RE: Is the padlock a page security score?

Serge,

Thank you for your response, so... I am into SCUBA diving, and have a
dive website.  If the browser said that I was 20% secure vs. the 100%
that I am and can prove, I have no doubt that I would be able to sue the
browser company.  The browser company said I was 20% secure, and because
of that I could get no customers and no advertising revenue.  If I could
go into court and prove that I was secure, I guarantee you that the
company would be liable -- in fact, they would settle out of court.  

If you would like, maybe we should do a split off and assign a team
which I'd be happy to be part of, that would look into the legal
ramifications of providing such a score.  If you remember, Outlook used
to block Blue Mountain greeting cards as spam (unintentionally).  Blue
Mountain of course, sued Microsoft.  The moral is that the Security
Score itself, just seems like a point of contention that we should not
be part of.

Let the browser companies vs. the working group, take the risk.

Thanks,
Bill 

-----Original Message-----
From: Serge Egelman [mailto:egelman@cs.cmu.edu] 
Sent: Thursday, January 10, 2008 2:50 PM
To: William Eburn
Cc: Anil Saldhana; public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?

No, no one would be responsible because it says 90%.  That means there's

a 10% chance of something bad happening.  Guess what?  That 10% was 
realized.

This is exactly why no one is going to say a website is 100% secure, 
because there's no way of knowing.  And if we say that no website is 
100% secure, this is going confuse users and dilute the indicator.

There currently are no indicators out there that guarantee a website is 
100% secure (i.e. indicators issued by someone other than the website 
owner).  That would be an insane business move because of the liability 
attached.

This is also applies to the opposite case: web browser phishing warnings

that block a page are only issued once the website has been verified.  A

company would have to be damn sure of their heuristics if their process 
is entirely automated and without oversight.  A site that is incorrectly

  accused of being a phishing website may sue for defamation or libel.


serge

William Eburn wrote:
> Hello all,
> 
> As you may know, HiSoftware has content and application testing tools
> around privacy, security, accessibility, general content quality,
> corporate branding, and several factors of site quality.
> 
> I am concerned that if we give some de facto score but do not consider
> the content or application, then would I not as a user of the browser
> that gave me the information have the right to sue their corporation
if
> I went to a site, the score said 90% reliable and I entered all my PII
> and the next user saw that it was 90% secure -- knew that the scoring
> system was flawed because it didn't consider the content, or the
> application and in this case used a simple SQL Injection to grab all
the
> PII out of the system (including mine), then opened multiple bank
> accounts, got car loans, and did whatever, causing me great harm.
While
> it's true I was able to cancel the charges as being fraudulent, it
took
> over a year to do so.  Would the company that provided the page score
be
> responsible in a court of law?
> 
> Please note, this would be different depending on which country you
were
> in.
> 
> I think, from our perspective the education of the user to the state
of
> the different security indicators is important but for us to assign
any
> value judgment on them would at best, be foolish.  Immediately we
could
> never assign 100%, because as part of the working group we've already
> said that we aren't examining the content or application being viewed
by
> the user agent.  So it would be my vote to eliminate the idea of a
page
> score entirely.  What I'm suggesting is that we show them the
> information, educate the user as to what it means, but assign no
value.
> 
> This is just my two cents on the page score topic.
> 
> Thanks,
> Bill
> 
> 
> -----Original Message-----
> From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org]
> On Behalf Of Anil Saldhana
> Sent: Thursday, January 10, 2008 2:18 PM
> To: public-wsc-wg@w3.org
> Subject: Re: Is the padlock a page security score?
> 
> 
> Right on the point, Tim.
> 
> We have a tendency to quote personal experiences/behavior to equate it

> to the general behavior of the masses. A security indicator to one
does 
> not mean an indicator to everyone.
> 
> WG has had discussions that the padlock is not sufficient to ensure a 
> secure behavior.  Hence page security score, ev cert bar etc etc. :)
> 
> Timothy Hahn wrote:
>> Hi all,
>>
>> This whole discussion is subjective.  What is useful for one person
> could 
>> very well be useless to someone else.
>>
>> An analogy - weather forecasts about the possibility of rain today.
> Does 
>> such a score indicate whether I will get rained on?  No.  Does it
help
> me 
>> decide whether or not to wear a hat or carry an umbrella?  Yes.
There
> is 
>> no way that people other than meteorologists (and some would argue,
> even 
>> them) will accurately interpret isobars, cloud patterns, and doppler
> radar 
>> to determine whether it will rain.  But people can get a feeling for
> the 
>> chances of rain based on a 0-100% estimate.
>>
>> I think the same is true for the notion of a page security score.
> Does it 
>> imply that the user will definitely, without a doubt, not get
"taken"?
> No. 
>>  Does it give the user something with which to make a choice?  Yes.
> In 
>> this light, I still feel that page security scores are good things to

