RE: Is the padlock a page security score?

I am not sure. If there were scores and competing services so that I had a
choice then security might actually improve. Suppose I had two competing
social networks with vastly different security scores; for example, one with
a 70 and one with a 90 security score - I just might not use the service
with the 70 security score. Perhaps if we had reliable scores and people
started picking one service over another based upon the scores, we might get
services that are more serious about security. 

 

  _____  

From: Ian Fette [mailto:ifette@google.com] 
Sent: Thursday, January 10, 2008 2:17 PM
To: Dan Schutzer
Cc: michael.mccormick@wellsfargo.com; hahnt@us.ibm.com; public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?

 

There's also something reasonable you can do when you hear it's going to
rain. You can take an umbrella. There's very little you can do when you get
a 70 as a security score. You want to use Facebook, there's not really
anything you can do to mitigate the fact that it comes up with a 70. Just
like you're not going to cancel your vacation because it's raining, you're
not going to cancel your purchase online (or your match.com subscription)
because it got a 70. You're going to look for some way to mitigate the rain
/ 70, realize there's not anything you can do, and curse out your browser
for cluttering your UI with information that doesn't help you. 

:(

On Jan 10, 2008 11:10 AM, Dan Schutzer <dan.schutzer@fstc.org> wrote:

With the weather we often hear words like "the chance of precipitation is
x%" to indicate the lack of perfect forecastability.

 

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of michael.mccormick@wellsfargo.com
Sent: Thursday, January 10, 2008 2:05 PM
To: hahnt@us.ibm.com; public-wsc-wg@w3.org


Subject: RE: Is the padlock a page security score?

 

I agree.  I like the weather analogy.  There's no perfect security
indicator.  But the more variables an indicator takes into account the more
it approaches the asymptote.

 

I guess the alternative would be to throw up our hands and say all security
context indicators are useless.

 

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Timothy Hahn
Sent: Thursday, January 10, 2008 12:54 PM
To: public-wsc-wg@w3.org
Subject: RE: Is the padlock a page security score?


Hi all, 

This whole discussion is subjective.  What is useful for one person could
very well be useless to someone else. 

An analogy - weather forecasts about the possibility of rain today.  Does
such a score indicate whether I will get rained on?  No.  Does it help me
decide whether or not to wear a hat or carry an umbrella?  Yes.  There is no
way that people other than meteorologists (and some would argue, even them)
will accurately interpret isobars, cloud patterns, and doppler radar to
determine whether it will rain.  But people can get a feeling for the
chances of rain based on a 0-100% estimate. 

I think the same is true for the notion of a page security score.  Does it
imply that the user will definitely, without a doubt, not get "taken"?  No.
Does it give the user something with which to make a choice?  Yes.  In this
light, I still feel that page security scores are good things to consider. 

Regards, 
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




From: <michael.mccormick@wellsfargo.com>
To: <ifette@google.com>, <Anil.Saldhana@redhat.com>
Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>,
<Mary_Ellen_Zurko@notesdev.ibm.com>
Date: 01/10/2008 01:34 PM
Subject: RE: Is the padlock a page security score?

 

  _____  




I would ask the same question about a binary indicator.  The padlock does
not mean it's safe to enter a credit card. 

  _____  

From: Ian Fette [mailto:ifette@google.com]
Sent: Thursday, January 10, 2008 12:26 PM
To: Anil Saldhana
Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org;
Mary_Ellen_Zurko@notesdev.ibm.com
Subject: Re: Is the padlock a page security score?

I still don't understand what anything beyond a binary result is supposed to
tell a user. I'm on a site with "Medium" security - what does that mean?
Does that mean that I should give them my credit card or not? 

On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote: 

Maybe there is an opportunity to associate "High/Medium/Low" or
"Strong/Medium/Low" based on page security score with the padlock. 

michael.mccormick@wellsfargo.com wrote:
> Sure, I agree the padlock is a binary representation of a boolean security
> score formula based on a single security variable (SSL on main page).  A
> degenerate case IMHO - but still technically a page security score. 
>
> A security score algorithm should take into account most (if not all) of the
> variables we enumerated under "What is a Secure Page?"  Perhaps the note
> should state that explicitly.  Then padlocks wouldn't qualify. 
>
>   _____
>
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
> Behalf Of Timothy Hahn
> Sent: Thursday, January 10, 2008 10:40 AM
> To: public-wsc-wg@w3.org
> Subject: Re: Is the padlock a page security score?
>
>
>
> Mez, 
>
> I'll toss in my view that the padlock is an example of a page security
> score.  In most user agents, this seems to be pretty much "binary" (on or
> off) though I think we've heard from some folks that there are some 
> "embellishments" on their display of the icon which would provide more
> gradations based on information received.
>
> On the bright side of such a visible item - it is relatively easy to 
> describe and for people to grasp the meaning of.
>
> On the down side of the padlock -  ... well, we've had lots of that
> discussion on this list already - see the archives.
>
> Regards, 
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565 
> fax: 919.224.2530
>
>
>
>
> From:         "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>
> To:   public-wsc-wg@w3.org
>
> Date:         01/10/2008 11:10 AM
>
> Subject:      Is the padlock a page security score?
>
>   _____
>
>
>
>
>
> If not, why not?
>
>          Mez
>
>
>
>
>

--
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management 
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/



 

Received on Friday, 11 January 2008 03:35:43 UTC