- From: Ian Fette <ifette@google.com>
- Date: Thu, 10 Jan 2008 11:18:38 -0800
- To: michael.mccormick@wellsfargo.com
- Cc: hahnt@us.ibm.com, public-wsc-wg@w3.org
- Message-ID: <bbeaa26f0801101118g4e372d44t9f39cf5ba234c8aa@mail.gmail.com>
In which case users are going to think this is out of 50, and do the appropriate re-scaling in their head, or they will think that nothing is secure and stop doing e-commerce and we kill the web. That, or they just think that the feature is broken and curse their browser.

On Jan 10, 2008 11:14 AM, <michael.mccormick@wellsfargo.com> wrote:

> If you feel the available variables only give half the security picture, I suppose your UA could define a scoring algorithm that never returns a value higher than 50.
>
> ------------------------------
> *From:* Ian Fette [mailto:ifette@google.com]
> *Sent:* Thursday, January 10, 2008 1:09 PM
> *To:* McCormick, Mike
> *Cc:* hahnt@us.ibm.com; public-wsc-wg@w3.org
> *Subject:* Re: Is the padlock a page security score?
>
> I don't know about useless, but I worry a *lot* about giving a false sense of security. There could be a site using DNSSEC and an EV-cert, that is hosted on some crappy shared server that uses a MySQL 3 database and we would give it a 100. That's disturbing to me because it would be very misleading and provide a very false sense of security.
>
> On Jan 10, 2008 11:04 AM, <michael.mccormick@wellsfargo.com> wrote:
>
> > I agree. I like the weather analogy. There's no perfect security indicator. But the more variables an indicator takes into account the more it approaches the asymptote.
> >
> > I guess the alternative would be to throw up our hands and say all security context indicators are useless.
> >
> > ------------------------------
> > *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] *On Behalf Of* Timothy Hahn
> > *Sent:* Thursday, January 10, 2008 12:54 PM
> > *To:* public-wsc-wg@w3.org
> > *Subject:* RE: Is the padlock a page security score?
> >
> > Hi all,
> >
> > This whole discussion is subjective. What is useful for one person could very well be useless to someone else.
> >
> > An analogy - weather forecasts about the possibility of rain today. Does such a score indicate whether I will get rained on? No. Does it help me decide whether or not to wear a hat or carry an umbrella? Yes. There is no way that people other than meteorologists (and some would argue, even them) will accurately interpret isobars, cloud patterns, and doppler radar to determine whether it will rain. But people can get a feeling for the chances of rain based on a 0-100% estimate.
> >
> > I think the same is true for the notion of a page security score. Does it imply that the user will definitely, without a doubt, not get "taken"? No. Does it give the user something with which to make a choice? Yes. In this light, I still feel that page security scores are good things to consider.
> >
> > Regards,
> > Tim Hahn
> > IBM Distinguished Engineer
> >
> > Internet: hahnt@us.ibm.com
> > Internal: Timothy Hahn/Durham/IBM@IBMUS
> > phone: 919.224.1565 tie-line: 8/687.1565
> > fax: 919.224.2530
> >
> > From: <michael.mccormick@wellsfargo.com>
> > To: <ifette@google.com>, <Anil.Saldhana@redhat.com>
> > Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>, <Mary_Ellen_Zurko@notesdev.ibm.com>
> > Date: 01/10/2008 01:34 PM
> > Subject: RE: Is the padlock a page security score?
> > ------------------------------
> >
> > I would ask the same question about a binary indicator. The padlock does not mean it's safe to enter a credit card.
> >
> > ------------------------------
> > *From:* Ian Fette [mailto:ifette@google.com]
> > *Sent:* Thursday, January 10, 2008 12:26 PM
> > *To:* Anil Saldhana
> > *Cc:* McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org; Mary_Ellen_Zurko@notesdev.ibm.com
> > *Subject:* Re: Is the padlock a page security score?
> >
> > I still don't understand what anything beyond a binary result is supposed to tell a user. I'm on a site with "Medium" security - what does that mean? Does that mean that I should give them my credit card or not?
> >
> > On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
> >
> > Maybe there is an opportunity to associate "High/Medium/Low" or "Strong/Medium/Low" based on page security score with the padlock.
> >
> > michael.mccormick@wellsfargo.com wrote:
> > > Sure, I agree the padlock is a binary representation of a boolean security score formula based on a single security variable (SSL on main page). A degenerate case IMHO - but still technically a page security score.
> > >
> > > A security score algorithm should take into account most (if not all) of the variables we enumerated under "What is a Secure Page?" Perhaps the note should state that explicitly. Then padlocks wouldn't qualify.
> > >
> > > _____
> > >
> > > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Timothy Hahn
> > > Sent: Thursday, January 10, 2008 10:40 AM
> > > To: public-wsc-wg@w3.org
> > > Subject: Re: Is the padlock a page security score?
> > >
> > > Mez,
> > >
> > > I'll toss in my view that the padlock is an example of a page security score. In most user agents, this seems to be pretty much "binary" (on or off) though I think we've heard from some folks that there are some "embellishments" on their display of the icon which would provide more gradations based on information received.
> > >
> > > On the bright side of such a visible item - it is relatively easy to describe and for people to grasp the meaning of.
> > >
> > > On the down side of the padlock - ... well, we've had lots of that discussion on this list already - see the archives.
> > >
> > > Regards,
> > > Tim Hahn
> > > IBM Distinguished Engineer
> > >
> > > Internet: hahnt@us.ibm.com
> > > Internal: Timothy Hahn/Durham/IBM@IBMUS
> > > phone: 919.224.1565 tie-line: 8/687.1565
> > > fax: 919.224.2530
> > >
> > > From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
> > > To: public-wsc-wg@w3.org
> > > Date: 01/10/2008 11:10 AM
> > > Subject: Is the padlock a page security score?
> > >
> > > _____
> > >
> > > If not, why not?
> > >
> > > Mez
> >
> > --
> > Anil Saldhana
> > Project/Technical Lead,
> > JBoss Security & Identity Management
> > JBoss, A division of Red Hat Inc.
> > http://labs.jboss.com/portal/jbosssecurity/
Received on Thursday, 10 January 2008 19:18:55 UTC