Re: ACTION-156: List of privacy and security indicators from Serge Egelman on 2007-03-26 (public-wsc-wg@w3.org from March 2007)

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Mon, 26 Mar 2007 12:25:08 -0400
To: Chuck Wade <Chuck@Interisle.net>
CC: public-wsc-wg@w3.org
Message-ID: <4607F3E4.2030507@cs.cmu.edu>
Both Mozilla/Firefox and IE will display an icon to indicate a
third-party cookie has been blocked because it disagrees with the user's
P3P preferences.

Also, regarding the proxy, we've created a browser plugin that uses Tor:
http://cups.cs.cmu.edu/foxtor/
The icon will indicate when the user is currently connected to a Tor
proxy.  There are a few others like this.


serge

Chuck Wade wrote:
> Folks,
> 
> I volunteered to start a thread where we begin to list the privacy and
> security indicators that are in use today from the client side of a web
> interaction. I'm sure that my list below is incomplete, but I'm also
> intrigued by how many indicators are already used by one browser or
> another, or by plugins available for popular browsers.
> 
>     * The oft-maligned, poorly-understood, "padlock" icon--perhaps the
>       most consistent indicator, but still used rather inconsistently
>       across browsers from different vendors
>     * Certificate "strength" indicators--e.g., IE's green shading in the
>       location bar for an EV cert
>     * Various "you're on a suspicious site" warnings--e.g., IE's red
>       shading of the location bar when problems are detected with the
>       cert, such as unknown authority
>     * Various warning notices that the user is about to go to a
>       suspicious site, usually with an option to allow the user to
>       override and go there anyway
>     * Notices that some content displayed was not protected by a TLS/SSL
>       session (perhaps one of the most confusing of indicators to users)
>           o A related indicator are the warnings put up by some browsers
>             that the user is about to display a "secure" page that has
>             some "insecure" content
>     * Warnings that the user is about to leave a TLS/SSL protected Web
>       session (again, a source of considerable confusion to many users)
>     * Warnings that submitted forms information will not be encrypted
>       (just what is the user supposed to do about this?)
>     * Indicators that third-party content has been blocked, often with
>       an option to allow display of such content
>     * Indicators that some content on the Web page is from third parties
>       (some browsers even make it easy for the user to distinguish
>       first-party content from third-party content.
>     * Indicators that pop-up pages have been blocked, often with an
>       option to allow the pop-up to be displayed
>     * Cookie notices--various schemes for signaling to the user that the
>       site they have visited has set cookies for the session (again, a
>       source of mythology, mystery, and mass confusion)
>           o Some browsers display warnings to users who have disabled
>             cookies that the site they are visiting wants to set a
>             cookie, and the user is asked to allow or disallow
>     * Some browsers (e.g. Firefox) offer users the option to clear
>       cookies (and other "privacy-related information") when they exit
>       the browser (either automatically, or via a dialog box)
>     * For users smart enough to constrain gratuitous use of javascripts
>       by sites they don't know, there are the various schemes for
>       letting the user know that the site they have visited is using
>       javascripts, often with options to allow javascripts from just the
>       first party or from first and third parties
>     * For those users that have heeded the warnings about not enabling
>       java downloads, there are various indicators that tell them when a
>       site is trying to download a java applet, with options to allow or
>       disallow
>     * Java applets are supposed to be signed, and some (most?) browsers
>       will warn users if an applet is not signed or is not signed by a
>       trusted authority
>     * Ditto for Active X controls (applets)
>     * File download warnings--often of the form that the file is an
>       executable or that it will run some program, such as a player (I'm
>       ignoring all the other nagware that will offer to help the user
>       check for viruses, trojans, etc. in downloaded files)
>     * Notices that a site has requested use of a plug-in that has either
>       been disabled by the user, or that is not currently installed
>       (often with helpful options to download and install the missing
>       plug-in)
>     * Various "private browsing" or safe modes that different browsers
>       offer, often with an obscure indicator, such as a checkbox in a
>       menu pick, though sometimes with a chrome indicator (note, these
>       modes usually turn off history and caching)
> 
> 
> Imagine if automobiles presented this sort of UI clutter to drivers.
> 
> Then, there are a few indicators that I have not encountered, but would
> like to:
> 
>     * The cert for this site was confirmed as valid in real time by a
>       trusted authority--i.e., an OCSP lookup (an EV cert is not needed
>       for OCSP checking)
>     * Conversely, a warning when a site's cert did not provide the
>       option for OCSP checking, or the OCSP check could not be performed
>     * Visible indicators to users when they are using a proxy (maybe
>       this information needs to go to the Web site as well)
>     * An indicator that the site a user is visiting corresponds to one
>       of their set bookmarks
>     * A clear indicator of the site that will receive any submitted
>       forms data, and warnings if it does not match the primary URL
>     * A warning to a user that "the URL you just clicked is submitting
>       forms data to site XYZ; are  you sure you want to do this?"
>     * The *content* of this page was digitally signed by some named
>       authority, and the signature is valid, implying the content has
>       not been altered
>     * A notice to the user when the site they just visited told three
>       other Web tracking sites about the visit, and allowed two of them
>       to set cookies on the user's computer (its a good thing most users
>       don't know how to use sniffers)
> 
> 
> Further additions and refinements to this list would be appreciated.
> 
> ...Chuck
> -- 
> _____________________________
>    Chuck Wade, Principal
>    Interisle Consulting Group
>    +1  508 435-3050  Office
>    +1  508 277-6439  Mobile
>    www.interisle.net

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Monday, 26 March 2007 16:26:01 UTC