MUST not be displayed on http:// pages, and SHOULD not be displayed on https:// pages. FWIW I agree malicious sites will continue to abuse trust icons in this fashion. But that's OK. If we can get trustworthy sites to stop, then the bad sites will start to stick out like a sore thumb. _____ From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Ian Fette Sent: Saturday, January 05, 2008 12:00 PM To: Serge Egelman Cc: Web Security Context Working Group WG Subject: Re: ISSUE-161: Be clearer about security indicator images [wsc-xit] That's where we're currently at anyways. According to 3rd party research (i.e. I'm not talking about any Google data here), sites with the TRUSTe seal of approval are 2x as likely to be spammy / have spyware or malware than sites without the seal. ( http://www.theregister.co.uk/2006/09/26/truste_privacy_seal_row/ - granted, it's the register, but links to the original study). And that's only looking at sites that can legitimately use the seal of approval... that's saying nothing about the sites that just rip off the image and shove it on there. I'm guessing you can figure out for yourself whether those sites are likely to be "behaving sites" or "malicious sites". Not that I think that "banning" the lock in content area is going to make a difference - sites will do it anyways, I can't honestly imagine Bank of America or US Bank or Wells Fargo really agreeing to take the plunge and remove it - but I just wanted to point out that we're already in that murky situation. On Jan 5, 2008 2:46 AM, Serge Egelman <egelman@cs.cmu.edu> wrote: > > ISSUE-161: Be clearer about security indicator images [wsc-xit] > > http://www.w3.org/2006/WSC/track/issues/ > > Raised by: Mary Ellen Zurko On product: wsc-xit > > 9.1 > > "trust indicating images" is way too general. Sites want to look > trustworthy. If only behaving sites don't look trustworthy, only > malicious sites will. My proposal: > > Web pages MUST NOT include images used by widely deployed web user agents > to represent specific security context states or values. For example, > padlocks in the web content. > But then aren't we still in the same place where "only behaving sites don't look trustworthy, only malicious sites will." This would mean that only malicious sites will show padlocks in the content. serge
Received on Tuesday, 8 January 2008 16:09:13 UTC