[liberationtech] [messaging] Informing the user they have the wrong key

L Jean Camp ljeanc at gmail.com
Mon Oct 13 16:35:02 PDT 2014


What the user sees right now is simple bold text statements based on their
action.

"This is not a bank" if you try to enter your password.

"This certificate is one day old" with choices to go anyway, get out, or go
carefully (meaning scripts disabled).

And we block for rogue certs.

So determining the context is where we are really working.  It is when the
person seems to be in one context and then shifts wildly.



Prof. L. Jean Camp
http://www.ljean.com
Human-Centered Security
http://usablesecurity.net/
Economics of Security
http://www.infosecon.net/
Congressional Fellow
http://www.ieeeusa.org/policy/govfel/congfel.asp

On Mon, Oct 13, 2014 at 6:25 PM, Tony Arcieri <bascule at gmail.com> wrote:

> On Mon, Oct 13, 2014 at 3:14 PM, L Jean Camp <ljcamp at indiana.edu> wrote:
>
>> We approach by providing information on order-of-magnitude risk. If
>> someone is MITM while you are in an airport looking at Washington Post you
>> probably do not care. When you log in to work or some other system, then
>> the risk you are looking at, combined with your individual risk posture and
>> momentary context determines if this is acceptable.
>>
>
> This doesn't answer how, but when. This is an admirable goal, but what is
> the mechanism for alerting the user? What does the user see? What actions
> can the user take based on this notification?
>
> This question is specifically directed at the user experience.
>
> --
> Tony Arcieri
>