Re: Is the padlock a page security score? from Ian Fette on 2008-01-10 (public-wsc-wg@w3.org from January 2008)

From: Ian Fette <ifette@google.com>
Date: Thu, 10 Jan 2008 11:13:03 -0800
To: "Serge Egelman" <egelman@cs.cmu.edu>
Cc: michael.mccormick@wellsfargo.com, Anil.Saldhana@redhat.com, hahnt@us.ibm.com, public-wsc-wg@w3.org, Mary_Ellen_Zurko@notesdev.ibm.com
Message-ID: <bbeaa26f0801101113t6d2b9bccvb2377dc309f01bf5@mail.gmail.com>
While I agree with much of what Serge says, I'm not quite sure about the
last bit. Serge says that if we can't find a good way to present the
information, we've just wasted N weeks of time in trying to figure out how
to come up with the information to present. While that's true, it's also
true that if we can't find a good way to come up with the information to
present, we've just wasted M weeks in coming up with presentation and doing
user testing. Garbage in garbage out.

I think there are problems with both sides ( trying to figure out what to
present, and trying to figure out how to present it). I think you could
start with either one, as both need to be fixed before we could seriously
suggest this as part of the spec, but I don't think you can make a great
argument as to which should be tackled first, because both need to be
tackled and it's not clear to me that one side is easier/quicker to tackle
than the other.

-Ian

On Jan 10, 2008 11:07 AM, Serge Egelman <egelman@cs.cmu.edu> wrote:

