- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Thu, 10 Jan 2008 14:55:00 -0500
- To: Anil Saldhana <Anil.Saldhana@redhat.com>
- CC: michael.mccormick@wellsfargo.com, ifette@google.com, hahnt@us.ibm.com, public-wsc-wg@w3.org
No, what I'm saying is that any passive indicator for this purpose will have the same fate as the SSL padlock: 99% of users will not notice it, distrust it, or misunderstand it. That 1% who does look for it will generally be savvy users who are in a lower risk group to begin with. This isn't necessarily a bad thing, my point is that this indicator is not something for the masses. I would opt for recommending this icon to replace the SSL indicator. It'll be useful for the savvy users. And when it hits a certain risk threshold, use that data to throw up a full-screen warning, which will be useful to the other 99%. Of course, these warnings should only appear when there really is certain danger, otherwise users get habituated and begin ignoring them in the future. serge Anil Saldhana wrote: > Serge, what you say makes perfect sense from usability perspective(also > drawing inspiration from the recent discussion on pop-up dialog boxes > between Ian and me) - people will tend to ignore when there are > indicators that consistently show their favorite sites to have low scores. > > But does that mean that we should not recommend additional indicators? > > I do not agree on the throwing up of danger warnings once in a while > without an associated (passive) indicator. At least the user will have > an opportunity to figure out the danger warning emanated from this > indicator that was dormant but has suddenly woken up to throw this warning. > > Serge Egelman wrote: >> >> In that case the best scenario for a website is that it gets a medium >> setting? I can tell you right now that's a nonstarter. Based on >> empirical evidence we know that users will become habituated and stop >> paying attention to the indicator when it constantly tells them that >> websites they frequent "might not be trustworthy." >> >> From a practical standpoint, if the scores range from "danger" to >> "unknown," why show the passive indicator at all? Instead, when it >> hits "danger," throw up a warning. This is far more effective in >> practice. >> >> serge >> >> michael.mccormick@wellsfargo.com wrote: >>> If you feel the available variables only give half the security >>> picture, I suppose your UA could define a scoring algorithm that >>> never returns a value higher than 50. >>> >>> ------------------------------------------------------------------------ >>> *From:* Ian Fette [mailto:ifette@google.com] >>> *Sent:* Thursday, January 10, 2008 1:09 PM >>> *To:* McCormick, Mike >>> *Cc:* hahnt@us.ibm.com; public-wsc-wg@w3.org >>> *Subject:* Re: Is the padlock a page security score? >>> >>> I don't know about useless, but I worry a *lot* about giving a false >>> sense of security. There could be a site using DNSSEC and an EV-cert, >>> that is hosted on some crappy shared server that uses a MySQL 3 >>> database and we would give it a 100. That's disturbing to me because >>> it would be very misleading and provide a very false sense of security. >>> >>> On Jan 10, 2008 11:04 AM, <michael.mccormick@wellsfargo.com >>> <mailto:michael.mccormick@wellsfargo.com>> wrote: >>> >>> I agree. I like the weather analogy. There's no perfect security >>> indicator. But the more variables an indicator takes into account >>> the more it approaches the asymptote. >>> I guess the alternative would be to throw up our hands and >>> say all >>> security context indicators are useless. >>> >>> >>> ------------------------------------------------------------------------ >>> *From:* public-wsc-wg-request@w3.org >>> <mailto:public-wsc-wg-request@w3.org> >>> [mailto:public-wsc-wg-request@w3.org >>> <mailto:public-wsc-wg-request@w3.org>] *On Behalf Of *Timothy Hahn >>> *Sent:* Thursday, January 10, 2008 12:54 PM >>> >>> *To:* public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org> >>> *Subject:* RE: Is the padlock a page security score? >>> >>> >>> Hi all, >>> >>> This whole discussion is subjective. What is useful for one person >>> could very well be useless to someone else. >>> >>> An analogy - weather forecasts about the possibility of rain today. >>> Does such a score indicate whether I will get rained on? No. Does >>> it help me decide whether or not to wear a hat or carry an umbrella? >>> Yes. There is no way that people other than meteorologists (and >>> some would argue, even them) will accurately interpret isobars, >>> cloud patterns, and doppler radar to determine whether it will rain. >>> But people can get a feeling for the chances of rain based on a >>> 0-100% estimate. >>> >>> I think the same is true for the notion of a page security score. >>> Does it imply that the user will definitely, without a doubt, not >>> get "taken"? No. Does it give the