RE: ISSUE-161: Be clearer about security indicator images [wsc-xit]

To me the difference is that it is consistently displayed in the secure UI
area. If Secure UI is consistent, users will begin to look at the secure
UI area, not the content area.

Some users will always click on anything; others learn. Any info on the
percentage of trainable users?

If the behavior studies are based on a chaotic UI or current user agent
UI, we know it is difficult for users to make decent IA decisions.

Bill Doyle


-----Original Message-----
From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Serge Egelman
Sent: Saturday, January 05, 2008 8:52 PM
To: Ian Fette
Cc: Web Security Context Working Group WG
Subject: Re: ISSUE-161: Be clearer about security indicator images
[wsc-xit]


...and once again, we find ourselves in agreement.

So again, we're now agreeing that this does nothing.  So why recommend
it?


serge

> That's where we're currently at anyways. According to 3rd party research
> (i.e. I'm not talking about any Google data here), sites with the TRUSTe
> seal of approval are 2x as likely to be spammy / have spyware or malware
> than sites without the seal. (
> http://www.theregister.co.uk/2006/09/26/truste_privacy_seal_row/ -
> granted, it's the register, but links to the original study). And that's
> only looking at sites that can legitimately use the seal of approval...
> that's saying nothing about the sites that just rip off the image and
> shove it on there. I'm guessing you can figure out for yourself whether
> those sites are likely to be "behaving sites" or "malicious sites".
>
> Not that I think that "banning" the lock in content area is going to make
> a difference - sites will do it anyways, I can't honestly imagine Bank of
> America or US Bank or Wells Fargo really agreeing to take the plunge and
> remove it - but I just wanted to point out that we're already in that
> murky situation.
> 
> On Jan 5, 2008 2:46 AM, Serge Egelman <egelman@cs.cmu.edu> wrote:
> 
>> 
>>> 
>>> ISSUE-161: Be clearer about security indicator images [wsc-xit]
>>> 
>>> http://www.w3.org/2006/WSC/track/issues/
>>> 
>>> Raised by: Mary Ellen Zurko On product: wsc-xit
>>> 
>>> 9.1
>>> 
>>> "trust indicating images" is way too general. Sites want to look 
>>> trustworthy. If only behaving sites don't look trustworthy, only 
>>> malicious sites will. My proposal:
>>> 
>>> Web pages MUST NOT include images used by widely deployed web user agents
>>> to represent specific security context states or values. For example,
>>> padlocks in the web content.
>>> 
>> 
>> But then aren't we still in the same place where "only behaving sites
>> don't look trustworthy, only malicious sites will."  This would mean
>> that only malicious sites will show padlocks in the content.
>> 
>> 
>> serge
>> 
>> 
>> 
> 

Received on Wednesday, 9 January 2008 16:07:19 UTC