>> consider.
>>
>> Regards,
>> Tim Hahn
>> IBM Distinguished Engineer
>>
>> Internet: hahnt@us.ibm.com
>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>> phone: 919.224.1565     tie-line: 8/687.1565
>> fax: 919.224.2530
>>
>>
>>
>>
>> From:
>> <michael.mccormick@wellsfargo.com>
>> To:
>> <ifette@google.com>, <Anil.Saldhana@redhat.com>
>> Cc:
>> Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>, 
>> <Mary_Ellen_Zurko@notesdev.ibm.com>
>> Date:
>> 01/10/2008 01:34 PM
>> Subject:
>> RE: Is the padlock a page security score?
>>
>>
>>
>> I would ask the same question about a binary indicator.  The padlock
> does 
>> not mean it's safe to enter a credit card.
>>
>> From: Ian Fette [mailto:ifette@google.com] 
>> Sent: Thursday, January 10, 2008 12:26 PM
>> To: Anil Saldhana
>> Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org; 
>> Mary_Ellen_Zurko@notesdev.ibm.com
>> Subject: Re: Is the padlock a page security score?
>>
>> I still don't understand what anything beyond a binary result is
> supposed 
>> to tell a user. I'm on a site with "Medium" security - what does that

>> mean? Does that mean that I should give them my credit card or not? 
>>
>> On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com>
> wrote:
>> Maybe there is an opportunity to associate "High/Medium/Low" or
>> "Strong/Medium/Low" based on page security score with the padlock.
>>
>> michael.mccormick@wellsfargo.com wrote:
>>> Sure, I agree the padlock is a binary representation of a boolean 
>> security
>>> score formula based on a single security variable (SSL on main
page).
> A
>>> degenerate case IMHO - but still technically a page security score. 
>>>
>>> A security score algorithm should take into account most (if not
all)
> of 
>> the
>>> variables we enumerated under "What is a Secure Page?"  Perhaps the
> note
>>> should state that explicitly.  Then padlocks wouldn't qualify. 
>>>
>>>   _____
>>>
>>> From: public-wsc-wg-request@w3.org
> [mailto:public-wsc-wg-request@w3.org] 
>> On
>>> Behalf Of Timothy Hahn 
>>> Sent: Thursday, January 10, 2008 10:40 AM
>>> To: public-wsc-wg@w3.org
>>> Subject: Re: Is the padlock a page security score?
>>>
>>>
>>>
>>> Mez, 
>>>
>>> I'll toss in my view that the padlock is an example of a page
> security
>>> score.  In most user agents, this seems to be pretty much "binary"
> (on 
>> or
>>> off) though I think we've heard from some folks that there are some 
>>> "embellishments" on their display of the icon which would provide
> more
>>> gradations based on information received.
>>>
>>> On the bright side of such a visible item - it is relatively easy to

>>> describe and for people to grasp the meaning of.
>>>
>>> On the down side of the padlock -  ... well, we've had lots of that
>>> discussion on this list already - see the archives.
>>>
>>> Regards, 
>>> Tim Hahn
>>> IBM Distinguished Engineer
>>>
>>> Internet: hahnt@us.ibm.com
>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>> phone: 919.224.1565     tie-line: 8/687.1565 
>>> fax: 919.224.2530
>>>
>>>
>>>
>>>
>>> From:         "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>>>
>>> To:   public-wsc-wg@w3.org
>>>
>>> Date:         01/10/2008 11:10 AM
>>>
>>> Subject:      Is the padlock a page security score?
>>>
>>>   _____
>>>
>>>
>>>
>>>
>>>
>>> If not, why not?
>>>
>>>          Mez
>>>
>>>
>>>
>>>
>>>
>> --
>> Anil Saldhana
>> Project/Technical Lead,
>> JBoss Security & Identity Management 
>> JBoss, A division of Red Hat Inc.
>> http://labs.jboss.com/portal/jbosssecurity/
>>
>>
>>
>>
> 

-- 
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/



The information in this transmittal (including attachments, if any) is privileged and confidential and is intended only for the recipient(s) listed above.  Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient.  If you have received this transmittal in error, please notify me immediately by reply email and destroy all copies of the transmittal.  Thank you.

Received on Thursday, 10 January 2008 19:58:36 UTC