Ka-Ping Yee wrote:
On Fri, 11 Mar 2005, Ian G wrote:

OK, so MAJOR point #1:  The meaning of the padlock.

> 2. Acknowledge the typical user's expectation that the display of a
> padlock is something associated primarily with e-commerce or financial
> sites, and basically means "it's safe for you to enter sensitive
> financial or other personal information on this page".

I feel this is uncertain.  Here are some reasons why
I feel short of subscribing to this:

  a.  There is very little documentary evidence of
      that meaning, or indeed of any others.


Empirical data about user perceptions of the padlock icon is pretty
scarce.  But there has been at least one study that i know of:

    Users' Conceptions of Web Security: A Comparative Study.

    by Batya Friedman, David Hurley, Daniel C. Howe, Edward Felten,
    and Helen Nissenbaum.  Extended abstracts of CHI 2002, p. 746-747.


OK!  So I have to change my (a) above to be "There isn't that much..." :)


This is interesting work. As I read it, there is a 40-50% failure rate in recognising a non-secure connection by what we'd call "average users." Now, this was done with static pages, presented in isolation, so it isn't an entirely fair test of real life. If there was a sequence of clicking and feedback, I'd expect that number to come down (improve).

There is some support for Frank's claim #2, but I don't think
the paper tested that:  if you combine the high reliance on
the padlock/key icon (2.) with the high failure rate based on
type of information (4.) then one could suggest that users
are thinking about the padlock *and* entering info at the
same time.  But I wouldn't bet any money on that one!

Next.  Average users have only a poor understanding of what
'secure connection' means.  It seems that over half of them
did not understand that HTTPS' definition of secure is about
confidentiality and correct delivery over the wire, according
to the drawing test.

I find it curious that there was such a high misunderstanding
on 'secure'.  I wonder here if the users were thinking that
'secure' means the data is protected, and the data threats
are mostly on the website, not on the wire.  (e.g., if ever
one reads of hack or bust or fraud, it's always on the site,
never on the wire, even for open protocols.)  So it may be
that users are acquiring their definition from the real world
of threats rather than the textbook definition of what HTTPS
covers.


*** Everyone who is doing browser security should read this paper. ***

It's very short -- just two pages -- so you only have to spare
five minutes.


That I agree with.  Definitely.


Here's another study by the same folks that's worth reading:

    User's Conceptions of Risks and Harms on the Web: A Comparative Study.

    by Batya Friedman, Helen Nissenbaum, David Hurley, Daniel C. Howe,
    Edward Felten.  Extended abstracts of CHI 2002, p. 614-615.


I was not able to draw much from that study.  Interesting reading,
but the thing that struck me is that it was too early, seems like about
2001 before the current environment shifted into threat mode.

A search on scholar.google.com for

    "users conceptions" friedman

turns up both papers:

    http://www.ischool.washington.edu/networksecurity/Articles/Web_Security.pdf
    http://www.ischool.washington.edu/networksecurity/Articles/Risks_Harms_Web.pdf

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security