WebApp Sec: Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...

[Amir Herzberg <herzbea () cs biu ac il>]

Yvan G.J. Boily wrote:
...
> Users who are not savvy enough to understand the importance of verifying the
> SSL certificate and ensuring the data they are sending will be transmitted
> using SSL will not be granted any higher level of security by a "protected"
> login as it requires an understanding of SSL and what it means in terms of
> verifying the authenticity of the site.
I think you will agree, that this statement is based on your intuition 
rather than on real research and data. My intuition is different: I 
believe that by presenting a sufficiently simple interface, even most 
naive users will be able to detect a spoofed web page (e.g. as result of 
phishing attack). But I am also conducting experiments to validate my 
(or your) intuition; preliminary results seem to support my belief. 
Also, I think that you should, in fairness, try our tool (TrustBar) to 
evaluate whether it may help (naive, off-guard and savvy) users. I am 
very interested in your evaluation (although, based on your notes, it is 
unlikely to be very excited...).
...
> Your trust bar is simply a trivial extension of features that already exist,
> and will certainly be useful enough for users with the knowledge and
> awareness to understand what it is to look for,
Well, that's already something, isn't it?
> but popping up messages
> saying things like "Warning: this page is not protected", without offering
> further information to improve awareness, or a more meaningful message poses
> the same risk.  
I quite agree with you here. We should - and will - add information 
explaining what an `unprotected site` means and what the user can do.
> This is especially so when you are referring to a standard
> practice which does not pose a credible risk.
But it does! Unprotected login pages are, well, unprotected, and 
therefore could be spoofed without this being noticed by most (naive) 
users - and this will happen even if these users use TrustBar which 
allows them to easily identify (protected) pages (and avoid spoofed 
versions of them).
> As security professionals we have an obligation to reduce the dilution of
> security warnings, and to demystify the warnings we release.  People with
> knowledge in a field *must* apply that knowledge and filter the output of
> that knowledge so that people outside of the field can understand the most
> relevant information.  Doctors, Pharmacists, Lawyers, Financial Analysts,
> Accountants, and numerous other publicly accessible professions build
> careers on translating jargon into language people can use and work with.  
With this I completely agree and this is part of the contribution of 
TrustBar... (try it and you'll see what I mean)
> If everyone in the security field starts hanging off lamp-posts and
> screaming the world is going to end, no-one is going to take us seriously,
Hey, what are you talking about? I just pointed out these pages are 
unprotected, and that's a fact.
> and no one is going learn anything because people tend to shy away from
> hysterics.  Discussing potential threats in a theoretical context is
> valuable so that we can develop skill-sets, but creating and releasing tools
> that are little more than UI fixes and billing them as security tools is
> bordering on negligent.
I disagree; I think secure UI is a critical element of security.

Best, Amir Herzberg