This morning I attempted to login to Flickr, and something was different.Â My security seal was gone.Â I have to say that the designer earned his/her paycheque — The visual cue worked perfectly.Â Â My screen went from this: To this
Great!Â I have become aware of a possible scary event!Â Now how do I act?
The help file says to restart your browser and manually type in the Yahoo!Â URL. This makes sense as an obvious countermeasure against phishing – but it didn’t help me.Â Â My seal is just gone.Â The help file opines:
- Your cookies were cleared. In some rare instances, if you use certain web browsers and you clear your cookies, you may lose your sign-in seal and you will need to re-create it. Clearing cookies should not remove the seal for most users; however, if your seal disappears, please check that your browser is not set to clear cookies on browser close.
Hold on — I always clear my cookies on browser close.Â Â That’s all it takes to remove my security seal???Â Why has it stuck around for the last six months only to disappear today?Â Â Color me confused.
Now that I’ve looked at it in detail, I think the Yahoo! Security Seal is actually a really good security measure.Â It is simple, it is effective for what it is intended, and the actions expected in the case where the ‘danger event’ occurs are reasonable and effective.Â Â Â Problem is,Â I’m already disincented to recreate my seal.Â Â Why place any trust in something that can disappear for all sorts of other reasons besides being phished?Â How many times will users act correctly in the case of the seal disappearing, only to find out that they’ve been on a fool’s errand?Â And now they have to set up the security device all over again?Â From a signalling perspective, it’s an epic FAIL followed by a barrier to continuation.Â I just don’t think that’s going to fly.
“Why has it stuck around for the last six months only to disappear today?” Perhaps your browser, on browser close, only was clearing those cookies which had no expiration date, and seal was based on a cookie had an expiration date which had finally past?
Now that you’ve said that, I did some simple experimenting – looks like the cookie is called “YL”; deleting that cookie removes the security seal – however the new cookie has an expiry of 2037. Perhaps they have bumped up the longevity since I first created my security seal? It’s hard to say. I guess at least I’ll know for sure it isn’t expiry if my seal disappears again in the next decade or two :)