Re: Is the padlock a page security score?

1. Browser real estate is extremely expensive. Worse than Los Gatos, worse
than Palo Alto, worse than Manhattan. If you are going to add something in,
you have to be rock solid sure it's going to work, because taking it out is
even more expensive.

2. See 1. You get no space for a visible disclaimer. I would be surprised if
you got more than 20x20px for some little dial meter. Obviously I can't
speak for FF or IE, but we have no real data that shows this is at all
useful, and so if browser vendors were willing to give up any space at all
(which I doubt at this point), that space would be small. The thought of
giving up additional real-estate for a "large disclaimer" is just not even
registering in my mind. As for disclaimers in secondary UI related to this
security-meter-whatever, at best .0001% of your users are ever going to
click to see this.

On Jan 10, 2008 12:47 PM, William Eburn <weburn@hisoftware.com> wrote:

> Serge,
>
> Yea I'd agree with that as well.  It makes sense to provide and educate
> the user as related to all possible security information that can be
> determined by the user agent.  And Maybe in this information, there
> should be a large disclaimer at the top that states the information
> being presented does not take into account, the security or privacy of
> the content application or servers on which the data is stored.
>
> Thanks,
> Bill
>
> -----Original Message-----
> From: Serge Egelman [mailto:egelman@cs.cmu.edu]
> Sent: Thursday, January 10, 2008 3:44 PM
> To: William Eburn
> Cc: Anil Saldhana; michael.mccormick@wellsfargo.com; ifette@google.com;
> hahnt@us.ibm.com; public-wsc-wg@w3.org
> Subject: Re: Is the padlock a page security score?
>
> Sure, I think we're in agreement here.  I guess what I meant is, even
> though I think this security score thing is a terrible idea, this is the
>
> only way I can see it being remotely useful.  I think the real solution
> is to just use the information in the background to determine when to
> warn.
>
> serge
>
> William Eburn wrote:
> > Serge,
> >
> > I agree with you.  In general, every study has shown that people do
> > associate the padlock with security to some level, whether it be 10%
> or
> > 100%:
> >
> > a.  Do we really believe the new indicator would be any better?
> > b.  Does it justify disorienting the 10% which in fact could be
> millions
> > of users?
> >
> > Just my two cents, both can live together for some time.  And we all
> > know that laboratory settings don't necessarily match the real world.
> >
> > Thanks,
> > Bill
> >
> >
> > -----Original Message-----
> > From: Serge Egelman [mailto:egelman@cs.cmu.edu]
> > Sent: Thursday, January 10, 2008 3:25 PM
> > To: William Eburn
> > Cc: Anil Saldhana; michael.mccormick@wellsfargo.com;
> ifette@google.com;
> > hahnt@us.ibm.com; public-wsc-wg@w3.org
> > Subject: Re: Is the padlock a page security score?
> >
> > Yes, this shouldn't be the gauge for any decision, since all the
> studies
> >
> > which have been performed have shown the opposite.  Even when
> explicitly
> >
> > told to look for security information in laboratory settings, 25%
> > usually don't.
> >
> > serge
> >
> > William Eburn wrote:
> >> Hello all,
> >>
> >> As related to the padlock, everyone I know (which shouldn't be the
> > gauge
> >> for any decision) knows what the padlock means.  This is probably
> (and
> >> this is a guess) due to the number of years that it's been out there.
> >> So, with this in mind I just walked around my company and I asked if
> >> everyone knew what the big show was in Vegas this week.  One person
> >> knew.  I used this example because CES is being advertised worldwide
> > in
> >> every venue.  So everyone isn't aware of it when it is happening.  To
> >> get rid of the padlock in its entirety, you would run for a period of
> >> time where people didn't know there was a change.  You would also be
> >> wasting, lots of years of education.  So I would vote that we keep
> the
> >> padlock, there is nothing wrong with augmenting it (As long as it's
> > not
> >> some security score).
> >>
> >> Bill
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: public-wsc-wg-request@w3.org
> > [mailto:public-wsc-wg-request@w3.org]
> >> On Behalf Of Serge Egelman
> >> Sent: Thursday, January 10, 2008 2:55 PM
> >> To: Anil Saldhana
> >> Cc: michael.mccormick@wellsfargo.com; ifette@google.com;
> >> hahnt@us.ibm.com; public-wsc-wg@w3.org
> >> Subject: Re: Is the padlock a page security score?
