Re: ISSUE-161: Be clearer about security indicator images [wsc-xit]

That's where we're currently at anyways. According to 3rd party research (
i.e. I'm not talking about any Google data here), sites with the TRUSTe seal
of approval are 2x as likely to be spammy / have spyware or malware than
sites without the seal. (
http://www.theregister.co.uk/2006/09/26/truste_privacy_seal_row/  - granted,
it's the register, but links to the original study). And that's only looking
at sites that can legitimately use the seal of approval... that's saying
nothing about the sites that just rip off the image and shove it on there.
I'm guessing you can figure out for yourself whether those sites are likely
to be "behaving sites" or "malicious sites".

Not that I think that "banning" the lock in content area is going to make a
difference - sites will do it anyways, I can't honestly imagine Bank of
America or US Bank or Wells Fargo really agreeing to take the plunge and
remove it - but I just wanted to point out that we're already in that murky
situation.

On Jan 5, 2008 2:46 AM, Serge Egelman <egelman@cs.cmu.edu> wrote:

>
> >
> > ISSUE-161: Be clearer about security indicator images [wsc-xit]
> >
> > http://www.w3.org/2006/WSC/track/issues/
> >
> > Raised by: Mary Ellen Zurko On product: wsc-xit
> >
> > 9.1
> >
> > "trust indicating images" is way too general. Sites want to look
> > trustworthy. If only behaving sites don't look trustworthy, only
> > malicious sites will. My proposal:
> >
> > Web pages MUST NOT include images used by widely deployed web user
> agents
> > to represent specific security context states or values. For example,
> > padlocks in the web content.
> >
>
> But then aren't we still in the same place where "only behaving sites
> don't look trustworthy, only malicious sites will."  This would mean that
> only malicious sites will show padlocks in the content.
>
>
> serge
>
>
>