- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Thu, 10 Jan 2008 15:44:15 -0500
- To: William Eburn <weburn@hisoftware.com>
- CC: Anil Saldhana <Anil.Saldhana@redhat.com>, michael.mccormick@wellsfargo.com, ifette@google.com, hahnt@us.ibm.com, public-wsc-wg@w3.org
Sure, I think we're in agreement here. I guess what I meant is, even though I think this security score thing is a terrible idea, this is the only way I can see it being remotely useful. I think the real solution is to just use the information in the background to determine when to warn.

serge

William Eburn wrote:
> Serge,
>
> I agree with you. In general, every study has shown that people do associate the padlock with security to some level, whether it be 10% or 100%:
>
> a. Do we really believe the new indicator would be any better?
> b. Does it justify disorienting the 10% which in fact could be millions of users?
>
> Just my two cents, both can live together for some time. And we all know that laboratory settings don't necessarily match the real world.
>
> Thanks,
> Bill
>
>
> -----Original Message-----
> From: Serge Egelman [mailto:egelman@cs.cmu.edu]
> Sent: Thursday, January 10, 2008 3:25 PM
> To: William Eburn
> Cc: Anil Saldhana; michael.mccormick@wellsfargo.com; ifette@google.com; hahnt@us.ibm.com; public-wsc-wg@w3.org
> Subject: Re: Is the padlock a page security score?
>
> Yes, this shouldn't be the gauge for any decision, since all the studies which have been performed have shown the opposite. Even when explicitly told to look for security information in laboratory settings, 25% usually don't.
>
> serge
>
> William Eburn wrote:
>> Hello all,
>>
>> As related to the padlock, everyone I know (which shouldn't be the gauge for any decision) knows what the padlock means. This is probably (and this is a guess) due to the number of years that it's been out there. So, with this in mind I just walked around my company and I asked if everyone knew what the big show was in Vegas this week. One person knew. I used this example because CES is being advertised worldwide in every venue. So everyone isn't aware of it when it is happening. To get rid of the padlock in its entirety, you would run for a period of time where people didn't know there was a change. You would also be wasting lots of years of education. So I would vote that we keep the padlock, there is nothing wrong with augmenting it (as long as it's not some security score).
>>
>> Bill
>>
>>
>> -----Original Message-----
>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Serge Egelman
>> Sent: Thursday, January 10, 2008 2:55 PM
>> To: Anil Saldhana
>> Cc: michael.mccormick@wellsfargo.com; ifette@google.com; hahnt@us.ibm.com; public-wsc-wg@w3.org
>> Subject: Re: Is the padlock a page security score?
>>
>> No, what I'm saying is that any passive indicator for this purpose will have the same fate as the SSL padlock: 99% of users will not notice it, distrust it, or misunderstand it. That 1% who does look for it will generally be savvy users who are in a lower risk group to begin with.
>>
>> This isn't necessarily a bad thing, my point is that this indicator is not something for the masses.
>>
>> I would opt for recommending this icon to replace the SSL indicator. It'll be useful for the savvy users. And when it hits a certain risk threshold, use that data to throw up a full-screen warning, which will be useful to the other 99%. Of course, these warnings should only appear when there really is certain danger, otherwise users get habituated and begin ignoring them in the future.
>>
>> serge
>>
>> Anil Saldhana wrote:
>>> Serge, what you say makes perfect sense from a usability perspective (also drawing inspiration from the recent discussion on pop-up dialog boxes between Ian and me) - people will tend to ignore when there are indicators that consistently show their favorite sites to have low scores.
>>> But does that mean that we should not recommend additional indicators?
>>> I do not agree on the throwing up of danger warnings once in a while without an associated (passive) indicator. At least the user will have an opportunity to figure out the danger warning emanated from this indicator that was dormant but has suddenly woken up to throw this warning.
>>>
>>> Serge Egelman wrote:
>>>> In that case the best scenario for a website is that it gets a medium setting? I can tell you right now that's a nonstarter. Based on empirical evidence we know that users will become habituated and stop paying attention to the indicator when it constantly tells them that websites they frequent "might not be trustworthy."
>>>>
>>>> From a practical standpoint, if the scores range from "danger" to "unknown," why show the passive indicator at all? Instead, when it hits "danger," throw up a warning. This is far more effective in practice.
>>>>
>>>> serge
>>>>
>>>> michael.mccormick@wellsfargo.com wrote:
>>>>> If you feel the available variables only give half the security picture, I suppose your UA could define a scoring algorithm that never returns a value higher than 50.
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* Ian Fette [mailto:ifette@google.com]
>>>>> *Sent:* Thursday, January 10, 2008 1:09 PM
>>>>> *To:* McCormick, Mike
>>>>> *Cc:* hahnt@us.ibm.com; public-wsc-wg@w3.org
>>>>> *Subject:* Re: Is the padlock a page security score?
>>>>>
>>>>> I don't know about useless, but I worry a *lot* about giving a false sense of security. There could be a site using DNSSEC and an EV-cert, that is hosted on some crappy shared server that uses a MySQL 3 database and we would give it a 100. That's disturbing to me because it would be very misleading and provide a very false sense of security.
>>>>>
>>>>> On Jan 10, 2008 11:04 AM, <michael.mccormick@wellsfargo.com <mailto:michael.mccormick@wellsfargo.com>> wrote:
>>>>>
>>>>> I agree. I like the weather analogy. There's no perfect security indicator. But the more variables an indicator takes into account the more it approaches the asymptote.
