Re: ACTION-374 - proposed re-written text for 6.3, Page Security Score

Serge, Maritza and Rachna, along with others, have collected a wide  
range of academic literature on the subject in our shared bookmarks.

http://www.w3.org/2006/WSC/wiki/SharedBookmarks

Cheers,

Johnathan

On 24-Jan-08, at 12:53 PM, William Eburn wrote:

>
> Serge,
>
> Is there any chance you can send me the literature that you are  
> talking
> about?  And the type of literature?  So I can review it.
>
> Thanks,
>
> William Eburn
> Software Engineer
> HiSoftware Inc.
> 1-(603)-574-4932
>
>
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org 
> ]
> On Behalf Of Serge Egelman
> Sent: Thursday, January 24, 2008 12:41 PM
> To: Dan Schutzer
> Cc: 'Ian Fette'; 'Timothy Hahn'; public-wsc-wg@w3.org
> Subject: Re: ACTION-374 - proposed re-written text for 6.3, Page
> Security Score
>
>
> The likely thing that will happen in this case is that people will  
> learn
>
> to distrust the indicator when they start visiting websites with worse
> and worse ratings.  As I mentioned earlier, the issue is that when the
> user falls victim to an attack, they have no idea what action they  
> took
> to cause this (e.g. ignoring the meter and visiting a bad website,
> visiting a bad website that actually didn't have a bad meter,
> unscrupulous cashier, etc.).
>
> So the first time they see a "slightly" bad rating and decide to
> proceed, they won't realize any immediate consequences (if there even
> are any).  Thus, this behavior will continue and likely get worse  
> (i.e.
> they'll start ignoring the meter altogether).  This is very classic
> conditioning.
>
> This is just a hypothesis, but it is based on a wealth of literature.
> If many people disagree with me, I would suggest you provide some  
> actual
>
> data.
>
> serge
>
> Dan Schutzer wrote:
>> I agree the issue is what sort of action will people take based upon
> the
>> bar. If there were some adverse result from not going to a site  
>> with a
>
>> low security indicator, then people might learn (based upon their  
>> risk
>
>> adversity) what action to take when they see a bar; e.g. they go to  
>> an
>
>> insecure web page and something bad and immediately observable  
>> happens
>
>> to them. However, in the world of insure web pages, it is not clear
> that
>> people will get this sort of enforcement. So, maybe we ought to think
>> about some companion warning. For example, if when I go to web sites
>> with a low security score, I frequently get a warning, when the site
>> comes up, that this is a known phishing site or has unsafe content, I
>> might begin to pay attention to the low security score.
>>
>>
>>
>>
> ------------------------------------------------------------------------
>>
>> *From:* public-wsc-wg-request@w3.org
>> [mailto:public-wsc-wg-request@w3.org] *On Behalf Of *Ian Fette
>> *Sent:* Thursday, January 24, 2008 1:27 AM
>> *To:* Timothy Hahn
>> *Cc:* public-wsc-wg@w3.org
>> *Subject:* Re: ACTION-374 - proposed re-written text for 6.3, Page
>> Security Score
>>
>>
>>
>> By saying that a user agent MAY elect not to display the indicator,
> but
>> that it SHOULD display the indicator, we're saying we think it's
> useful,
>> but if one wants to ignore that go ahead. I don't think that I'm yet
>> willing to go along and say that I think it's useful.
>>
>> I really want to know what a person is supposed to do when they see
> this
>> indicator. If they see 3/4 bars, what do they do? If they see a meter
>> that's somewhere towards the right, what do they do? God forbid they
> see
>> a "78" and have to figure that out. None of these representations  
>> seem
>
>> like a good idea to me, and until we can come up with an indicator
> that
>> is actually going to inform user action, I really don't think we be
>> saying SHOULD about any of this, with the possible exception of
> noticing
>> a change.
>>
>> Let's say that I go to my company's webmail, and it has 2/4 bars. I'm
>> still going to log in. Let's say I go to a e-commerce site and it has
>> 3/4 bars. What does that mean? Is it safe or not? (and I seriously
> doubt
>> that anyone is going to take on the liability of an indicator that
>> answers that question in a binary fashion, which is the only way this
>> might be useful, if we actually had the data to make that decision
> which
>> we do not).
>>
>> This still seems way too strong to me.
>>
>> On Jan 23, 2008 6:46 PM, Timothy Hahn <hahnt@us.ibm.com
>> <mailto:hahnt@us.ibm.com>> wrote:
>>
>>
>> Ian,
>>
>> In addition to the level of indirection I referred to below, I also
>> added this clause:
>>
>>
>>
>>>> The user agent MAY elect to display a visual indicator in primary
>
>> chrome
>>>> only when a change in "security confidence estimate" values is
>> observed.
>>>>
>>
>> I added this upon reflection of your and Jonathan's comments on the  
>> 16
>
>> January call where you seemed to desire to not always show a visual
