WSC WG f2f 2006-11-15

| Context information | Current presentation; how robust is it? (widely deployed) | Possible best practice approach | How reliable is the information? |
|---|---|---|---|
| HTTP response headers of current page | Nothing. Need to check the IANA registry some day. | | |
| Cookie information | Cookies lead to dialogue boxes, dependent on configuration. Used to key display of a shared secret in page content -> enables the user to recognize a site they dealt with before. How far are cookies spread? Where are they replayed? | | |
| Referring page | History on back button; otherwise not visible. Interaction between redirects and history? | | |
| URL | Displayed: address bar. Attacks use the limited size of the text field and overflow it with user:pass@site style URIs. IDN-based attacks against display of URIs / domain names; TLD whitelists are being deployed. Users read URIs in a typo-correcting mode. | | |
| SSL on/off; session properties | (( Completely useless? Why does it say it's not valid? Black and white right now; experience diluted -- dialogue boxes that get ignored. )) The "s" in https; padlock; color changes (Firefox, IE7). Informal agreement: warning when attempting to submit form controls to a non-SSL site when the form was transmitted through TLS. "WARNING, YOU ARE NOW SECURE" dialogues. Information about cyphers used isn't presented, but can be displayed; users rely on cypher suite configuration. Warnings about validity period; can be overridden by user. All cert properties are available, but the user interface is not understandable -- logotype rendered in base64? EV certificate work at CA/Browser Forum -- IE7 implements this; displays organization's name and issuer name. Opera lock item has a number -- MSmith to dig down on what that means. Firefox has different states of lock items; people in the room don't get them -> corollary about usability? Mismatch between domain name in URI and certificate leads to an overridable warning. Unknown CA leads to an overridable warning. Current UI allegedly intended for site debugging purposes. IE7: persistent display of certificate errors, even when overridden by users. | Future UI meme: "secure"? "Approved cryptographic state" vs. "unapproved cryptographic state"? Likely out of scope: separate debugging mode that displays richer but less usable information? Separate user modes? | |
| Configured trust roots | There's a place you can go to look at them. Not understandable. Not available: reputation of CA. Trust root's identity is displayed for EV certs. Different certification policies at the same CA aren't translated into the user interface, but are available as part of the overall cert info display. "This is a certificate authority that you trust for this purpose" (Firefox). | | |
| Browser history, bookmarks, accumulated user agent state? | Password manager state reflected by pre-filling forms. History sidebar. General form-filler support; list of sites that form information has been cached for. | | |
| Reputation service | IE7 phishing filter checks reputation of some URIs; Opera has "something similar". Numerous toolbars. | | |
| Past introductions from friends (e.g. in email) | | | |
| Redirection path | URIs flash up. | | |
| HTML page? (e.g. spam-filter-like techniques) | | | |
| The target URI for a pending request | Mouse over hyperlink -> status bar update. Not displayed for form submission buttons. JavaScript can override behaviors. | | |
| IP address | IP address resolved flashes by. | | |
| Country of origin for IP address | Used / relayed by some anti-phishing tools. | | |
| A blacklist of evil IP addresses | Used / relayed by some anti-phishing tools. | | |
| Your current ISP? | | | |
| Information from external devices (e.g. phone call) | | | |
| Certificate continuity (browser has encountered the certificate in the past) | | | |
| Shared secret knowledge (e.g. a picture, or a password) | | | |
| Personalization (e.g. account history, user's full name) | | | |
| Shared public knowledge (e.g. mother's maiden name, zip code) (ANTI-PATTERN) | | | |
| Does the page contain active content? (e.g. JavaScript) | | | |
| Does the page contain content sourced from distinct servers? | | | |
| Does the page come from the intranet or the Internet? | | | |
| Has the page completed loading? | | | |
| HTTP content in an HTTPS page | | | |
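The two address-bar problems noted in the URL row (userinfo before "@" pushing the effective host out of a size-limited text field, and IDN hosts whose displayed form differs from the wire form) can be checked mechanically from the parsed authority. This is an added example, not part of the meeting notes or of any browser's code; the sample URLs, the 30-character field width and the function names are constructed assumptions.

```python
import urllib.parse

# Constructed sample URLs (not from the meeting notes). The second one puts a
# plausible-looking name in the userinfo part so the real host sits past
# the visible width; the third uses a punycode (IDN) host.
SAMPLE_URLS = [
    "https://www.bank.example/login",
    "https://www.bank.example:login@evil.example/",
    "https://xn--bcher-kva.example/",
]

ADDRESS_BAR_WIDTH = 30  # assumed visible characters; real widths differ per browser


def idn_forms(host):
    """Return (ascii_form, unicode_form) of a host via Python's IDNA codec."""
    ascii_form = host.encode("idna").decode("ascii")
    unicode_form = ascii_form.encode("ascii").decode("idna")
    return ascii_form, unicode_form


def analyse_url(url, width=ADDRESS_BAR_WIDTH):
    """Return (effective_host, warnings) for a URL as a user would see it in a
    width-limited address bar. Per RFC 3986 the host is what follows the last
    '@' of the authority, not the text a reader sees first."""
    parts = urllib.parse.urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.username is not None:
        warnings.append("userinfo before '@': leading text is not the host")
    if host and host not in url[:width]:
        warnings.append(f"effective host not within first {width} characters")
    if host:
        ascii_form, unicode_form = idn_forms(host)
        if ascii_form != unicode_form:
            warnings.append(f"IDN host: {ascii_form} displays as {unicode_form}")
    return host, warnings


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        host, warnings = analyse_url(sample)
        print(sample, "->", host, warnings or "ok")
```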