[cap-talk] Firefox and identifiability, small steps or large
Ka-Ping Yee
cap-talk at zesty.ca
Wed Feb 9 08:39:18 EST 2005
On Wed, 9 Feb 2005, Ian G wrote:
> Ka-Ping Yee wrote:
> >Are there any studies that evaluate the effectiveness of
> >existing anti-phishing measures with real users?
>
> Both of below did small scale trials on 10 - 50 users.
[...]
> 1. TrustBar: Protecting (even Naive) Web Users from Spoofing and
> Phishing Attacks, Amir Herzberg and Ahmad Gbara
> http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm
I've read that paper. What they did is not a user study at all;
it was merely a questionnaire. It's certainly better than nothing,
but it is not a user study. For the results to be applicable, the
tests should take place while users are actually interacting with
a browser normally.
Moreover, the entire TrustBar model places absolute trust in
centralized CAs even though there is no trust relationship between
the user and the CA. So, depending on your opinion concerning CAs,
you might consider TrustBar to be solving the wrong problem.
> 2. Zishuang (Eileen) Ye, Sean Smith: Trusted Paths for Browsers.
> USENIX Security Symposium 2002, pp. 263-279.
> http://www.informatik.uni-trier.de/~ley/db/conf/uss/uss2002.html#YeS02
The study described in this paper is not a study of phishing. It
tests only to see if users can distinguish trusted and untrusted
windows according to their flashing borders.
(Although the synchronized random flashing of borders is a
technically valid solution for distinguishing windows, I believe
it is a non-starter in any real application. Notice that the user
study did not ask any users whether they would actually WANT to
use a browser full of constantly flashing thick rectangles, or
how many minutes of such use they would be able to stand before
walking away with a pounding headache.)
Has anyone heard of any studies in which users actually interacted
with an anti-phishing tool?
-- ?!ng