![webappsec logo](/images/webappsec-logo.png)
WebApp Sec mailing list archives
RE: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...
From: "Yvan G.J. Boily" <yboily () seccuris com>
Date: Tue, 26 Oct 2004 09:14:34 -0500
You have completely missed the point; I wasn't arguing that the login page should be protected, or that they already are. I was arguing that your proposed requirement for a "secure" pre-login site is pointless. Users who are not savvy enough to understand the importance of verifying the SSL certificate and ensuring the data they are sending will be transmitted using SSL will not be granted any higher level of security by a "protected" login as it requires an understanding of SSL and what it means in terms of verifying the authenticity of the site. The "security" issue you are attempting to address is not an issue of technical control, but rather a need for increased awareness. You cannot overcome the human factor entirely with technology; at some point you have to place responsibility in the hands of the user. Sometimes this means that the end user will be harmed by the technology; it is a risk we take whenever we use a technology we don't fully understand. Your trust bar is simply a trivial extension of features that already exist, and will certainly be useful enough for users with the knowledge and awareness to understand what it is to look for, but popping up messages saying things like "Warning: this page is not protected", without offering further information to improve awareness, or a more meaningful message poses the same risk. This is especially so when you are referring to a standard practice which does not pose a credible risk. As security professionals we have an obligation to reduce the dilution of security warnings, and to demystify the warnings we release. People with knowledge in a field *must* apply that knowledge and filter the output of that knowledge so that people outside of the field can understand the most relevant information. Doctors, Pharmacists, Lawyers, Financial Analysts, Accountants, and numerous other publicly accessible professions build careers on translating jargon into language people can use and work with. If everyone in the security field starts hanging off lamp-posts and screaming the world is going to end, no-one is going to take us seriously, and no one is going learn anything because people tend to shy away from hysterics. Discussing potential threats in a theoretical context is valuable so that we can develop skill-sets, but creating and releasing tools that are little more than UI fixes and billing them as security tools is bordering on negligent. Regards, Yvan -----Original Message----- From: Amir Herzberg [mailto:herzbea () cs biu ac il] Sent: Tuesday, October 26, 2004 7:51 AM To: yboily () seccuris com Cc: webappsec () securityfocus com; dwall () yozons com Subject: Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... <snip>
The reason this is important is because you claim the "lock" icon is misleading. I say that the lock icon is more intuitive than a "trust bar" or the SSL warnings. People using e-commerce sites have been indoctrinated to "look for the padlock" and "click on it for more
information". That's an interesting possibility... I didn't get this feedback in the surveys we did so far, but I'll try to check specifically for it in the future. BTW, I tried doing it on the Chase site and still didn't find any way to reach a protected login page there... is there?
It is my opinion that you are likely doing more damage than good by spreading fear, uncertainty, and doubt about a widely used, and commonly accepted practice to which your proposed solution does essentially nothing about.
Sorry, that's not my intention. In all your arguments, I didn't see an answer to my simple question: why don't they protect the login page??? Considering that there is a trivial fix to the problem, and that I've pointed it out to all these sites before informing others, I can't really see where you find me wrong. <snip>
Current thread:
- Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... Amir Herzberg (Oct 28)
- RE: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... Yvan G.J. Boily (Oct 28)