>> indicator.
>>
>> I still believe that some type of meter that has more than 0/1
>> gradations is better than a meter that is binary and also better than
> no
>> meter at all.
>>
>>
>>
>> Regards,
>> Tim Hahn
>> IBM Distinguished Engineer
>>
>> Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>> phone: 919.224.1565     tie-line: 8/687.1565
>> fax: 919.224.2530
>>
>>
>> From:
>>
>> 	
>>
>> "Ian Fette" <ifette@google.com <mailto:ifette@google.com>>
>>
>> To:
>>
>> 	
>>
>> Timothy Hahn/Durham/IBM@IBMUS
>>
>> Cc:
>>
>> 	
>>
>> public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>>
>> Date:
>>
>> 	
>>
>> 01/23/2008 05:24 PM
>>
>> Subject:
>>
>> 	
>>
>> Re: ACTION-374 - proposed re-written text for 6.3, Page Security  
>> Score
>>
>>
>>
>>
> ------------------------------------------------------------------------
>>
>>
>>
>>
>> I think that what I was saying on the call, and I heard the same from
>> at least Johnathan, was that it's unclear what it means even if you
>> have a dial, or "3 bars out of 4". At the end, it doesn't help me
>> decide whether to proceed or not. The indirection didn't solve this
>> problem.
>>
>> On Jan 23, 2008 2:13 PM, Timothy Hahn <hahnt@us.ibm.com
>> <mailto:hahnt@us.ibm.com>> wrote:
>>>
>>> Ian,
>>>
>>> Thanks for the feedback.
>>>
>>> I tried to express a level of indirection between what is displayed
> (I
>>> referred to this as a "visual indicator") and the value itself
> (which I
>>> referred to as the "value").  This indirection was meant to allow
> for a
>>> difference between what is displayed and the "raw score" value
> itself.
>>>
>>> I welcome suggestions on making this more clear in the write-up.
>>>
>>> Relative to your desire for MAY vs. SHOULD - given the different
>> opinions of
>>> the people that have been discussing this, I made the bold decision
> that
>>> SHOULD seemed appropriate.
>>>
>>>
>>> Regards,
>>> Tim Hahn
>>>  IBM Distinguished Engineer
>>>
>>>  Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
>>>  Internal: Timothy Hahn/Durham/IBM@IBMUS
>>>  phone: 919.224.1565     tie-line: 8/687.1565
>>>  fax: 919.224.2530
>>>
>>>
>>>
>>>
>>>  From: "Ian Fette" <ifette@google.com <mailto:ifette@google.com>>
>>>  To:
>>> Timothy Hahn/Durham/IBM@IBMUS
>>>  Cc:
>>> public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>>>  Date: 01/23/2008 04:55 PM
>>>
>>>  Subject: Re: ACTION-374 - proposed re-written text for 6.3, Page
> Security
>>> Score
>>>
>>>
>>>  ________________________________
>>>
>>>
>>>
>>> I'm still unclear on the following two points:
>>>
>>>  The user agent SHOULD provide a visual indicator in primary chrome
>>>  which varies relative to the "security confidence estimate" value.
>>>  Examples of such visual indicators (non-normative) are gauges,
>>>  thermometers, a selection of several textual descriptions, and
>>>  color-gradations.
>>>
>>>  The visual indicator SHOULD be especially conspicuous in display
> when
>>>  the "security confidence estimate" value is different than the
> value
>>>  which was observed for the loaded page in previous visits to the
>>>  loaded page.
>>>
>>>  It sounds to me like there was a lot of agreement on the call that
>>>  changes in this score might be informative. I don't think there was
>>>  any agreement that the raw score itself was informative. I don't
>>>  understand why we're saying that the score SHOULD be indicated in
>>>  primary chrome, nor do I understand why it makes sense to show it
> if
>>>  the score has changed (i.e. "Hey, this was 78 and now it's 68" -
>>>  "Great, what does that mean"). I think it may make sense (MAY) to
> call
>>>  out what changed, but calling out the score (either normally, or
> even
>>>  when it changes) still makes no sense to me.
>>>
>>>  I would love to see these SHOULD -> MAY
>>>
>>>  -Ian
>>>
>>>  On Jan 23, 2008 10:41 AM, Timothy Hahn <hahnt@us.ibm.com
>> <mailto:hahnt@us.ibm.com>> wrote:
>>>>
>>>> To Mez:
>>>>
>>>> I agree with your proposal and will make that be so in the draft.
>>>>
>>>> To Mike:
>>>>
>>>> While I, myself, would prefer stronger language, I worded the
>> updates per
>>>> the discussion from the group (during the weekly conference call
> as
>> well
>>> as
>>>> on the mailing list).
>>>>
>>>> Regards,
>>>>
>>>> Tim Hahn
>>>> IBM Distinguished Engineer
>>>>
>>>> Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
>>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>>> phone: 919.224.1565     tie-line: 8/687.1565
>>>> fax: 919.224.2530
>>>>
>>>>
>>>>
>>>>
>>>> From: Mary Ellen Zurko/Westford/IBM@IRIS
>>>> To:
>>>> Timothy Hahn/Durham/IBM@IBMUS
>>>> Cc:
>>>> public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>>>> Date: 01/23/2008 01:29 PM
>>>> Subject: Re: ACTION-374 - proposed re-written text for 6.3, Page
>>> Security
>>>> Score
>>>> ________________________________
>>>>
>>>>
>>>>
>>>> I propose that you also change the title of the section to
> "Security
