| Subject: | Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... |
|---|---|
| Date: | Wed, 27 Oct 2004 09:20:34 +0200 |
Yvan G.J. Boily wrote:

> ...
> Users who are not savvy enough to understand the importance of verifying the SSL certificate and ensuring the data they are sending will be transmitted using SSL will not be granted any higher level of security by a "protected" login as it requires an understanding of SSL and what it means in terms of verifying the authenticity of the site.

I think you will agree that this statement is based on your intuition rather than on real research and data. My intuition is different: I believe that by presenting a sufficiently simple interface, even most naive users will be able to detect a spoofed web page (e.g. as a result of a phishing attack). But I am also conducting experiments to validate my (or your) intuition; preliminary results seem to support my belief. Also, I think that you should, in fairness, try our tool (TrustBar) to evaluate whether it may help (naive, off-guard and savvy) users. I am very interested in your evaluation (although, based on your notes, it is unlikely to be very excited...).

> Your trust bar is simply a trivial extension of features that already exist, and will certainly be useful enough for users with the knowledge and awareness to understand what it is to look for,

Well, that's already something, isn't it?

> but popping up messages saying things like "Warning: this page is not protected", without offering further information to improve awareness, or a more meaningful message poses the same risk.

I quite agree with you here. We should - and will - add information explaining what an "unprotected site" means and what the user can do.

> This is especially so when you are referring to a standard practice which does not pose a credible risk.

But it does! Unprotected login pages are, well, unprotected, and therefore could be spoofed without this being noticed by most (naive) users - and this will happen even if these users use TrustBar, which allows them to easily identify (protected) pages (and avoid spoofed versions of them).

> As security professionals we have an obligation to reduce the dilution of security warnings, and to demystify the warnings we release. People with knowledge in a field *must* apply that knowledge and filter the output of that knowledge so that people outside of the field can understand the most relevant information. Doctors, Pharmacists, Lawyers, Financial Analysts, Accountants, and numerous other publicly accessible professions build careers on translating jargon into language people can use and work with.

With this I completely agree, and this is part of the contribution of TrustBar... (try it and you'll see what I mean)

> If everyone in the security field starts hanging off lamp-posts and screaming the world is going to end, no-one is going to take us seriously, and no one is going to learn anything because people tend to shy away from hysterics.

Hey, what are you talking about? I just pointed out these pages are unprotected, and that's a fact.

> Discussing potential threats in a theoretical context is valuable so that we can develop skill-sets, but creating and releasing tools that are little more than UI fixes and billing them as security tools is bordering on negligent.

I disagree; I think secure UI is a critical element of security.
Best, Amir Herzberg