- From: Ian Fette <ifette@google.com>
- Date: Wed, 9 Jan 2008 09:10:33 -0800
- To: "Doyle, Bill" <wdoyle@mitre.org>
- Cc: "Serge Egelman" <egelman@cs.cmu.edu>, "Web Security Context Working Group WG" <public-wsc-wg@w3.org>

Secure UI is consistent in IE and FF - there's a lock that's in the same place every time you go to your secure site. And yet a lot of people don't look at it. So I'm not sure that consistent implies "users pay attention".

On Jan 9, 2008 8:07 AM, Doyle, Bill <wdoyle@mitre.org> wrote:

> To me the difference is that is consistently displayed in the secure UI
> area. If Secure UI is consistent users will begin to look at the secure
> UI area not content area.
>
> Some users will always click on anything others learn. Any info on the
> percentage of trainable users?
>
> If the behavior studies are based on a chaotic UI or current user agent
> UI, we know it is difficult for users to make decent IA decisions.
>
> Bill Doyle
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org
> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Serge Egelman
> Sent: Saturday, January 05, 2008 8:52 PM
> To: Ian Fette
> Cc: Web Security Context Working Group WG
> Subject: Re: ISSUE-161: Be clearer about security indicator images
> [wsc-xit]
>
> ...and once again, we find ourselves in agreement.
>
> So again, we're now agreeing that this does nothing. So why recommend
> it?
>
> serge
>
> > That's where we're currently at anyways. According to 3rd party research
> > (i.e. I'm not talking about any Google data here), sites with the TRUSTe
> > seal of approval are 2x as likely to be spammy / have spyware or malware
> > than sites without the seal.
> > (http://www.theregister.co.uk/2006/09/26/truste_privacy_seal_row/ -
> > granted, it's the register, but links to the original study). And that's
> > only looking at sites that can legitimately use the seal of approval...
> > that's saying nothing about the sites that just rip off the image and
> > shove it on there. I'm guessing you can figure out for yourself whether
> > those sites are likely to be "behaving sites" or "malicious sites".
> >
> > Not that I think that "banning" the lock in content area is going to make
> > a difference - sites will do it anyways, I can't honestly imagine Bank of
> > America or US Bank or Wells Fargo really agreeing to take the plunge and
> > remove it - but I just wanted to point out that we're already in that
> > murky situation.
> >
> > On Jan 5, 2008 2:46 AM, Serge Egelman <egelman@cs.cmu.edu> wrote:
> >
> >>> ISSUE-161: Be clearer about security indicator images [wsc-xit]
> >>>
> >>> http://www.w3.org/2006/WSC/track/issues/
> >>>
> >>> Raised by: Mary Ellen Zurko
> >>> On product: wsc-xit
> >>>
> >>> 9.1
> >>>
> >>> "trust indicating images" is way too general. Sites want to look
> >>> trustworthy. If only behaving sites don't look trustworthy, only
> >>> malicious sites will. My proposal:
> >>>
> >>> Web pages MUST NOT include images used by widely deployed web user agents
> >>> to represent specific security context states or values. For example,
> >>> padlocks in the web content.
> >>
> >> But then aren't we still in the same place where "only behaving sites
> >> don't look trustworthy, only malicious sites will." This would mean
> >> that only malicious sites will show padlocks in the content.
> >>
> >> serge

Received on Wednesday, 9 January 2008 17:10:50 UTC