>>>>> I guess the alternative would be to throw up our hands and say all security context indicators are useless.
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* public-wsc-wg-request@w3.org <mailto:public-wsc-wg-request@w3.org> [mailto:public-wsc-wg-request@w3.org <mailto:public-wsc-wg-request@w3.org>] *On Behalf Of* Timothy Hahn
>>>>> *Sent:* Thursday, January 10, 2008 12:54 PM
>>>>> *To:* public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>>>>> *Subject:* RE: Is the padlock a page security score?
>>>>>
>>>>> Hi all,
>>>>>
>>>>> This whole discussion is subjective. What is useful for one person could very well be useless to someone else.
>>>>>
>>>>> An analogy - weather forecasts about the possibility of rain today. Does such a score indicate whether I will get rained on? No. Does it help me decide whether or not to wear a hat or carry an umbrella? Yes. There is no way that people other than meteorologists (and some would argue, even them) will accurately interpret isobars, cloud patterns, and doppler radar to determine whether it will rain. But people can get a feeling for the chances of rain based on a 0-100% estimate.
>>>>>
>>>>> I think the same is true for the notion of a page security score. Does it imply that the user will definitely, without a doubt, not get "taken"? No. Does it give the user something with which to make a choice? Yes. In this light, I still feel that page security scores are good things to consider.
>>>>>
>>>>> Regards,
>>>>> Tim Hahn
>>>>> IBM Distinguished Engineer
>>>>>
>>>>> Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
>>>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>>>> phone: 919.224.1565 tie-line: 8/687.1565
>>>>> fax: 919.224.2530
>>>>>
>>>>>
>>>>> From: <michael.mccormick@wellsfargo.com <mailto:michael.mccormick@wellsfargo.com>>
>>>>> To: <ifette@google.com <mailto:ifette@google.com>>, <Anil.Saldhana@redhat.com <mailto:Anil.Saldhana@redhat.com>>
>>>>> Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>>, <Mary_Ellen_Zurko@notesdev.ibm.com <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>>
>>>>> Date: 01/10/2008 01:34 PM
>>>>> Subject: RE: Is the padlock a page security score?
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> I would ask the same question about a binary indicator. The padlock does not mean it's safe to enter a credit card.
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* Ian Fette [mailto:ifette@google.com]
>>>>> *Sent:* Thursday, January 10, 2008 12:26 PM
>>>>> *To:* Anil Saldhana
>>>>> *Cc:* McCormick, Mike; hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>; public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>; Mary_Ellen_Zurko@notesdev.ibm.com <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>
>>>>> *Subject:* Re: Is the padlock a page security score?
>>>>>
>>>>> I still don't understand what anything beyond a binary result is supposed to tell a user. I'm on a site with "Medium" security - what does that mean? Does that mean that I should give them my credit card or not?
>>>>>
>>>>> On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com <mailto:Anil.Saldhana@redhat.com>> wrote:
>>>>>
>>>>> Maybe there is an opportunity to associate "High/Medium/Low" or "Strong/Medium/Low" based on page security score with the padlock.
>>>>>
>>>>> michael.mccormick@wellsfargo.com <mailto:michael.mccormick@wellsfargo.com> wrote:
>>>>> > Sure, I agree the padlock is a binary representation of a boolean security score formula based on a single security variable (SSL on main page). A degenerate case IMHO - but still technically a page security score.
>>>>> >
>>>>> > A security score algorithm should take into account most (if not all) of the variables we enumerated under "What is a Secure Page?" Perhaps the note should state that explicitly. Then padlocks wouldn't qualify.
>>>>> >
>>>>> > _____
>>>>> >
>>>>> > From: public-wsc-wg-request@w3.org <mailto:public-wsc-wg-request@w3.org> [mailto:public-wsc-wg-request@w3.org <mailto:public-wsc-wg-request@w3.org>] On Behalf Of Timothy Hahn
>>>>> > Sent: Thursday, January 10, 2008 10:40 AM
>>>>> > To: public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>>>>> > Subject: Re: Is the padlock a page security score?
>>>>> >
>>>>> > Mez,
>>>>> >
>>>>> > I'll toss in my view that the padlock is an example of a page security score. In most user agents, this seems to be pretty much "binary" (on or off) though I think we've heard from some folks that there are some "embellishments" on their display of the icon which would provide more gradations based on information received.
>>>>> >
>>>>> > On the bright side of such a visible item - it is relatively easy to describe and for people to grasp the meaning of.
>>>>> >
>>>>> > On the down side of the padlock - ... well, we've had lots of that discussion on this list already - see the archives.
>>>>> >
>>>>> > Regards,
>>>>> > Tim Hahn
>>>>> > IBM Distinguished Engineer
>>>>> >
>>>>> > Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
>>>>> > Internal: Timothy Hahn/Durham/IBM@IBMUS
>>>>> > phone: 919.224.1565 tie-line: 8/687.1565
>>>>> > fax: 919.224.2530
>>>>> >
>>>>> >
>>>>> > From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>>
>>>>> > To: public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>>>>> > Date: 01/10/2008 11:10 AM
>>>>> > Subject: Is the padlock a page security score?
>>>>> >
>>>>> > _____
>>>>> >
>>>>> > If not, why not?
>>>>> >
>>>>> > Mez
>>>>> >
>>>>>
>>>>> --
>>>>> Anil Saldhana
>>>>> Project/Technical Lead,
>>>>> JBoss Security & Identity Management
>>>>> JBoss, A division of Red Hat Inc.
>>>>> http://labs.jboss.com/portal/jbosssecurity/
>>>>>

--
/*
PhD Candidate
Carnegie Mellon University

"Whoever said there's no such thing as a free lunch was never a grad student."

All views contained in this message, either expressed or implied, are the views of my employer, and not my own.
*/
Received on Thursday, 10 January 2008 20:45:16 UTC