Adam Shostack wrote:

Have you run end-user testing to demonstrate the user-acceptability of
Trustbar?



Yes, this was asked over on the cap-talk list. Below is what I posted there. I'm somewhat sympathetic, as doing a real field trial which involves testing real responses to a browser attack raises all sorts of Heisenberg uncertainty / experimental method issues. Off the top of my head, I think this is a really tricky problem, and if anyone knows how to test security breaches on ordinary users, shout!


Ka-Ping Yee wrote:

1. TrustBar: Protecting (even Naive) Web Users from Spoofing and
Phishing Attacks, Amir Herzberg and Ahmad Gbara
http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm


I've read that paper. What they did is not a user study at all;
it was merely a questionnaire. It's certainly better than nothing,
but it is not a user study. For the results to be applicable, the
tests should take place while users are actually interacting with
a browser normally.



I agree it wasn't much. But it was a bit more than just a multiple choice:


"The second goal of the third question was to evaluate whether the use of TrustBar is likely to improve the ability of users to discern between unprotected sites, protected sites and spoofed (fake) sites. For this purpose, we gave users a very brief explanation on the TrustBar security indicators, and then presented three additional screen shots, this time using a browser equipped with TrustBar. Again, the screen shots are presented in Appendix B, and each was presented for 10 to 15 seconds, taken using Mozilla in the Amazon web site. We leave it as a simple exercise to the reader to identify the protected, unprotected and spoofed (fake) among these three screen shots.


"The results provide positive indication supporting our belief that the use of TrustBar improves the ability of (naïve) web users to discern between protected, unprotected and fake sites. Specifically, the number of users that correctly identified each of the three sites essentially doubled (to 21, 22 and 29)."

That would rate as a simulation rather than a field trial, I guess.


-- iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/


--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]