- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Wed, 9 Jan 2008 11:07:08 -0500
- To: "Serge Egelman" <egelman@cs.cmu.edu>, "Ian Fette" <ifette@google.com>
- Cc: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
To me the difference is that is consistently displayed in the secure UI area. If Secure UI is consistent users will begin to look at the secure UI area not content area. Some users will always click on anything others learn. Any info on the percentage of trainable users? If the behavior studies are based on a chaotic UI or current user agent UI, we know it is difficult for users to make decent IA decisions. Bill Doyle -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Serge Egelman Sent: Saturday, January 05, 2008 8:52 PM To: Ian Fette Cc: Web Security Context Working Group WG Subject: Re: ISSUE-161: Be clearer about security indicator images [wsc-xit] ...and once again, we find ourselves in agreement. So again, we're now agreeing that this does nothing. So why recommend it? serge > That's where we're currently at anyways. According to 3rd party research > ( i.e. I'm not talking about any Google data here), sites with the TRUSTe > seal of approval are 2x as likely to be spammy / have spyware or malware > than sites without the seal. ( > http://www.theregister.co.uk/2006/09/26/truste_privacy_seal_row/ - > granted, it's the register, but links to the original study). And that's > only looking at sites that can legitimately use the seal of approval... > that's saying nothing about the sites that just rip off the image and > shove it on there. I'm guessing you can figure out for yourself whether > those sites are likely to be "behaving sites" or "malicious sites". > > Not that I think that "banning" the lock in content area is going to make > a difference - sites will do it anyways, I can't honestly imagine Bank of > America or US Bank or Wells Fargo really agreeing to take the plunge and > remove it - but I just wanted to point out that we're already in that > murky situation. > > On Jan 5, 2008 2:46 AM, Serge Egelman <egelman@cs.cmu.edu> wrote: > >> >>> >>> ISSUE-161: Be clearer about security indicator images [wsc-xit] >>> >>> http://www.w3.org/2006/WSC/track/issues/ >>> >>> Raised by: Mary Ellen Zurko On product: wsc-xit >>> >>> 9.1 >>> >>> "trust indicating images" is way too general. Sites want to look >>> trustworthy. If only behaving sites don't look trustworthy, only >>> malicious sites will. My proposal: >>> >>> Web pages MUST NOT include images used by widely deployed web user >> agents >>> to represent specific security context states or values. For example, >>> padlocks in the web content. >>> >> >> But then aren't we still in the same place where "only behaving sites >> don't look trustworthy, only malicious sites will." This would mean >> that only malicious sites will show padlocks in the content. >> >> >> serge >> >> >> >
Received on Wednesday, 9 January 2008 16:07:19 UTC