Tyler Close wrote:
> Hi Amir,
>
> I missed you at the TIPPI workshop. It's too bad you weren't able to
> attend.

Sorry, I heard about it too late, couldn't make it. I think such
meetings could help us a lot.

> There was some interesting data presented; some of which is
> directly relevant to TrustBar. See below.
>
> On 6/21/05, Amir Herzberg <[EMAIL PROTECTED]> wrote:
>>> 4. No (or minimal) input from user.
>> Agreed; and in fact, I believe `provide useful function even with no
>> input` is actually a good goal, and we meet (even) that.
>>> 5. Easy to use.
>> You could elaborate 5th a lot: trivially easy to use, idiot-proof, fail
>> safely, ...
>> Our usability experiments show TrustBar meets this as well.
>
> The MIT user study I wrote about in a previous post made use of the
> TrustBar. According to their results, users failed to detect a
> phishing attack in approximately 50% of cases when the TrustBar was
> present in the browser. This result was common across all the passive
> anti-phishing tools they tested. The conclusion they presented was
> that passive anti-phishing tools will not address the problem. What
> are your thoughts on this result?
1. I would appreciate a copy / link / email to be able to read ...
2. My data, with early versions of TrustBar, is not very different. We
changed the perception rate from 15% to 50%. I also tried to analyze and
improve, see next items... And I look forward to new usability tests
using our new version, which was improved based on the previous
experience, users' feedback, and learning from others e.g. you.
3. I'm not 100% sure that the ability to rename a site (`petname`) is
what will make a difference. Frankly, I think only a minority of users
will use it. OTOH, I think it is a very useful feature - for some
users. We actually had this ability in TrustBar from the beginning, but
it was not easy to use (in a popup). So in our next release (0.4), in
pre-alpha now, it is really trivial to rename the site, just like with
your petname tool. If your goal (like mine) is simply to fix browser
security, I think you should seriously evaluate this new version (which
I can send you already if you like), help us refine it, maybe we can
converge our efforts. I am glad to learn from others (e.g. you). BTW, we
also learn from SpoofStick, which only does one thing really: display
the domain name. So, we'll use the domain name as the default name.
4. What I think was a major problem in our previous design was that for
unprotected sites, it `just` displayed a very prominent warning. Users
took it as `false positive` and ignored it. We now try to provide value
on all sites.
Best, Amir Herzberg
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security