user something with which to >>> make a choice? Yes. In this light, I still feel that page security >>> scores are good things to consider. >>> >>> Regards, >>> Tim Hahn >>> IBM Distinguished Engineer >>> >>> Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com> >>> Internal: Timothy Hahn/Durham/IBM@IBMUS >>> phone: 919.224.1565 tie-line: 8/687.1565 >>> fax: 919.224.2530 >>> >>> >>> >>> From: <michael.mccormick@wellsfargo.com >>> <mailto:michael.mccormick@wellsfargo.com>> >>> To: <ifette@google.com <mailto:ifette@google.com>>, >>> <Anil.Saldhana@redhat.com <mailto:Anil.Saldhana@redhat.com>> >>> Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org >>> <mailto:public-wsc-wg@w3.org>>, <Mary_Ellen_Zurko@notesdev.ibm.com >>> <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>> >>> Date: 01/10/2008 01:34 PM >>> Subject: RE: Is the padlock a page security score? >>> >>> >>> >>> ------------------------------------------------------------------------ >>> >>> >>> >>> I would ask the same question about a binary indicator. The padlock >>> does not mean it's safe to enter a credit card. >>> >>> >>> ------------------------------------------------------------------------ >>> *From:* Ian Fette [mailto:ifette@google.com] * >>> Sent:* Thursday, January 10, 2008 12:26 PM* >>> To:* Anil Saldhana* >>> Cc:* McCormick, Mike; hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>; >>> public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>; >>> Mary_Ellen_Zurko@notesdev.ibm.com >>> <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>* >>> Subject:* Re: Is the padlock a page security score? >>> >>> I still don't understand what anything beyond a binary result is >>> supposed to tell a user. I'm on a site with "Medium" security - what >>> does that mean? Does that mean that I should give them my credit >>> card or not? >>> >>> On Jan 10, 2008 10:00 AM, Anil Saldhana <_Anil.Saldhana@redhat.com_ >>> <mailto:Anil.Saldhana@redhat.com>> wrote: >>> >>> Maybe there is an opportunity to associate "High/Medium/Low" or >>> "Strong/Medium/Low" based on page security score with the padlock. >>> _ >>> __michael.mccormick@wellsfargo.com_ >>> <mailto:michael.mccormick@wellsfargo.com> wrote: >>> > Sure, I agree the padlock is a binary representation of a boolean >>> security >>> > score formula based on a single security variable (SSL on main >>> page). A >>> > degenerate case IMHO - but still technically a page security >>> score. >>> > >>> > A security score algorithm should take into account most (if not >>> all) of the >>> > variables we enumerated under "What is a Secure Page?" Perhaps >>> the note >>> > should state that explicitly. Then padlocks wouldn't qualify. >>> > >>> > _____ >>> > >>> > From: _public-wsc-wg-request@w3.org_ >>> <mailto:public-wsc-wg-request@w3.org> >>> [mailto:_public-wsc-wg-request@w3.org_ >>> <mailto:public-wsc-wg-request@w3.org>] On >>> > Behalf Of Timothy Hahn >>> > Sent: Thursday, January 10, 2008 10:40 AM >>> > To: _public-wsc-wg@w3.org_ <mailto:public-wsc-wg@w3.org> >>> > Subject: Re: Is the padlock a page security score? >>> > >>> > >>> > >>> > Mez, >>> > >>> > I'll toss in my view that the padlock is an example of a page >>> security >>> > score. In most user agents, this seems to be pretty much >>> "binary" (on or >>> > off) though I think we've heard from some folks that there are >>> some >>> > "embellishments" on their display of the icon which would provide >>> more >>> > gradations based on information received. >>> > >>> > On the bright side of such a visible item - it is relatively >>> easy to >>> > describe and for people to grasp the meaning of. >>> > >>> > On the down side of the padlock - ... well, we've had lots of >>> that >>> > discussion on this list already - see the archives. >>> > >>> > Regards, >>> > Tim Hahn >>> > IBM Distinguished Engineer >>> > >>> > Internet: _hahnt@us.ibm.com_ <mailto:hahnt@us.ibm.com> >>> > Internal: Timothy Hahn/Durham/IBM@IBMUS >>> > phone: 919.224.1565 tie-line: 8/687.1565 >>> > fax: 919.224.2530 >>> > >>> > >>> > >>> > >>> > From: "Mary Ellen Zurko" >>> <_Mary_Ellen_Zurko@notesdev.ibm.com_ >>> <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>> >>> > >>> > To: _public-wsc-wg@w3.org_ <mailto:public-wsc-wg@w3.org> >>> > >>> > Date: 01/10/2008 11:10 AM >>> > >>> > Subject: Is the padlock a page security score? >>> > >>> > _____ >>> > >>> > >>> > >>> > >>> > >>> > If not, why not? >>> > >>> > Mez >>> > >>> > >>> > >>> > >>> > >>> >>> -- >>> Anil Saldhana >>> Project/Technical Lead, >>> JBoss Security & Identity Management >>> JBoss, A division of Red Hat Inc._ >>> __http://labs.jboss.com/portal/jbosssecurity/_ >>> >>> >>> >>> >> > -- /* PhD Candidate Vice President for External Affairs, Graduate Student Assembly Carnegie Mellon University Legislative Concerns Chair National Association of Graduate-Professional Students */
Received on Thursday, 10 January 2008 20:02:23 UTC