RE: Is the padlock a page security score?

Remember most users never see the raw score (it's available in a
secondary UI to sysadmins).  Presumably a score of 50 out of 100 would
be rendered as "half" in the primary chrome SCI.  Tough to do with a
binary SCI like a padlock.  Easy to do with a more granular SCI like a
thermometer bar.

  _____  

From: Ian Fette [mailto:ifette@google.com] 
Sent: Thursday, January 10, 2008 1:19 PM
To: McCormick, Mike
Cc: hahnt@us.ibm.com; public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?


In which case users are going to think this is out of 50, and do the
appropriate re-scaling in their head, or they will think that nothing is
secure and stop doing e-commerce and we kill the web. That, or they just
think that the feature is broken and curse their browser. 


On Jan 10, 2008 11:14 AM, <michael.mccormick@wellsfargo.com> wrote:


	If you feel the available variables only give half the security
picture, I suppose your UA could define a scoring algorithm that never
returns a value higher than 50.

  _____  

	
	From: Ian Fette [mailto:ifette@google.com] 
	
	Sent: Thursday, January 10, 2008 1:09 PM
	To: McCormick, Mike
	Cc: hahnt@us.ibm.com; public-wsc-wg@w3.org 

	Subject: Re: Is the padlock a page security score?
	

	I don't know about useless, but I worry a *lot* about giving a
false sense of security. There could be a site using DNSSEC and an
EV-cert, that is hosted on some crappy shared server that uses a MySQL 3
database and we would give it a 100. That's disturbing to me because it
would be very misleading and provide a very false sense of security. 
	
	
	On Jan 10, 2008 11:04 AM, <michael.mccormick@wellsfargo.com>
wrote:
	

		I agree.  I like the weather analogy.  There's no
perfect security indicator.  But the more variables an indicator takes
into account the more it approaches the asymptote.
		 
		I guess the alternative would be to throw up our hands
and say all security context indicators are useless.

  _____  

		
		From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Timothy Hahn
		
		Sent: Thursday, January 10, 2008 12:54 PM 

		To: public-wsc-wg@w3.org
		
		Subject: RE: Is the padlock a page security score?
		


		Hi all, 
		
		This whole discussion is subjective.  What is useful for
one person could very well be useless to someone else. 
		
		An analogy - weather forecasts about the possibility of
rain today.  Does such a score indicate whether I will get rained on?
No.  Does it help me decide whether or not to wear a hat or carry an
umbrella?  Yes.  There is no way that people other than meteorologists
(and some would argue, even them) will accurately interpret isobars,
cloud patterns, and doppler radar to determine whether it will rain.
But people can get a feeling for the chances of rain based on a 0-100%
estimate. 
		
		I think the same is true for the notion of a page
security score.  Does it imply that the user will definitely, without a
doubt, not get "taken"?  No.  Does it give the user something with which
to make a choice?  Yes.  In this light, I still feel that page security
scores are good things to consider. 
		
		Regards, 
		Tim Hahn
		IBM Distinguished Engineer
		
		Internet: hahnt@us.ibm.com
		Internal: Timothy Hahn/Durham/IBM@IBMUS
		phone: 919.224.1565     tie-line: 8/687.1565
		fax: 919.224.2530
		
		
		
		
From: <michael.mccormick@wellsfargo.com>
To: <ifette@google.com>, <Anil.Saldhana@redhat.com>
Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>, <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: 01/10/2008 01:34 PM
Subject: RE: Is the padlock a page security score?

  _____  

		I would ask the same question about a binary indicator.
The padlock does not mean it's safe to enter a credit card. 
		
		
  _____  

		From: Ian Fette [mailto:ifette@google.com]
		Sent: Thursday, January 10, 2008 12:26 PM
		To: Anil Saldhana
		Cc: McCormick, Mike; hahnt@us.ibm.com;
public-wsc-wg@w3.org; Mary_Ellen_Zurko@notesdev.ibm.com
		Subject: Re: Is the padlock a page security score?
		
		I still don't understand what anything beyond a binary
result is supposed to tell a user. I'm on a site with "Medium" security
- what does that mean? Does that mean that I should give them my credit
card or not? 
		
		On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
		
		Maybe there is an opportunity to associate
"High/Medium/Low" or
		"Strong/Medium/Low" based on page security score with
the padlock. 
		
		michael.mccormick@wellsfargo.com wrote:
		> Sure, I agree the padlock is a binary representation
of a boolean security
		> score formula based on a single security variable (SSL
on main page).  A
		> degenerate case IMHO - but still technically a page
security score. 
		>
		> A security score algorithm should take into account
most (if not all) of the
		> variables we enumerated under "What is a Secure Page?"
Perhaps the note
		> should state that explicitly.  Then padlocks wouldn't
qualify. 
		>
		>   _____
		>
		> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
		> Behalf Of Timothy Hahn
		> Sent: Thursday, January 10, 2008 10:40 AM
		> To: public-wsc-wg@w3.org
		> Subject: Re: Is the padlock a page security score?
		>
		>
		>
		> Mez, 
		>
		> I'll toss in my view that the padlock is an example of
a page security
		> score.  In most user agents, this seems to be pretty
much "binary" (on or
		> off) though I think we've heard from some folks that
there are some 
		> "embellishments" on their display of the icon which
would provide more
		> gradations based on information received.
		>
		> On the bright side of such a visible item - it is
relatively easy to 
		> describe and for people to grasp the meaning of.
		>
		> On the down side of the padlock -  ... well, we've had
lots of that
		> discussion on this list already - see the archives.
		>
		> Regards, 
		> Tim Hahn
		> IBM Distinguished Engineer
		>
		> Internet: hahnt@us.ibm.com
		> Internal: Timothy Hahn/Durham/IBM@IBMUS
		> phone: 919.224.1565     tie-line: 8/687.1565 
		> fax: 919.224.2530
		>
		>
		>
		>
		> From:         "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
		>
		> To:   public-wsc-wg@w3.org
		>
		> Date:         01/10/2008 11:10 AM
		>
		> Subject:      Is the padlock a page security score?
		>
		>   _____
		>
		>
		> If not, why not?
		>
		>          Mez
		>
		
		--
		Anil Saldhana
		Project/Technical Lead,
		JBoss Security & Identity Management 
		JBoss, A division of Red Hat Inc.
		http://labs.jboss.com/portal/jbosssecurity/
		

Received on Thursday, 10 January 2008 19:28:56 UTC