> No, the more variables it takes into account, the more likely it's going
> to be in a "medium" or "unknown" state for most of the sites that users
> regularly visit.  Thus, the users get habituated and ignore the
> indicator altogether (assuming they ever took notice of it and then
> trusted it to begin with).
>
> Using the padlock as an example really isn't the best place to begin
> arguing in favor of this.  The padlock is an utter failure.  Most users
> (i.e. >90%) simply do not notice it.  Of those who do, many do not have
> any clue as to what it means.  Additionally, when confronted with a
> missing or broken padlock, and a page which looks really well designed,
> the users are going to trust the website over the padlock (see BJ Fogg's
> work).
>
> Instead, we should be using these variables to determine when to warn
> the user, since that's been observed to be far more effective in practice.
>
> With this being said (the fact that I think this is a terrible, terrible
> idea), this could be slightly more helpful by focusing attention on the
> presentation.  Before discussing implementation, there should be a
> concrete design for how it is to be presented to the user.  This design
> can then be tested, and only after we see that it's effective should we
> start deciding how to implement it.  The corollary to that is, if we
> spend weeks and weeks figuring out the implementation details only to
> find that there's no way of effectively presenting the information to
> the user, we've just wasted twice as much time.
>
> serge
>
> michael.mccormick@wellsfargo.com wrote:
> > I agree. But the more variables the security indicator takes into
> > account, the more helpful it becomes for users making trust decisions.
> >
> > ------------------------------------------------------------------------
> > *From:* Ian Fette [mailto:ifette@google.com]
> > *Sent:* Thursday, January 10, 2008 12:37 PM
> > *To:* McCormick, Mike
> > *Cc:* Anil.Saldhana@redhat.com; hahnt@us.ibm.com; public-wsc-wg@w3.org;
> > Mary_Ellen_Zurko@notesdev.ibm.com
> > *Subject:* Re: Is the padlock a page security score?
> >
> > No, but quite frankly neither does any of the information we've talked
> > about in the page security scoring. The reality is that you have no idea
> > if when you post the form it just sends stuff off to orders@somesite.com
> > <mailto:orders@somesite.com> via email, if it's stored in a MySQL
> > database with the default root password, if it's a shared server where
> > root is not locked down - all of this worries me much more than whether
> > it's EV-SSL, using DNSSEC, etc. The reality is that Visa and MasterCard
> > have guidelines for how merchants should handle customer data, and
> > that's about the only thing that I would really care about as a
> > customer. However, I have no way of verifying that said guidelines are
> > being followed, but I have very little risk anyways because I can just
> > call US Bank and tell them that someone is making fraudulent charges
> > against my Northwest WorldPerks Visa Signature card and they're going to
> > take care of me.
> >
> > So, I guess my point is that I really don't understand the end goal
> > here. I thought we wanted to get to the point where someone could
> > determine whether or not it was safe to make an e-commerce transaction
> > at a site, but frankly I don't really know that I find the information
> > we have to be sufficient to actually answer that in a satisfactory
> manner.
> >
> > -Ian
> >
> > On Jan 10, 2008 10:31 AM, <michael.mccormick@wellsfargo.com
> > <mailto:michael.mccormick@wellsfargo.com>> wrote:
> >
> >     I would ask the same question about a binary indicator.  The padlock
> >     does not mean it's safe to enter a credit card.
> >
> >
> ------------------------------------------------------------------------
> >     *From:* Ian Fette [mailto:ifette@google.com <mailto:
> ifette@google.com>]
> >     *Sent:* Thursday, January 10, 2008 12:26 PM
> >     *To:* Anil Saldhana
> >     *Cc:* McCormick, Mike; hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>;
> >     public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>;
> >     Mary_Ellen_Zurko@notesdev.ibm.com
> >     <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>
> >
> >     *Subject:* Re: Is the padlock a page security score?
> >
> >     I still don't understand what anything beyond a binary result is
> >     supposed to tell a user. I'm on a site with "Medium" security - what
> >     does that mean? Does that mean that I should give them my credit
> >     card or not?
> >
> >     On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com
> >     <mailto:Anil.Saldhana@redhat.com>> wrote:
> >
> >
> >         Maybe there is an opportunity to associate "High/Medium/Low" or
> >         "Strong/Medium/Low" based on page security score with the
> padlock.
> >
> >         michael.mccormick@wellsfargo.com
> >         <mailto:michael.mccormick@wellsfargo.com> wrote:
> >          > Sure, I agree the padlock is a binary representation of a
> >         boolean security
> >          > score formula based on a single security variable (SSL on
> >         main page).  A
> >          > degenerate case IMHO - but still technically a page security
> >         score.
> >          >
> >          > A security score algorithm should take into account most (if
> >         not all) of the
> >          > variables we enumerated under "What is a Secure Page?"
> >          Perhaps the note
> >          > should state that explicitly.  Then padlocks wouldn't
> qualify.
> >          >
> >          >   _____
> >          >
> >          > From: public-wsc-wg-request@w3.org
> >         <mailto:public-wsc-wg-request@w3.org>
> >         [mailto:public-wsc-wg-request@w3.org
> >         <mailto:public-wsc-wg-request@w3.org>] On
> >          > Behalf Of Timothy Hahn
> >          > Sent: Thursday, January 10, 2008 10:40 AM
> >          > To: public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
> >          > Subject: Re: Is the padlock a page security score?
> >          >
> >          >
> >          >
> >          > Mez,
> >          >
> >          > I'll toss in my view that the padlock is an example of a page
> >         security
> >          > score.  In most user agents, this seems to be pretty much
> >         "binary" (on or
> >          > off) though I think we've heard from some folks that there
> >         are some
> >          > "embellishments" on their display of the icon which would
> >         provide more
> >          > gradations based on information received.
> >          >
> >          > On the bright side of such a visible item - it is relatively
> >         easy to
> >          > describe and for people to grasp the meaning of.
> >          >
> >          > On the down side of the padlock -  ... well, we've had lots
> >         of that
> >          > discussion on this list already - see the archives.
> >          >
> >          > Regards,
> >          > Tim Hahn
> >          > IBM Distinguished Engineer
> >          >
> >          > Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
> >          > Internal: Timothy Hahn/Durham/IBM@IBMUS
> >          > phone: 919.224.1565     tie-line: 8/687.1565
> >          > fax: 919.224.2530
> >          >
> >          >
> >          >
> >          >
> >          > From:         "Mary Ellen Zurko"
> >         <Mary_Ellen_Zurko@notesdev.ibm.com
> >         <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>>
> >          >
> >          > To:   public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
> >          >
> >          > Date:         01/10/2008 11:10 AM
> >          >
> >          > Subject:      Is the padlock a page security score?
> >          >
> >          >   _____
> >          >
> >          >
> >          >
> >          >
> >          >
> >          > If not, why not?
> >          >
> >          >          Mez
> >          >
> >          >
> >          >
> >          >
> >          >
> >
> >         --
> >         Anil Saldhana
> >         Project/Technical Lead,
> >         JBoss Security & Identity Management
> >         JBoss, A division of Red Hat Inc.
> >         http://labs.jboss.com/portal/jbosssecurity/
> >
> >
> >
>
> --
> /*
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly
> Carnegie Mellon University
>
> Legislative Concerns Chair
> National Association of Graduate-Professional Students
> */
>
Received on Thursday, 10 January 2008 19:13:27 UTC