Hi Heikki,

On 6/19/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> >
> >>     4. No (or minimal) input from user.
> >
> > At the TIPPI workshop, a user study was presented that showed that
> > passive anti-phishing tools such as those provided by Firefox,
> > Netcraft and others failed to protect the user from a phishing attack
> > in over 50% of attacks. The user study was conducted at MIT.
> 
> You missed "or minimal".

A reasonable conclusion to draw from the MIT study is that if the user
is not actively involved in the protection mechanism, he will ignore
it. If there is "No input from user", the mechanism will be ignored by
the user and fail. No input is an anti-goal, not a goal.

I took your "(or minimal)" qualification to mean you were willing to
provide some wiggle room if we really needed it, but that you'd
prefer to have no user input. Your restriction certainly does not
leave me with the impression that user input is a requirement.

In this case, a user study shows that your instincts for what is
needed in an anti-phishing tool were wrong. It's OK to admit being
wrong. It's going to happen, lots, to all of us.

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
