Re: Security Evaluation Request

> On Apr 8, 2016, at 8:38 AM, Gervase Markham <gerv@mozilla.org> wrote:
> 
> On 06/04/16 21:27, Rich Schwerdtfeger wrote:
>> ARIA is not meant to be the web police. The reality is that people are
>> doing this in the wild and if you are interacting with one of these
>> things and you can’t see the screen you want to know what the intent of
>> the author is. 
> 
> So the target of this feature is people who care enough about web
> accessibility to include ARIA roles, but not enough to use semantic markup?
> 

Companies are required to support accessibility to sell to government agencies, educational institutions, etc. worldwide.

Companies do not use standard HTML markup when they feel it does not meet their needs. It really does not have anything to do with whether the markup is semantically correct. This is happening now and we don’t even have a password role. Companies that must do this for business reasons need a way to make it accessible. 

>> So, we agree that people should not do this but if a user encounters it
>> they need to know what it is for. Does adding the role attribute with a
> value of “password” create a security problem that was not there before?
> 
> Well, it encourages people to use non-password fields for passwords,
> which is arguably a security problem because if people's password
> managers don't save the passwords, they are more likely to use bad
> (simple, short) passwords.

The bigger issue is that passwords as a technology have long outlived their usefulness. The growing world aging population has issues remembering passwords for all the sites they have to gain access to, so they often use a simple, short, easy-to-remember password across all the sites, creating a security issue. To this end even HTML’s password is a security risk as it is much easier to hack. This can result in identity theft and a whole litany of issues. Captchas are also a huge problem for aging users.

The web community needs to fix this bigger issue. 


> 
> Gerv
> 

Received on Friday, 8 April 2016 16:23:30 UTC