RE: Is the padlock a page security score?

Right.  MITM attacks of the so-called "Phishing 2.0" variety are a big
problem in banking.

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Dan Schutzer
Sent: Thursday, January 10, 2008 9:25 PM
To: 'Ian Fette'; 'Timothy Hahn'
Cc: public-wsc-wg@w3.org
Subject: RE: Is the padlock a page security score?
MITM attacks are seen in bank transfer fraud. There are more efficient
ways to steal credit card numbers.
  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Ian Fette
Sent: Thursday, January 10, 2008 2:07 PM
To: Timothy Hahn
Cc: public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?
At least the weather forecast is based on the right factors though. All
of the things we're looking at seem to be "Is my connection to the
server secure" / "Am I connected to who I think I am". Sure, EV adds a
bit more on top of that, but basically we're still stuck at the same
question that SSL answers, which is "Who am I talking to, and am I doing
so securely?" 

It's been a *long* time since I've heard anything about someone's credit
card getting stolen by a MITM attack. It's very often that I hear about
credit cards getting stolen because a site was hacked, or because of
poor security practices on behalf of the site. 

It seems like the first question (SSL-esque question) is really the only
thing we can answer, but it's also the least useful thing to answer
(IMHO) and we are doing a disservice to the user. It's the equivalent to
saying "Is it going to rain" and making your prediction based only on
the barometric pressure, without looking at any storm fronts etc. We're
leaving out the most important information, and still expecting the user
to make a decision. This seems wrong. 

On Jan 10, 2008 10:54 AM, Timothy Hahn <hahnt@us.ibm.com> wrote:


Hi all, 

This whole discussion is subjective.  What is useful for one person
could very well be useless to someone else. 

An analogy - weather forecasts about the possibility of rain today.
Does such a score indicate whether I will get rained on?  No.  Does it
help me decide whether or not to wear a hat or carry an umbrella?  Yes.
There is no way that people other than meteorologists (and some would
argue, even them) will accurately interpret isobars, cloud patterns, and
doppler radar to determine whether it will rain.  But people can get a
feeling for the chances of rain based on a 0-100% estimate. 

I think the same is true for the notion of a page security score.  Does
it imply that the user will definitely, without a doubt, not get
"taken"?  No.  Does it give the user something with which to make a
choice?  Yes.  In this light, I still feel that page security scores are
good things to consider. 



Regards, 
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530
From: <michael.mccormick@wellsfargo.com>
To: <ifette@google.com>, <Anil.Saldhana@redhat.com>
Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>,
<Mary_Ellen_Zurko@notesdev.ibm.com>
Date: 01/10/2008 01:34 PM
Subject: RE: Is the padlock a page security score?

  _____  

I would ask the same question about a binary indicator.  The padlock
does not mean it's safe to enter a credit card. 
  _____  

From: Ian Fette [mailto:ifette@google.com]
Sent: Thursday, January 10, 2008 12:26 PM
To: Anil Saldhana
Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org;
Mary_Ellen_Zurko@notesdev.ibm.com
Subject: Re: Is the padlock a page security score?

I still don't understand what anything beyond a binary result is
supposed to tell a user. I'm on a site with "Medium" security - what
does that mean? Does that mean that I should give them my credit card or
not? 

On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com>
wrote: 

Maybe there is an opportunity to associate "High/Medium/Low" or
"Strong/Medium/Low" based on page security score with the padlock. 

michael.mccormick@wellsfargo.com wrote:
> Sure, I agree the padlock is a binary representation of a boolean security
> score formula based on a single security variable (SSL on main page).  A
> degenerate case IMHO - but still technically a page security score.
>
> A security score algorithm should take into account most (if not all) of the
> variables we enumerated under "What is a Secure Page?"  Perhaps the note
> should state that explicitly.  Then padlocks wouldn't qualify.
>
>   _____
>
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
> Behalf Of Timothy Hahn
> Sent: Thursday, January 10, 2008 10:40 AM
> To: public-wsc-wg@w3.org
> Subject: Re: Is the padlock a page security score?
>
> Mez, 
>
> I'll toss in my view that the padlock is an example of a page security
> score.  In most user agents, this seems to be pretty much "binary" (on or
> off) though I think we've heard from some folks that there are some
> "embellishments" on their display of the icon which would provide more
> gradations based on information received.
>
> On the bright side of such a visible item - it is relatively easy to 
> describe and for people to grasp the meaning of.
>
> On the down side of the padlock -  ... well, we've had lots of that
> discussion on this list already - see the archives.
>
> Regards, 
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565 
> fax: 919.224.2530
>
> From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
> To: public-wsc-wg@w3.org
> Date: 01/10/2008 11:10 AM
> Subject: Is the padlock a page security score?
>
>   _____
>
> If not, why not?
>
>          Mez
>

--
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management 
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/
Received on Friday, 11 January 2008 17:51:16 UTC