> >>
> >>
> >> No, what I'm saying is that any passive indicator for this purpose
> > will
> >> have the same fate as the SSL padlock: 99% of users will not notice
> > it,
> >> distrust it, or misunderstand it.  That 1% who does look for it will
> >> generally be savvy users who are in a lower risk group to begin with.
> >>
> >> This isn't necessarily a bad thing, my point is that this indicator
> is
> >
> >> not something for the masses.
> >>
> >> I would opt for recommending this icon to replace the SSL indicator.
> >> It'll be useful for the savvy users.  And when it hits a certain risk
>
> >> threshold, use that data to throw up a full-screen warning, which
> will
> >
> >> be useful to the other 99%.  Of course, these warnings should only
> >> appear when there really is certain danger, otherwise users get
> >> habituated and begin ignoring them in the future.
> >>
> >>
> >> serge
> >>
> >> Anil Saldhana wrote:
> >>> Serge, what you say makes perfect sense from usability
> >> perspective(also
> >>> drawing inspiration from the recent discussion on pop-up dialog
> boxes
> >
> >>> between Ian and me) - people will tend to ignore when there are
> >>> indicators that consistently show their favorite sites to have low
> >> scores.
> >>> But does that mean that we should not recommend additional
> > indicators?
> >>> I do not agree on the throwing up of danger warnings once in a while
>
> >>> without an associated (passive) indicator. At least the user will
> > have
> >>> an opportunity to figure out the danger warning emanated from this
> >>> indicator that was dormant but has suddenly woken up to throw this
> >> warning.
> >>> Serge Egelman wrote:
> >>>> In that case the best scenario for a website is that it gets a
> > medium
> >>>> setting?  I can tell you right now that's a nonstarter.  Based on
> >>>> empirical evidence we know that users will become habituated and
> > stop
> >>>> paying attention to the indicator when it constantly tells them
> that
> >
> >>>> websites they frequent "might not be trustworthy."
> >>>>
> >>>>  From a practical standpoint, if the scores range from "danger" to
> >>>> "unknown," why show the passive indicator at all?  Instead, when it
>
> >>>> hits "danger," throw up a warning.  This is far more effective in
> >>>> practice.
> >>>>
> >>>> serge
> >>>>
> >>>> michael.mccormick@wellsfargo.com wrote:
> >>>>> If you feel the available variables only give half the security
> >>>>> picture, I suppose your UA could define a scoring algorithm that
> >>>>> never returns a value higher than 50.
> >>>>>
> >>>>>
> >
> ------------------------------------------------------------------------
> >>>>> *From:* Ian Fette [mailto:ifette@google.com]
> >>>>> *Sent:* Thursday, January 10, 2008 1:09 PM
> >>>>> *To:* McCormick, Mike
> >>>>> *Cc:* hahnt@us.ibm.com; public-wsc-wg@w3.org
> >>>>> *Subject:* Re: Is the padlock a page security score?
> >>>>>
> >>>>> I don't know about useless, but I worry a *lot* about giving a
> > false
> >>>>> sense of security. There could be a site using DNSSEC and an
> >> EV-cert,
> >>>>> that is hosted on some crappy shared server that uses a MySQL 3
> >>>>> database and we would give it a 100. That's disturbing to me
> > because
> >>>>> it would be very misleading and provide a very false sense of
> >> security.
> >>>>> On Jan 10, 2008 11:04 AM, <michael.mccormick@wellsfargo.com
> >>>>> <mailto:michael.mccormick@wellsfargo.com>> wrote:
> >>>>>
> >>>>>     I agree.  I like the weather analogy.  There's no perfect
> >> security
> >>>>>     indicator.  But the more variables an indicator takes into
> >> account
> >>>>>     the more it approaches the asymptote.
> >>>>>          I guess the alternative would be to throw up our hands
> and
> >
> >>>>> say all
> >>>>>     security context indicators are useless.
> >>>>>
> >>>>>
> >>>>>
> >
> ------------------------------------------------------------------------
> >>>>>     *From:* public-wsc-wg-request@w3.org
> >>>>>     <mailto:public-wsc-wg-request@w3.org>
> >>>>>     [mailto:public-wsc-wg-request@w3.org
> >>>>>     <mailto:public-wsc-wg-request@w3.org>] *On Behalf Of *Timothy
> >> Hahn
> >>>>>     *Sent:* Thursday, January 10, 2008 12:54 PM
> >>>>>
> >>>>>     *To:* public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
> >>>>>     *Subject:* RE: Is the padlock a page security score?
