RE: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...

["Yvan G.J. Boily" <yboily () seccuris com>]

You have completely missed the point; I wasn't arguing that the login page
should be protected, or that they already are.  I was arguing that your
proposed requirement for a "secure" pre-login site is pointless.

Users who are not savvy enough to understand the importance of verifying the
SSL certificate and ensuring the data they are sending will be transmitted
using SSL will not be granted any higher level of security by a "protected"
login as it requires an understanding of SSL and what it means in terms of
verifying the authenticity of the site.

The "security" issue you are attempting to address is not an issue of
technical control, but rather a need for increased awareness.  You cannot
overcome the human factor entirely with technology; at some point you have
to place responsibility in the hands of the user.  Sometimes this means that
the end user will be harmed by the technology; it is a risk we take whenever
we use a technology we don't fully understand.

Your trust bar is simply a trivial extension of features that already exist,
and will certainly be useful enough for users with the knowledge and
awareness to understand what it is to look for, but popping up messages
saying things like "Warning: this page is not protected", without offering
further information to improve awareness, or a more meaningful message poses
the same risk.  This is especially so when you are referring to a standard
practice which does not pose a credible risk.

As security professionals we have an obligation to reduce the dilution of
security warnings, and to demystify the warnings we release.  People with
knowledge in a field *must* apply that knowledge and filter the output of
that knowledge so that people outside of the field can understand the most
relevant information.  Doctors, Pharmacists, Lawyers, Financial Analysts,
Accountants, and numerous other publicly accessible professions build
careers on translating jargon into language people can use and work with.  

If everyone in the security field starts hanging off lamp-posts and
screaming the world is going to end, no-one is going to take us seriously,
and no one is going learn anything because people tend to shy away from
hysterics.  Discussing potential threats in a theoretical context is
valuable so that we can develop skill-sets, but creating and releasing tools
that are little more than UI fixes and billing them as security tools is
bordering on negligent.

Regards,
Yvan

-----Original Message-----
From: Amir Herzberg [mailto:herzbea () cs biu ac il] 
Sent: Tuesday, October 26, 2004 7:51 AM
To: yboily () seccuris com
Cc: webappsec () securityfocus com; dwall () yozons com
Subject: Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!,
Chase, ...

<snip>

> The reason this is important is because you claim the "lock" icon is 
> misleading.  I say that the lock icon is more intuitive than a "trust bar"
> or the SSL warnings.  People using e-commerce sites have been 
> indoctrinated to "look for the padlock" and "click on it for more
information".
That's an interesting possibility... I didn't get this feedback in the
surveys we did so far, but I'll try to check specifically for it in the
future. BTW, I tried doing it on the Chase site and still didn't find any
way to reach a protected login page there... is there?

 
> It is my opinion that you are likely doing more damage than good by 
> spreading fear, uncertainty, and doubt about a widely used, and 
> commonly accepted practice to which your proposed solution does 
> essentially nothing about.
Sorry, that's not my intention. In all your arguments, I didn't see an
answer to my simple question: why don't they protect the login page??? 
Considering that there is a trivial fix to the problem, and that I've
pointed it out to all these sites before informing others, I can't really
see where you find me wrong.

<snip>