>>>> Confidence Estimate"
>>>>
>>>>          Mez
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> From:
>>>> Timothy Hahn/Durham/IBM@IBMUS
>>>> To:
>>>> public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org>
>>>> Date:
>>>> 01/23/2008 11:29 AM
>>>> Subject: ACTION-374 - proposed re-written text for 6.3, Page
> Security
>>> Score
>>>> ________________________________
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Hi all,
>>>>
>>>> From last week's meeting (16 January 2008) I took an action to
> propose
>>>> re-written text for the "Page Security Score" section.
>>>>
>>>> From the latest wsc-xit draft, the current text reads:
>>>>
>>>> --- Start ---
>>>> 6.3 Page Security Score
>>>>
>>>> See also: ISSUE-129
>>>>
>>>> Please refer to the following entries in the Working Group's Wiki
> for
>>>> relevant background information:
>> RecommendationDisplayProposals/PageScore
>>>>
>>>> The user agent MUST reduce the state of all security context
>> information
>>>> made available to a single value. A partial order MUST be defined
>
>> on the
>>> set
>>>> of possible values.
>>>>
>>>> The user agent MUST make the security context information value
>> available
>>> to
>>>> the end user, in either primary or secondary chrome.
>>>>
>>>> The user agent MUST make the formula by which the value is
> calculated
>>>> available to the end user. Documentation of the user agent is the
>>> likeliest
>>>> place.
>>>>
>>>> The form of the indicator of this value will depend on the user
>> agent and
>>>> end user abilities. The user agent SHOULD provide a a primary
> chrome
>>>> indicator
>>>>
>>>> --- End ---
>>>>
>>>> Here is my proposed re-written text:
>>>>
>>>> --- Start ---
>>>> 6.3 Page Security Score
>>>>
>>>> See also: ISSUE-129
>>>>
>>>> Please refer to the following entries in the Working Group's Wiki
> for
>>>> relevant background information:
>> RecommendationDisplayProposals/PageScore
>>>>
>>>> The user agent SHOULD provide a means of reducing the collection
> of
>>> security
>>>> context information which is available for any loaded page to a
> numeric
>>>> value (termed a "security confidence estimate").
>>>>
>>>> The calculation algorithm for the "security confidence estimate"
> MAY be
>>> made
>>>> selectable by the end user or offered by separately installed
> user
>> agent
>>>> plug-ins.
>>>>
>>>> The user agent SHOULD provide a visual indicator in primary
> chrome
>> which
>>>> varies relative to the "security confidence estimate" value.
>> Examples of
>>>> such visual indicators (non-normative) are gauges, thermometers,
> a
>>> selection
>>>> of several textual descriptions, and color-gradations.
>>>>
>>>> The visual indicator SHOULD be especially conspicuous in display
>> when the
>>>> "security confidence estimate" value is different than the value
> which
>>> was
>>>> observed for the loaded page in previous visits to the loaded
> page.
>>>>
>>>> The user agent MAY elect to display a visual indicator in primary
>
>> chrome
>>>> only when a change in "security confidence estimate" values is
>> observed.
>>>>
>>>> The user agent MUST make the details of all available security
> context
>>>> information available to the end user, in either primary or
> secondary
>>>> chrome.
>>>>
>>>> If a "security confidence estimate" is provided, the provider of
> the
>>>> implementation MUST make the calculation algorithm by which the
>> "security
>>>> confidence estimate" value is calculated available to the end
> user.
>>>> Documentation for the user agent or plug-in which is employed is
> the
>>>> likeliest place.
>>>>
>>>> The visual realization of the "security confidence estimate"
> value will
>>>> depend on the user agent and end user abilities.
>>>>
>>>> --- End ---
>>>>
>>>>
>>>> Tim Hahn
>>>> IBM Distinguished Engineer
>>>>
>>>> Internet: hahnt@us.ibm.com <mailto:hahnt@us.ibm.com>
>>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>>> phone: 919.224.1565     tie-line: 8/687.1565
>>>> fax: 919.224.2530
>>>>
>>>> [attachment "smime.p7s" deleted by Mary Ellen Zurko/Westford/IBM]
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
> -- 
> /*
> PhD Candidate
> Carnegie Mellon University
>
> "Whoever said there's no such thing as a free lunch was never a grad
> student."
>
> All views contained in this message, either expressed or implied, are
> the views of my employer, and not my own.
> */
>
>
>
>
> The information in this transmittal (including attachments, if any)  
> is privileged and confidential and is intended only for the  
> recipient(s) listed above.  Any review, use, disclosure,  
> distribution or copying of this transmittal is prohibited except by  
> or on behalf of the intended recipient.  If you have received this  
> transmittal in error, please notify me immediately by reply email  
> and destroy all copies of the transmittal.  Thank you.
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Thursday, 24 January 2008 18:09:26 UTC