> >>>>>
> >>>>>
> >>>>>     Hi all,
> >>>>>
> >>>>>     This whole discussion is subjective.  What is useful for one
> >> person
> >>>>>     could very well be useless to someone else.
> >>>>>
> >>>>>     An analogy - weather forecasts about the possibility of rain
> >> today.
> >>>>>      Does such a score indicate whether I will get rained on?  No.
> >> Does
> >>>>>     it help me decide whether or not to wear a hat or carry an
> >> umbrella?
> >>>>>      Yes.  There is no way that people other than meteorologists
> >> (and
> >>>>>     some would argue, even them) will accurately interpret
> isobars,
> >>>>>     cloud patterns, and doppler radar to determine whether it will
> >> rain.
> >>>>>      But people can get a feeling for the chances of rain based on
> > a
> >>>>>     0-100% estimate.
> >>>>>
> >>>>>     I think the same is true for the notion of a page security
> >> score.
> >>>>>      Does it imply that the user will definitely, without a doubt,
> >> not
> >>>>>     get "taken"?  No.  Does it give the user something with which
> > to
> >>>>>     make a choice?  Yes.  In this light, I still feel that page
> >> security
> >>>>>     scores are good things to consider.
> >>>>>
> >>>>>     Regards,
> >>>>>     Tim Hahn
> >>>>>     IBM Distinguished Engineer
> >>>>>
> >>>>>     Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
> >>>>>     Internal: Timothy Hahn/Durham/IBM@IBMUS
> >>>>>     phone: 919.224.1565     tie-line: 8/687.1565
> >>>>>     fax: 919.224.2530
> >>>>>
> >>>>>
> >>>>>
> >>>>>     From:     <michael.mccormick@wellsfargo.com
> >>>>>     <mailto:michael.mccormick@wellsfargo.com>>
> >>>>>     To:     <ifette@google.com <mailto:ifette@google.com>>,
> >>>>>     <Anil.Saldhana@redhat.com <mailto:Anil.Saldhana@redhat.com>>
> >>>>>     Cc:     Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org
> >>>>>     <mailto:public-wsc-wg@w3.org>>,
> >> <Mary_Ellen_Zurko@notesdev.ibm.com
> >>>>>     <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>>
> >>>>>     Date:     01/10/2008 01:34 PM
> >>>>>     Subject:     RE: Is the padlock a page security score?
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >
> ------------------------------------------------------------------------
> >>>>>
> >>>>>     I would ask the same question about a binary indicator.  The
> >> padlock
> >>>>>     does not mean it's safe to enter a credit card.
> >>>>>
> >>>>>
> >>>>>
> >
> ------------------------------------------------------------------------
> >>>>>     *From:* Ian Fette [mailto:ifette@google.com] *
> >>>>>     Sent:* Thursday, January 10, 2008 12:26 PM*
> >>>>>     To:* Anil Saldhana*
> >>>>>     Cc:* McCormick, Mike; hahnt@us.ibm.com
> >> <mailto:hahnt@us.ibm.com>;
> >>>>>     public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>;
> >>>>>     Mary_Ellen_Zurko@notesdev.ibm.com
> >>>>>     <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>*
> >>>>>     Subject:* Re: Is the padlock a page security score?
> >>>>>
> >>>>>     I still don't understand what anything beyond a binary result
> > is
> >>>>>     supposed to tell a user. I'm on a site with "Medium" security
> -
> >> what
> >>>>>     does that mean? Does that mean that I should give them my
> > credit
> >>>>>     card or not?
> >>>>>
> >>>>>     On Jan 10, 2008 10:00 AM, Anil Saldhana
> >> <_Anil.Saldhana@redhat.com_
> >>>>>     <mailto:Anil.Saldhana@redhat.com>> wrote:
> >>>>>
> >>>>>     Maybe there is an opportunity to associate "High/Medium/Low"
> or
> >>>>>     "Strong/Medium/Low" based on page security score with the
> >> padlock.
> >>>>>     _
> >>>>>     __michael.mccormick@wellsfargo.com_
> >>>>>     <mailto:michael.mccormick@wellsfargo.com> wrote:
> >>>>>      > Sure, I agree the padlock is a binary representation of a
> >> boolean
> >>>>>     security
> >>>>>      > score formula based on a single security variable (SSL on
> >> main
> >>>>>     page).  A
> >>>>>      > degenerate case IMHO - but still technically a page
> security
> >
> >>>>> score.
