- From: Michael Versace <michael.versace@fstc.org>
- Date: Fri, 11 Jan 2008 18:53:41 -0500
- To: <michael.mccormick@wellsfargo.com>, <Anil.Saldhana@redhat.com>, <public-wsc-wg@w3.org>

Consumers want assurance that web sites are secure to do business with, and that the web sites will provide the appropriate consideration for the consumer's business. This suggests that web page scoring is irrelevant. Business, however, may benefit from consumer scoring. Consumer "scoring" gives a business the basis for providing the consideration.

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of michael.mccormick@wellsfargo.com
Sent: Friday, January 11, 2008 6:13 PM
To: Anil.Saldhana@redhat.com; public-wsc-wg@w3.org
Subject: RE: Is the padlock a page security score?

Certainly online banking is a primary use case for scores, but presumably not the only one. No offense to any of my competitors, but "favorite picture" based site authentication is feel-good security, not real security. It has already been broken by MITM attacks and been the subject of some withering academic critiques.

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Anil Saldhana
Sent: Friday, January 11, 2008 4:26 PM
To: public-wsc-wg@w3.org
Subject: Re: Is the padlock a page security score?

Which category of users/websites care a lot about page scores? Is it the banking industry? If yes, then we should understand that the banking websites are one of the most sensitive systems on the web. As a user, when they bank, I am sure they care a whole lot about how secure the banking site is. If the site is showing a page score that is not satisfactory to the user, then it is time for the user to call the bank and find out why the score is X. Many of the US banks are going towards multi-factor knowledge based authentication, like displaying a favorite picture of yours and such.

Mike Beltzner wrote:
>
> michael.mccormick@wellsfargo.com wrote:
>> There seems to still be some lingering misunderstanding about the
>> security score. It does not specify how the score should be
>> presented in primary chrome. The UA is free to render it as anything
>> from a padlock to a color-coded address bar to a traffic light to whatever.
>> The raw score is not displayed in the primary UI.
>
> The disagreement is in that I don't believe a single "score" will ever
> hold value. A recommendation or advice based on a score, is what I
> would suggest we advocate in our document.
>
> The user who needs a recommendation for action (ie: "Is this page
> safe?") won't benefit from a score ("72% safe!"), as it won't hold any
> specific meaning to them.
>
> The user who wants to know more about why a specific recommendation
> has been given (ie: "Why are you saying that this page is suspicious,
> it looks like my bank!") won't benefit from a score ("because it's
> only 72% safe!") because they need more detail.
>
> Both of these users are served by a system where security risks are
> called out by the browser ("Note: This page is suspicious!
> (Details...)") and then further explanation is given (the certificate
> changed, it's not high on the network of trust, etc).
>
> cheers,
> mike
>

--
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/

Received on Saturday, 12 January 2008 01:18:27 UTC