Fw: ACTION-156: List of privacy and security indicators

> Indicators that pop-up pages have been blocked, often with an option
> to allow the pop-up to be displayed

I guess this uses the definition of privacy as the "right to be left 
alone". Although really pop-ups still don't seem like a security or 
privacy thing to me. 

> Then, there are a few indicators that I have not encountered, but 
> would like to:

If you transfer that to the wiki, we can discuss it in as a lightening 
recommendation. 

> 
> Chuck Wade <Chuck@Interisle.net> 
> Sent by: public-wsc-wg-request@w3.org
> 
> 03/25/2007 11:05 PM
> 
> To
> 
> public-wsc-wg@w3.org
> 
> cc
> 
> Subject
> 
> ACTION-156: List of privacy and security indicators
> 
> Folks,
> 
> I volunteered to start a thread where we begin to list the privacy 
> and security indicators that are in use today from the client side 
> of a web interaction. I'm sure that my list below is incomplete, but
> I'm also intrigued by how many indicators are already used by one 
> browser or another, or by plugins available for popular browsers. 

> The oft-maligned, poorly-understood, "padlock" icon--perhaps the 
> most consistent indicator, but still used rather inconsistently 
> across browsers from different vendors
> Certificate "strength" indicators--e.g., IE's green shading in the 
> location bar for an EV cert 
> Various "you're on a suspicious site" warnings--e.g., IE's red 
> shading of the location bar when problems are detected with the 
> cert, such as unknown authority
> Various warning notices that the user is about to go to a suspicious
> site, usually with an option to allow the user to override and go there 
anyway
> Notices that some content displayed was not protected by a TLS/SSL 
> session (perhaps one of the most confusing of indicators to users)
> A related indicator are the warnings put up by some browsers that 
> the user is about to display a "secure" page that has some "insecure" 
content
> Warnings that the user is about to leave a TLS/SSL protected Web 
> session (again, a source of considerable confusion to many users)
> Warnings that submitted forms information will not be encrypted 
> (just what is the user supposed to do about this?)
> Indicators that third-party content has been blocked, often with an 
> option to allow display of such content
> Indicators that some content on the Web page is from third parties 
> (some browsers even make it easy for the user to distinguish first-
> party content from third-party content.
> Cookie notices--various schemes for signaling to the user that the 
> site they have visited has set cookies for the session (again, a 
> source of mythology, mystery, and mass confusion)
> Some browsers display warnings to users who have disabled cookies 
> that the site they are visiting wants to set a cookie, and the user 
> is asked to allow or disallow
> Some browsers (e.g. Firefox) offer users the option to clear cookies
> (and other "privacy-related information") when they exit the browser
> (either automatically, or via a dialog box)
> For users smart enough to constrain gratuitous use of javascripts by
> sites they don't know, there are the various schemes for letting the
> user know that the site they have visited is using javascripts, 
> often with options to allow javascripts from just the first party or
> from first and third parties
> For those users that have heeded the warnings about not enabling 
> java downloads, there are various indicators that tell them when a 
> site is trying to download a java applet, with options to allow or 
disallow
> Java applets are supposed to be signed, and some (most?) browsers 
> will warn users if an applet is not signed or is not signed by a 
> trusted authority
> Ditto for Active X controls (applets)
> File download warnings--often of the form that the file is an 
> executable or that it will run some program, such as a player (I'm 
> ignoring all the other nagware that will offer to help the user 
> check for viruses, trojans, etc. in downloaded files)
> Notices that a site has requested use of a plug-in that has either 
> been disabled by the user, or that is not currently installed (often
> with helpful options to download and install the missing plug-in)
> Various "private browsing" or safe modes that different browsers 
> offer, often with an obscure indicator, such as a checkbox in a menu
> pick, though sometimes with a chrome indicator (note, these modes 
> usually turn off history and caching)
> 
> Imagine if automobiles presented this sort of UI clutter to drivers. 
> 
> Then, there are a few indicators that I have not encountered, but 
> would like to:

> The cert for this site was confirmed as valid in real time by a 
> trusted authority--i.e., an OCSP lookup (an EV cert is not needed 
> for OCSP checking)
> Conversely, a warning when a site's cert did not provide the option 
> for OCSP checking, or the OCSP check could not be performed
> Visible indicators to users when they are using a proxy (maybe this 
> information needs to go to the Web site as well)
> An indicator that the site a user is visiting corresponds to one of 
> their set bookmarks
> A clear indicator of the site that will receive any submitted forms 
> data, and warnings if it does not match the primary URL
> A warning to a user that "the URL you just clicked is submitting 
> forms data to site XYZ; are  you sure you want to do this?"
> The *content* of this page was digitally signed by some named 
> authority, and the signature is valid, implying the content has not 
> been altered
> A notice to the user when the site they just visited told three 
> other Web tracking sites about the visit, and allowed two of them to
> set cookies on the user's computer (its a good thing most users 
> don't know how to use sniffers)
> 
> Further additions and refinements to this list would be appreciated.
> 
> ...Chuck
> -- 
> _____________________________
>    Chuck Wade, Principal
>    Interisle Consulting Group
>    +1  508 435-3050  Office
>    +1  508 277-6439  Mobile
>    www.interisle.net