- From: Anil Saldhana <Anil.Saldhana@redhat.com>
- Date: Thu, 10 Jan 2008 13:39:49 -0600
- To: Serge Egelman <egelman@cs.cmu.edu>
- CC: michael.mccormick@wellsfargo.com, ifette@google.com, hahnt@us.ibm.com, public-wsc-wg@w3.org
Serge, what you say makes perfect sense from a usability perspective (also drawing inspiration from the recent discussion on pop-up dialog boxes between Ian and me): people will tend to ignore indicators that consistently show their favorite sites to have low scores. But does that mean that we should not recommend additional indicators? I do not agree with throwing up danger warnings once in a while without an associated (passive) indicator. At least the user will have an opportunity to figure out that the danger warning emanated from this indicator that was dormant but has suddenly woken up to throw this warning.

Serge Egelman wrote:
>
> In that case the best scenario for a website is that it gets a medium setting? I can tell you right now that's a nonstarter. Based on empirical evidence we know that users will become habituated and stop paying attention to the indicator when it constantly tells them that websites they frequent "might not be trustworthy."
>
> From a practical standpoint, if the scores range from "danger" to "unknown," why show the passive indicator at all? Instead, when it hits "danger," throw up a warning. This is far more effective in practice.
>
> serge
>
> michael.mccormick@wellsfargo.com wrote:
>> If you feel the available variables only give half the security picture, I suppose your UA could define a scoring algorithm that never returns a value higher than 50.
>>
>> ------------------------------------------------------------------------
>> *From:* Ian Fette [mailto:ifette@google.com]
>> *Sent:* Thursday, January 10, 2008 1:09 PM
>> *To:* McCormick, Mike
>> *Cc:* hahnt@us.ibm.com; public-wsc-wg@w3.org
>> *Subject:* Re: Is the padlock a page security score?
>>
>> I don't know about useless, but I worry a *lot* about giving a false sense of security. There could be a site using DNSSEC and an EV-cert, that is hosted on some crappy shared server that uses a MySQL 3 database and we would give it a 100. That's disturbing to me because it would be very misleading and provide a very false sense of security.
>>
>> On Jan 10, 2008 11:04 AM, <michael.mccormick@wellsfargo.com> wrote:
>>
>>     I agree. I like the weather analogy. There's no perfect security indicator. But the more variables an indicator takes into account the more it approaches the asymptote.
>>     I guess the alternative would be to throw up our hands and say all security context indicators are useless.
>>
>>     ------------------------------------------------------------------------
>>     *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] *On Behalf Of* Timothy Hahn
>>     *Sent:* Thursday, January 10, 2008 12:54 PM
>>     *To:* public-wsc-wg@w3.org
>>     *Subject:* RE: Is the padlock a page security score?
>>
>>     Hi all,
>>
>>     This whole discussion is subjective. What is useful for one person could very well be useless to someone else.
>>
>>     An analogy: weather forecasts about the possibility of rain today. Does such a score indicate whether I will get rained on? No. Does it help me decide whether or not to wear a hat or carry an umbrella? Yes. There is no way that people other than meteorologists (and some would argue, even them) will accurately interpret isobars, cloud patterns, and Doppler radar to determine whether it will rain. But people can get a feeling for the chances of rain based on a 0-100% estimate.
>>
>>     I think the same is true for the notion of a page security score. Does it imply that the user will definitely, without a doubt, not get "taken"? No. Does it give the user something with which to make a choice? Yes. In this light, I still feel that page security scores are good things to consider.
>>
>>     Regards,
>>     Tim Hahn
>>     IBM Distinguished Engineer
>>
>>     Internet: hahnt@us.ibm.com
>>     Internal: Timothy Hahn/Durham/IBM@IBMUS
>>     phone: 919.224.1565 tie-line: 8/687.1565
>>     fax: 919.224.2530
>>
>>     From: <michael.mccormick@wellsfargo.com>
>>     To: <ifette@google.com>, <Anil.Saldhana@redhat.com>
>>     Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>, <Mary_Ellen_Zurko@notesdev.ibm.com>
>>     Date: 01/10/2008 01:34 PM
>>     Subject: RE: Is the padlock a page security score?
>>
>>     ------------------------------------------------------------------------
>>
>>     I would ask the same question about a binary indicator. The padlock does not mean it's safe to enter a credit card.
>>
>>     ------------------------------------------------------------------------
>>     *From:* Ian Fette [mailto:ifette@google.com]
>>     *Sent:* Thursday, January 10, 2008 12:26 PM
>>     *To:* Anil Saldhana
>>     *Cc:* McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org; Mary_Ellen_Zurko@notesdev.ibm.com
>>     *Subject:* Re: Is the padlock a page security score?
>>
>>     I still don't understand what anything beyond a binary result is supposed to tell a user. I'm on a site with "Medium" security - what does that mean? Does that mean that I should give them my credit card or not?
>>
>>     On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
>>
>>         Maybe there is an opportunity to associate "High/Medium/Low" or "Strong/Medium/Low" based on page security score with the padlock.
>>
>>         michael.mccormick@wellsfargo.com wrote:
>>         > Sure, I agree the padlock is a binary representation of a boolean security score formula based on a single security variable (SSL on main page). A degenerate case IMHO - but still technically a page security score.
>>         >
>>         > A security score algorithm should take into account most (if not all) of the variables we enumerated under "What is a Secure Page?" Perhaps the note should state that explicitly. Then padlocks wouldn't qualify.
>>         >
>>         > _____
>>         >
>>         > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Timothy Hahn
>>         > Sent: Thursday, January 10, 2008 10:40 AM
>>         > To: public-wsc-wg@w3.org
>>         > Subject: Re: Is the padlock a page security score?
>>         >
>>         > Mez,
>>         >
>>         > I'll toss in my view that the padlock is an example of a page security score. In most user agents, this seems to be pretty much "binary" (on or off), though I think we've heard from some folks that there are some "embellishments" on their display of the icon which would provide more gradations based on information received.
>>         >
>>         > On the bright side of such a visible item - it is relatively easy to describe and for people to grasp the meaning of.
>>         >
>>         > On the down side of the padlock - ... well, we've had lots of that discussion on this list already - see the archives.
>>         >
>>         > Regards,
>>         > Tim Hahn
>>         > IBM Distinguished Engineer
>>         >
>>         > Internet: hahnt@us.ibm.com
>>         > Internal: Timothy Hahn/Durham/IBM@IBMUS
>>         > phone: 919.224.1565 tie-line: 8/687.1565
>>         > fax: 919.224.2530
>>         >
>>         > From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>>         > To: public-wsc-wg@w3.org
>>         > Date: 01/10/2008 11:10 AM
>>         > Subject: Is the padlock a page security score?
>>         >
>>         > _____
>>         >
>>         > If not, why not?
>>         >
>>         > Mez
>>
>>         --
>>         Anil Saldhana
>>         Project/Technical Lead,
>>         JBoss Security & Identity Management
>>         JBoss, A division of Red Hat Inc.
>>         http://labs.jboss.com/portal/jbosssecurity/
>

--
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/
Received on Thursday, 10 January 2008 19:41:20 UTC