- From: <michael.mccormick@wellsfargo.com>
- Date: Thu, 10 Jan 2008 17:03:05 -0600
- To: <egelman@cs.cmu.edu>
- Cc: <weburn@hisoftware.com>, <Anil.Saldhana@redhat.com>, <public-wsc-wg@w3.org>
Actually surveys show that most users think the padlock means a site is "trustworthy". Few users have any idea what SSL is.

-----Original Message-----
From: Serge Egelman [mailto:egelman@cs.cmu.edu]
Sent: Thursday, January 10, 2008 2:35 PM
To: McCormick, Mike
Cc: weburn@hisoftware.com; Anil.Saldhana@redhat.com; public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?

I'm certainly not an expert in this area, but not to my knowledge. I suspect this is because the users who use the icon to make decisions know that it only means SSL and nothing else. The other 99% of the users don't use the icon to make their decisions.

serge

michael.mccormick@wellsfargo.com wrote:
> Has a browser vendor ever been sued for presenting the padlock on a malicious web site?
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of William Eburn
> Sent: Thursday, January 10, 2008 1:33 PM
> To: Anil Saldhana; public-wsc-wg@w3.org
> Subject: RE: Is the padlock a page security score?
>
> Hello all,
>
> As you may know, HiSoftware has content and application testing tools around privacy, security, accessibility, general content quality, corporate branding, and several factors of site quality.
>
> I am concerned that if we give some de facto score but do not consider the content or application, then would I not as a user of the browser that gave me the information have the right to sue their corporation if I went to a site, the score said 90% reliable and I entered all my PII and the next user saw that it was 90% secure -- knew that the scoring system was flawed because it didn't consider the content, or the application and in this case used a simple SQL Injection to grab all the PII out of the system (including mine), then opened multiple bank accounts, got car loans, and did whatever, causing me great harm. While it's true I was able to cancel the charges as being fraudulent, it took over a year to do so. Would the company that provided the page score be responsible in a court of law?
>
> Please note, this would be different depending on which country you were in.
>
> I think, from our perspective the education of the user to the state of the different security indicators is important but for us to assign any value judgment on them would at best, be foolish. Immediately we could never assign 100%, because as part of the working group we've already said that we aren't examining the content or application being viewed by the user agent. So it would be my vote to eliminate the idea of a page score entirely. What I'm suggesting is that we show them the information, educate the user as to what it means, but assign no value.
>
> This is just my two cents on the page score topic.
>
> Thanks,
> Bill
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Anil Saldhana
> Sent: Thursday, January 10, 2008 2:18 PM
> To: public-wsc-wg@w3.org
> Subject: Re: Is the padlock a page security score?
>
> Right on the point, Tim.
>
> We have a tendency to quote personal experiences/behavior to equate it to the general behavior of the masses. A security indicator to one does not mean an indicator to everyone.
>
> WG has had discussions that the padlock is not sufficient to ensure a secure behavior. Hence page security score, ev cert bar etc etc. :)
>
> Timothy Hahn wrote:
>> Hi all,
>>
>> This whole discussion is subjective. What is useful for one person could very well be useless to someone else.
>>
>> An analogy - weather forecasts about the possibility of rain today. Does such a score indicate whether I will get rained on? No. Does it help me decide whether or not to wear a hat or carry an umbrella? Yes. There is no way that people other than meteorologists (and some would argue, even them) will accurately interpret isobars, cloud patterns, and Doppler radar to determine whether it will rain. But people can get a feeling for the chances of rain based on a 0-100% estimate.
>>
>> I think the same is true for the notion of a page security score. Does it imply that the user will definitely, without a doubt, not get "taken"? No. Does it give the user something with which to make a choice? Yes. In this light, I still feel that page security scores are good things to consider.
>>
>> Regards,
>> Tim Hahn
>> IBM Distinguished Engineer
>>
>> Internet: hahnt@us.ibm.com
>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>> phone: 919.224.1565 tie-line: 8/687.1565
>> fax: 919.224.2530
>>
>> From: <michael.mccormick@wellsfargo.com>
>> To: <ifette@google.com>, <Anil.Saldhana@redhat.com>
>> Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>, <Mary_Ellen_Zurko@notesdev.ibm.com>
>> Date: 01/10/2008 01:34 PM
>> Subject: RE: Is the padlock a page security score?
>>
>> I would ask the same question about a binary indicator. The padlock does not mean it's safe to enter a credit card.
>>
>> From: Ian Fette [mailto:ifette@google.com]
>> Sent: Thursday, January 10, 2008 12:26 PM
>> To: Anil Saldhana
>> Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org; Mary_Ellen_Zurko@notesdev.ibm.com
>> Subject: Re: Is the padlock a page security score?
>>
>> I still don't understand what anything beyond a binary result is supposed to tell a user. I'm on a site with "Medium" security - what does that mean? Does that mean that I should give them my credit card or not?
>>
>> On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
>> Maybe there is an opportunity to associate "High/Medium/Low" or "Strong/Medium/Low" based on page security score with the padlock.
>>
>> michael.mccormick@wellsfargo.com wrote:
>>> Sure, I agree the padlock is a binary representation of a boolean security score formula based on a single security variable (SSL on main page). A degenerate case IMHO - but still technically a page security score.
>>>
>>> A security score algorithm should take into account most (if not all) of the variables we enumerated under "What is a Secure Page?" Perhaps the note should state that explicitly. Then padlocks wouldn't qualify.
>>>
>>> _____
>>>
>>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Timothy Hahn
>>> Sent: Thursday, January 10, 2008 10:40 AM
>>> To: public-wsc-wg@w3.org
>>> Subject: Re: Is the padlock a page security score?
>>>
>>> Mez,
>>>
>>> I'll toss in my view that the padlock is an example of a page security score. In most user agents, this seems to be pretty much "binary" (on or off) though I think we've heard from some folks that there are some "embellishments" on their display of the icon which would provide more gradations based on information received.
>>>
>>> On the bright side of such a visible item - it is relatively easy to describe and for people to grasp the meaning of.
>>>
>>> On the down side of the padlock - ... well, we've had lots of that discussion on this list already - see the archives.
>>>
>>> Regards,
>>> Tim Hahn
>>> IBM Distinguished Engineer
>>>
>>> Internet: hahnt@us.ibm.com
>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>> phone: 919.224.1565 tie-line: 8/687.1565
>>> fax: 919.224.2530
>>>
>>> From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>>> To: public-wsc-wg@w3.org
>>> Date: 01/10/2008 11:10 AM
>>> Subject: Is the padlock a page security score?
>>>
>>> _____
>>>
>>> If not, why not?
>>>
>>> Mez
>>
>> --
>> Anil Saldhana
>> Project/Technical Lead,
>> JBoss Security & Identity Management
>> JBoss, A division of Red Hat Inc.
>> http://labs.jboss.com/portal/jbosssecurity/
>
> --
> Anil Saldhana
> Project/Technical Lead,
> JBoss Security & Identity Management
> JBoss, A division of Red Hat Inc.
> http://labs.jboss.com/portal/jbosssecurity/
>
> The information in this transmittal (including attachments, if any) is privileged and confidential and is intended only for the recipient(s) listed above. Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient. If you have received this transmittal in error, please notify me immediately by reply email and destroy all copies of the transmittal. Thank you.

--
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University
Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Thursday, 10 January 2008 23:04:00 UTC