RE: Is the padlock a page security score?

Hello all,

 

Just a couple quick notes on Ian's mail.  As a software engineer.  I am
constantly beat against the head to not make general assumptions.
Anything that I propose has to be pretty much black and white.  To say
that no one would read the manual is a very black and white statement
and yesterday we talked about the difference between engineers and every
day users.  Both of these may look at the manual in a different manner.
But unless I wanted to be turned into a junior engineer or fired, I
would never claim that no one would read our manuals, or our help.  We
pride ourselves on our documentation (based on the number of bugs found
in our documentation that are reported by our users, we're positive that
the users are reading the documentation).  I can say this in a "black
and white" manner, just by looking at our defect tracking database.

 

Also.  To say that someone getting updates to Vista or IE would not wait
to get educated to receive that update, again is a bit of a false
argument.  I say that, not that you're argument doesn't have some
validity, but I say it because the Vista updates that the end user is
receiving, while, the user may not be looking at the lock but instead it
is the trust relationship that they have with the vendor such as
Microsoft that they use as the deciding factor (I am not stating whether
someone should trust or distrust Microsoft).  

 

In looking at existing browsers, in this case the latest version of
Opera.  I went to the HiSoftware secure site.  The padlock did not take
up much browser real estate, which everyone agrees is a concern.  I
clicked on the padlock, and what I received was unlimited information
about the padlock.  I also was given opportunities to run additional
checks, like to see if the site was fraudulent, and help on what
everything meant.  I like the help because it was online and in that
format accessible to people regardless of their physical abilities.

 

After looking at the Opera browser, perhaps this is our solution,
perhaps we should recommend a new mark / indicator, or even keep the
padlock, but suggest that all vendors do what Opera is doing and suggest
that the vendors like Opera develop this additional window as either
open or shared source.  So that while the browser companies are
validating the sites and the connection to that site, other companies
like Compuware (my old company) or HiSoftware (my new company) could
include a whole slew of other security tests providing application or
content benchmarks to augment what the vendors are already providing.
This may be a more complete solution.  What does everyone think?

 

Bill

 

p.s.  If they choose not to read the help, fine, but at least we've now
accomplished something with the indicator, and the information is
available if they choose to read it.

 

From: Ian Fette [mailto:ifette@google.com] 
Sent: Friday, January 11, 2008 11:22 AM
To: William Eburn
Cc: Doyle, Bill; Mary Ellen Zurko; Mike Beltzner <beltzner;
public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?

 

Relying on people reading documentation for a browser is also fraught
with peril... people are not going to wait to get "educated" before
their copy of Vista auto-updates to IE8, nor when they download Firefox
3 are they going to actually sit down and read a manual - they're going
to double click the icon and go at it. If it's not intuitive, that's a
problem. I don't think we can say RTFM, because nobody will... 

On Jan 11, 2008 7:15 AM, William Eburn <weburn@hisoftware.com> wrote:

Whether we use numbers, or "low, medium, high", at best, it's
incomplete.  Instead of calling it a "Security Score", if we called it a
"browser connection security score" and in some kind of education and
documentation, state that the score ignores both content and/or
application and any of the security principals around them, then it may
have some value.  However if someone sees a high score and they land on
a horrible site that steals all of their information, we would
definitely be doing them an injustice because at best the
high-medium-low is misleading.  

 

So, if we agree with Ian... and I do, browser real estate is just so
limited , there is no way we could communicate all of this information.
And understanding that benchmarking is only good if you describe what
you're benchmarking then our benchmark of security score is not useful,
and should be done away with.

 

Bill

 

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Doyle, Bill
Sent: Friday, January 11, 2008 10:04 AM
To: Mary Ellen Zurko; Mike Beltzner <beltzner


Cc: public-wsc-wg@w3.org

Subject: RE: Is the padlock a page security score?

 

I was think that instead of a numeric score it would be simpler to point
to a robustness or assurance level in terms of high, medium, low. One
thing to keep in mind is that the capabilities of the protocols and
underlying IA mechanism keep changing, going to be difficult to keep
numeric score consistent. What happens to page score when a new TLS/SSL
version comes out or new ciphers are added. 

 

Be easier to present a consistent UI if it is noted that site meets high
assurance, medium assurance or low assurance. This would still alert the
user that something has changed - 72 to 38 would be a change in
assurance level.

 

 

 

 

	 

________________________________

	From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
	Sent: Friday, January 11, 2008 9:09 AM
	To: Mike Beltzner <beltzner
	Cc: public-wsc-wg@w3.org
	Subject: Re: Is the padlock a page security score?

	
	Great conversation, all the way around. I particularly
appreciate those posts that, while taking a strong stance, also try to
explore other points of view, how their stance relates to it, and what
might be some sort of reasonable middle ground. Kudos to all of you!
	
	> Where the number *would* come in handy is when they're used to

	> seeing a "72" for their bank or online shopping site, but all
of a 
	> sudden they see a "38". It's the change in the security values
that 
	> become interesting. At that point, though, why would we
require that
	> the user remember that theirshoppingsite.com is usually a 72,
but 
	> all of a sudden became a 36. Why would we not, instead, just
alert 
	> them to the fact that there's something suspicious, and they 
	> shouldn't use the site at this time (with links to more detail
for 
	> those who wish to know what tipped us off).
	
	That would tie into the Change of Security Level (or CoSL as I
started to call it in my review comments) in xit. 
	
	As I think does some of the discussion of warnings on top of
passive indicators (although as my review comments indicated, it was
hard to find the part of CoSL where that was specified, and should be
made clearer). 

 



The information in this transmittal (including attachments, if any) is
privileged and confidential and is intended only for the recipient(s)
listed above.  Any review, use, disclosure, distribution or copying of
this transmittal is prohibited except by or on behalf of the intended
recipient.  If you have received this transmittal in error, please
notify me immediately by reply email and destroy all copies of the
transmittal.  Thank you.

 

 





The information in this transmittal (including attachments, if any) is privileged and confidential and is intended only for the recipient(s) listed above.  Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient.  If you have received this transmittal in error, please notify me immediately by reply
 email and destroy all copies of the transmittal.  Thank you.