> >>>>>      >
> >>>>>      > A security score algorithm should take into account most
> (if
> >> not
> >>>>>     all) of the
> >>>>>      > variables we enumerated under "What is a Secure Page?"
> >> Perhaps
> >>>>>     the note
> >>>>>      > should state that explicitly.  Then padlocks wouldn't
> >> qualify.
> >>>>>      >
> >>>>>      >   _____
> >>>>>      >
> >>>>>      > From: _public-wsc-wg-request@w3.org_
> >>>>>     <mailto:public-wsc-wg-request@w3.org>
> >>>>>     [mailto:_public-wsc-wg-request@w3.org_
> >>>>>     <mailto:public-wsc-wg-request@w3.org>] On
> >>>>>      > Behalf Of Timothy Hahn
> >>>>>      > Sent: Thursday, January 10, 2008 10:40 AM
> >>>>>      > To: _public-wsc-wg@w3.org_ <mailto:public-wsc-wg@w3.org>
> >>>>>      > Subject: Re: Is the padlock a page security score?
> >>>>>      >
> >>>>>      >
> >>>>>      >
> >>>>>      > Mez,
> >>>>>      >
> >>>>>      > I'll toss in my view that the padlock is an example of a
> > page
> >>>>>     security
> >>>>>      > score.  In most user agents, this seems to be pretty much
> >>>>>     "binary" (on or
> >>>>>      > off) though I think we've heard from some folks that there
> >> are
> >>>>> some
> >>>>>      > "embellishments" on their display of the icon which would
> >> provide
> >>>>>     more
> >>>>>      > gradations based on information received.
> >>>>>      >
> >>>>>      > On the bright side of such a visible item - it is
> relatively
> >
> >>>>> easy to
> >>>>>      > describe and for people to grasp the meaning of.
> >>>>>      >
> >>>>>      > On the down side of the padlock -  ... well, we've had lots
> >> of
> >>>>> that
> >>>>>      > discussion on this list already - see the archives.
> >>>>>      >
> >>>>>      > Regards,
> >>>>>      > Tim Hahn
> >>>>>      > IBM Distinguished Engineer
> >>>>>      >
> >>>>>      > Internet: _hahnt@us.ibm.com_ <mailto:hahnt@us.ibm.com>
> >>>>>      > Internal: Timothy Hahn/Durham/IBM@IBMUS
> >>>>>      > phone: 919.224.1565     tie-line: 8/687.1565
> >>>>>      > fax: 919.224.2530
> >>>>>      >
> >>>>>      >
> >>>>>      >
> >>>>>      >
> >>>>>      > From:         "Mary Ellen Zurko"
> >>>>>     <_Mary_Ellen_Zurko@notesdev.ibm.com_
> >>>>>     <mailto:Mary_Ellen_Zurko@notesdev.ibm.com>>
> >>>>>      >
> >>>>>      > To:   _public-wsc-wg@w3.org_ <mailto:public-wsc-wg@w3.org>
> >>>>>      >
> >>>>>      > Date:         01/10/2008 11:10 AM
> >>>>>      >
> >>>>>      > Subject:      Is the padlock a page security score?
> >>>>>      >
> >>>>>      >   _____
> >>>>>      >
> >>>>>      >
> >>>>>      >
> >>>>>      >
> >>>>>      >
> >>>>>      > If not, why not?
> >>>>>      >
> >>>>>      >          Mez
> >>>>>      >
> >>>>>      >
> >>>>>      >
> >>>>>      >
> >>>>>      >
> >>>>>
> >>>>>     --
> >>>>>     Anil Saldhana
> >>>>>     Project/Technical Lead,
> >>>>>     JBoss Security & Identity Management
> >>>>>     JBoss, A division of Red Hat Inc._
> >>>>>     __http://labs.jboss.com/portal/jbosssecurity/_
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >
>
> --
> /*
> PhD Candidate
> Carnegie Mellon University
>
> "Whoever said there's no such thing as a free lunch was never a grad
> student."
>
> All views contained in this message, either expressed or implied, are
> the views of my employer, and not my own.
> */
>
>
>
> The information in this transmittal (including attachments, if any) is
> privileged and confidential and is intended only for the recipient(s) listed
> above.  Any review, use, disclosure, distribution or copying of this
> transmittal is prohibited except by or on behalf of the intended recipient.
>  If you have received this transmittal in error, please notify me
> immediately by reply email and destroy all copies of the transmittal.  Thank
> you.
>

Received on Thursday, 10 January 2008 22:21:22 UTC