WebApp Sec mailing list archives
Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...
From: Amir Herzberg <herzbea () cs biu ac il>
Date: Wed, 27 Oct 2004 09:20:34 +0200
Yvan G.J. Boily wrote: ...
I think you will agree, that this statement is based on your intuition rather than on real research and data. My intuition is different: I believe that by presenting a sufficiently simple interface, even most naive users will be able to detect a spoofed web page (e.g. as result of phishing attack). But I am also conducting experiments to validate my (or your) intuition; preliminary results seem to support my belief. Also, I think that you should, in fairness, try our tool (TrustBar) to evaluate whether it may help (naive, off-guard and savvy) users. I am very interested in your evaluation (although, based on your notes, it is unlikely to be very excited...).Users who are not savvy enough to understand the importance of verifying the SSL certificate and ensuring the data they are sending will be transmitted using SSL will not be granted any higher level of security by a "protected" login as it requires an understanding of SSL and what it means in terms of verifying the authenticity of the site.
...
Your trust bar is simply a trivial extension of features that already exist, and will certainly be useful enough for users with the knowledge and awareness to understand what it is to look for,
Well, that's already something, isn't it?
I quite agree with you here. We should - and will - add information explaining what an `unprotected site` means and what the user can do.but popping up messages saying things like "Warning: this page is not protected", without offering further information to improve awareness, or a more meaningful message posesthe same risk.
But it does! Unprotected login pages are, well, unprotected, and therefore could be spoofed without this being noticed by most (naive) users - and this will happen even if these users use TrustBar which allows them to easily identify (protected) pages (and avoid spoofed versions of them).This is especially so when you are referring to a standard practice which does not pose a credible risk.
With this I completely agree and this is part of the contribution of TrustBar... (try it and you'll see what I mean)As security professionals we have an obligation to reduce the dilution of security warnings, and to demystify the warnings we release. People with knowledge in a field *must* apply that knowledge and filter the output of that knowledge so that people outside of the field can understand the most relevant information. Doctors, Pharmacists, Lawyers, Financial Analysts, Accountants, and numerous other publicly accessible professions buildcareers on translating jargon into language people can use and work with.
Hey, what are you talking about? I just pointed out these pages are unprotected, and that's a fact.If everyone in the security field starts hanging off lamp-posts and screaming the world is going to end, no-one is going to take us seriously,
and no one is going learn anything because people tend to shy away from hysterics. Discussing potential threats in a theoretical context is valuable so that we can develop skill-sets, but creating and releasing tools that are little more than UI fixes and billing them as security tools is bordering on negligent.
I disagree; I think secure UI is a critical element of security. Best, Amir Herzberg
Current thread:
- Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... Amir Herzberg (Oct 28)
- RE: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... Yvan G.J. Boily (Nov 01)