RE: Is the padlock a page security score?

Actually surveys show that most users think the padlock means a site is
"trustworthy".  Few users have any idea what SSL is. 

-----Original Message-----
From: Serge Egelman [mailto:egelman@cs.cmu.edu] 
Sent: Thursday, January 10, 2008 2:35 PM
To: McCormick, Mike
Cc: weburn@hisoftware.com; Anil.Saldhana@redhat.com;
public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?

I'm certainly not an expert in this area, but not to my knowledge.  I
suspect this is because the users who use the icon to make decision know
that it only means SSL and nothing else.  The other 99% of the users
don't use the icon to make their decisions.

serge

michael.mccormick@wellsfargo.com wrote:
> Has a browser vendor ever been sued for presenting the padlock on a 
> malicious web site?
> 
> -----Original Message-----
> From: public-wsc-wg-request@w3.org 
> [mailto:public-wsc-wg-request@w3.org]
> On Behalf Of William Eburn
> Sent: Thursday, January 10, 2008 1:33 PM
> To: Anil Saldhana; public-wsc-wg@w3.org
> Subject: RE: Is the padlock a page security score?
> 
> 
> Hello all,
> 
> As you may know, HiSoftware has content and application testing tools 
> around privacy, security, accessibility, general content quality, 
> corporate branding, and several factors of site quality.
> 
> I am concerned that if we give some de facto score but do not consider

> the content or application, then would I not as a user of the browser 
> that gave me the information have the right to sue their corporation 
> if I went to a site, the score said 90% reliable and I entered all my 
> PII and the next user saw that it was 90% secure -- knew that the 
> scoring system was flawed because it didn't consider the content, or 
> the application and in this case used a simple SQL Injection to grab 
> all the PII out of the system (including mine), then opened multiple 
> bank accounts, got car loans, and did whatever, causing me great harm.

> While it's true I was able to cancel the charges as being fraudulent, 
> it took over a year to do so.  Would the company that provided the 
> page score be responsible in a court of law?
> 
> Please note, this would be different depending on which country you 
> were in.
> 
> I think, from our perspective the education of the user to the state 
> of the different security indicators is important but for us to assign

> any value judgment on them would at best, be foolish.  Immediately we 
> could never assign 100%, because as part of the working group we've 
> already said that we aren't examining the content or application being

> viewed by the user agent.  So it would be my vote to eliminate the 
> idea of a page score entirely.  What I'm suggesting is that we show 
> them the information, educate the user as to what it means, but assign
no value.
> 
> This is just my two cents on the page score topic.
> 
> Thanks,
> Bill
> 
> 
> -----Original Message-----
> From: public-wsc-wg-request@w3.org 
> [mailto:public-wsc-wg-request@w3.org]
> On Behalf Of Anil Saldhana
> Sent: Thursday, January 10, 2008 2:18 PM
> To: public-wsc-wg@w3.org
> Subject: Re: Is the padlock a page security score?
> 
> 
> Right on the point, Tim.
> 
> We have a tendency to quote personal experiences/behavior to equate it

> to the general behavior of the masses. A security indicator to one 
> does not mean an indicator to everyone.
> 
> WG has had discussions that the padlock is not sufficient to ensure a 
> secure behavior.  Hence page security score, ev cert bar etc etc. :)
> 
> Timothy Hahn wrote:
>> Hi all,
>>
>> This whole discussion is subjective.  What is useful for one person
> could
>> very well be useless to someone else.
>>
>> An analogy - weather forecasts about the possibility of rain today.
> Does
>> such a score indicate whether I will get rained on?  No.  Does it 
>> help
> me
>> decide whether or not to wear a hat or carry an umbrella?  Yes.  
>> There
> is
>> no way that people other than meteorologists (and some would argue,
> even
>> them) will accurately interpret isobars, cloud patterns, and doppler
> radar
>> to determine whether it will rain.  But people can get a feeling for
> the
>> chances of rain based on a 0-100% estimate.
>>
>> I think the same is true for the notion of a page security score.
> Does it
>> imply that the user will definitely, without a doubt, not get
"taken"?
> No. 
>>  Does it give the user something with which to make a choice?  Yes.
> In
>> this light, I still feel that page security scores are good things to

