RE: Browser security warning

I agree with Tim.  The challenge we face is making security context
usable (understandable) to both your grandmother and your sys admin.
Luckily GUI designers offer a variety of ways to do this.  Tailoring
messages & indicators to different user personas is one.

However, if forced to choose between the two user extremes, I'll go with
granny every time.  It's the 80-20 rule and it's where the need is
greatest.

Michael McCormick, CISSP 
Lead Architect, Information Security 

This message may contain confidential and/or privileged information.  If
you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action based on
this message or any information herein.  If you have received this
message in error, please advise the sender immediately by reply e-mail
and delete this message.  Thank you for your cooperation.


From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Timothy Hahn
Sent: Friday, December 22, 2006 8:48 AM
To: public-wsc-wg@w3.org
Subject: Re: Browser security warning

Hi all, 

My opinion here is that much of what Michael points out below
reinforces my point about having to know who we are interacting with.
What is informative to one "user" will be useless and unintelligible to
another. 

I think we need to cater to different user personas (and vary the
information we provide based on "who" we're interacting with).  Here, I
defer to colleagues who are HCI experts (which does not include
me). 

Happy Holidays, 
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530

"Michael(tm) Smith" <mikes@opera.com>
Sent by: public-wsc-wg-request@w3.org
12/22/06 06:34 AM
To: public-wsc-wg@w3.org
cc:
Subject: Re: Browser security warning

michael.mccormick@wellsfargo.com, 2006-12-21 11:58 -0600:

> I just tried to access a reputable web site that issues its own
> SSL certs

How exactly did you make the determination that it's reputable?
(I'm not being facetious.) How could a user be expected to tell it
apart from an unreputable site that has a self-signed cert?

For sites with self-signed certs, I think there's growing support
for the idea of simply not showing any security indicators at all.
If we were to do that consistently across browsers, users would
never see any warning dialog at all for this case, nor any padlock
icon or anything else to indicate that the site has a cert.

> and got this warning message from IE6:
> "You are about to install a certificate from a CA claiming to
> represent www.x9.org.  Windows cannot validate that the
> certificate is actually from www.x9.org.  You should confirm its
> origin by contacting www.x9.org.  The following number will
> assist you in this process:
> Thumbprint (sha1): 8FBF6185 1D390508 F04BA0CB 31F4C4C E5310DAE.
> 
> "Installing a certificate with an unconfirmed thumbprint is a
> security risk.  If you click Yes you acknowledge this risk.  Do
> you want to install this certificate?"

I guess in part this is a case of the application providing too much
information. Maybe the part that says "Windows cannot validate
that the certificate is actually from www.x9.org" is enough.

Here's what a few other browsers say for the same site:

-----------------------------------------------------------------
The root certificate for this server is not registered. You may
install this certificate. Accept/install?

- The root certificate from "www.x9.org" is not known to Opera.
Opera cannot decide if this certificate can be trusted.
-----------------------------------------------------------------

-----------------------------------------------------------------
 The server certificate failed the authenticity test.

 Certificate is self-signed and thus may not be trustworthy.
 ...
-----------------------------------------------------------------

-----------------------------------------------------------------
 Unable to verify the identity of www.x9.org as a trusted site.
 Possible reasons for this error:
 - Your browser does not recognize the Certificate Authority that
 issued the site's certificate.
 - The site's certificate is incomplete due to a server
 misconfiguration.
 - You are connected to a site pretending to be www.x9.org,
 possibly to obtain your confidential information.

 Please notify the site's webmaster about this problem.

 Before accepting this certificate, you should examine this
 site's certificate carefully. Are you willing to to accept this
 certificate for the purpose of identifying the Web site
 www.x9.org?
-----------------------------------------------------------------

> I'm a security professional and even I find this message very
> hard to understand and almost completely unactionable.  An
> ordinary user would ask:
> *                 What is a certificate?
[...]

It's going to be very hard for any browser to provide information
about the problem without mentioning the word "certificate".

How would you suggest the browser could make an ordinary user
understand what a certificate is so that the user can take action
when encountering this case (a site with a self-signed cert for
which no browser is going to have a root certificate)?

Or do you think browsers should not even bother trying to warn
users about sites with self-signed certs? (That is, just treat
them as they would an unsecure site without any cert.)

 --Mike

-- 
Michael(tm) Smith
Opera Software, Tokyo
xmpp:smith@sideshowbarker.net
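The two facts the quoted dialogs key on, as an added example that is not from this thread or from any of the browsers named in it: whether the certificate is self-signed (issuer Name equal to subject Name, the condition behind the "Certificate is self-signed" wording above) and the SHA-1 thumbprint that the IE6 text asks the user to confirm out of band. The certificate it inspects is a constructed skeleton built inline with a placeholder key and signature so the code runs offline; a real client additionally verifies the signature with the subject's own public key before treating a cert as self-signed, and treats an issuer it does not know as "needs a trusted root", which is the case that produces the warnings discussed.

```python
import hashlib

def der(tag, body):
    """Encode one DER TLV, using the long length form when the body exceeds 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def seq(*items):
    return der(0x30, b"".join(items))

def read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2     # tag, first length byte
    if n & 0x80:                                       # long form: low bits = byte count
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n              # (tag, value, position after)

def name(cn):  # X.500 Name with a single commonName attribute (OID 2.5.4.3)
    return seq(der(0x31, seq(der(0x06, b"\x55\x04\x03"), der(0x13, cn.encode()))))

def make_cert(subject_cn, issuer_cn):
    """Constructed skeletal X.509 v3 DER cert: real structure, placeholder key/signature."""
    alg = seq(der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    validity = seq(der(0x17, b"061222000000Z"), der(0x17, b"071222000000Z"))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, name(issuer_cn),
              validity, name(subject_cn), seq(alg, der(0x03, b"\x00" * 17)))
    return seq(tbs, alg, der(0x03, b"\x00" * 33))

def issuer_and_subject(cert_der):
    """Walk tbsCertificate and return the raw DER of its issuer and subject Names."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = read_tlv(tbs, pos)
        fields.append((tag, val))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # drop explicit [0] version
    return fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject, ...

def classify(cert_der):
    """'self-signed' when issuer equals subject, else 'issued-by-other' (needs a trusted root)."""
    issuer, subject = issuer_and_subject(cert_der)
    return "self-signed" if issuer == subject else "issued-by-other"

def thumbprint(cert_der):
    """SHA-1 over the DER cert, in the 8-hex-digit groups the IE6 dialog shows the user."""
    h = hashlib.sha1(cert_der).hexdigest().upper()
    return " ".join(h[i:i + 8] for i in range(0, 40, 8))
```

Note that the thumbprint is the only value a user can actually check against something the site operator publishes out of band; the issuer/subject comparison only tells the client which of the quoted wordings applies.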

Received on Thursday, 28 December 2006 06:07:21 UTC