>> consider.
>>
>> Regards,
>> Tim Hahn
>> IBM Distinguished Engineer
>>
>> Internet: hahnt@us.ibm.com
>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>> phone: 919.224.1565     tie-line: 8/687.1565
>> fax: 919.224.2530
>>
>>
>>
>>
>> From:
>> <michael.mccormick@wellsfargo.com>
>> To:
>> <ifette@google.com>, <Anil.Saldhana@redhat.com>
>> Cc:
>> Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>, 
>> <Mary_Ellen_Zurko@notesdev.ibm.com>
>> Date:
>> 01/10/2008 01:34 PM
>> Subject:
>> RE: Is the padlock a page security score?
>>
>>
>>
>> I would ask the same question about a binary indicator.  The padlock
> does
>> not mean it's safe to enter a credit card.
>>
>> From: Ian Fette [mailto:ifette@google.com]
>> Sent: Thursday, January 10, 2008 12:26 PM
>> To: Anil Saldhana
>> Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org; 
>> Mary_Ellen_Zurko@notesdev.ibm.com
>> Subject: Re: Is the padlock a page security score?
>>
>> I still don't understand what anything beyond a binary result is
> supposed
>> to tell a user. I'm on a site with "Medium" security - what does that

>> mean? Does that mean that I should give them my credit card or not?
>>
>> On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com>
> wrote:
>> Maybe there is an opportunity to associate "High/Medium/Low" or 
>> "Strong/Medium/Low" based on page security score with the padlock.
>>
>> michael.mccormick@wellsfargo.com wrote:
>>> Sure, I agree the padlock is a binary representation of a boolean
>> security
>>> score formula based on a single security variable (SSL on main
page).
> A
>>> degenerate case IMHO - but still technically a page security score. 
>>>
>>> A security score algorithm should take into account most (if not 
>>> all)
> of
>> the
>>> variables we enumerated under "What is a Secure Page?"  Perhaps the
> note
>>> should state that explicitly.  Then padlocks wouldn't qualify. 
>>>
>>>   _____
>>>
>>> From: public-wsc-wg-request@w3.org
> [mailto:public-wsc-wg-request@w3.org]
>> On
>>> Behalf Of Timothy Hahn
>>> Sent: Thursday, January 10, 2008 10:40 AM
>>> To: public-wsc-wg@w3.org
>>> Subject: Re: Is the padlock a page security score?
>>>
>>>
>>>
>>> Mez,
>>>
>>> I'll toss in my view that the padlock is an example of a page
> security
>>> score.  In most user agents, this seems to be pretty much "binary"
> (on
>> or
>>> off) though I think we've heard from some folks that there are some 
>>> "embellishments" on their display of the icon which would provide
> more
>>> gradations based on information received.
>>>
>>> On the bright side of such a visible item - it is relatively easy to

>>> describe and for people to grasp the meaning of.
>>>
>>> On the down side of the padlock -  ... well, we've had lots of that 
>>> discussion on this list already - see the archives.
>>>
>>> Regards,
>>> Tim Hahn
>>> IBM Distinguished Engineer
>>>
>>> Internet: hahnt@us.ibm.com
>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>> phone: 919.224.1565     tie-line: 8/687.1565 
>>> fax: 919.224.2530
>>>
>>>
>>>
>>>
>>> From:         "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>>>
>>> To:   public-wsc-wg@w3.org
>>>
>>> Date:         01/10/2008 11:10 AM
>>>
>>> Subject:      Is the padlock a page security score?
>>>
>>>   _____
>>>
>>>
>>>
>>>
>>>
>>> If not, why not?
>>>
>>>          Mez
>>>
>>>
>>>
>>>
>>>
>> --
>> Anil Saldhana
>> Project/Technical Lead,
>> JBoss Security & Identity Management
>> JBoss, A division of Red Hat Inc.
>> http://labs.jboss.com/portal/jbosssecurity/
>>
>>
>>
>>
> 
> --
> Anil Saldhana
> Project/Technical Lead,
> JBoss Security & Identity Management
> JBoss, A division of Red Hat Inc.
> http://labs.jboss.com/portal/jbosssecurity/
> 
> 
> 
> 
> The information in this transmittal (including attachments, if any) is

> privileged and confidential and is intended only for the recipient(s) 
> listed above.  Any review, use, disclosure, distribution or copying of

> this transmittal is prohibited except by or on behalf of the intended 
> recipient.  If you have received this transmittal in error, please 
> notify me immediately by reply email and destroy all copies of the 
> transmittal.  Thank you.
> 
> 
> 
> 

--
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly Carnegie
Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students */

Received on Thursday, 10 January 2008 23:04:00 UTC