Re: ACTION-156: List of privacy and security indicators from Serge Egelman on 2007-03-28 (public-wsc-wg@w3.org from March 2007)

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Wed, 28 Mar 2007 00:31:38 -0400
To: Praveen Alavilli <AlavilliPraveen@AOL.COM>
CC: public-wsc-wg@w3.org
Message-ID: <4609EFAA.3040203@cs.cmu.edu>
Well, P3P can be used for a lot more than just browsers and browser
plugins (e.g., see Privacy Finder--http://www.privacyfinder.org/).  But
I guess that's just a technicality...

serge

Praveen Alavilli wrote:
> I have an action [ACTION-155 OPEN Track P3P header related indicators
> <http://www.w3.org/2006/WSC/track/actions/155>]  which also falls into
> this list of privacy and security indicators.
> So I propose we close Action# 155 and contribute to this list [156].
> 
> thanks
> Praveen
> 
> Serge Egelman wrote:
>> Both Mozilla/Firefox and IE will display an icon to indicate a
>> third-party cookie has been blocked because it disagrees with the user's
>> P3P preferences.
>>
>> Also, regarding the proxy, we've created a browser plugin that uses Tor:
>> http://cups.cs.cmu.edu/foxtor/
>> The icon will indicate when the user is currently connected to a Tor
>> proxy.  There are a few others like this.
>>
>>
>> serge
>>
>> Chuck Wade wrote:
>>   
>>> Folks,
>>>
>>> I volunteered to start a thread where we begin to list the privacy and
>>> security indicators that are in use today from the client side of a web
>>> interaction. I'm sure that my list below is incomplete, but I'm also
>>> intrigued by how many indicators are already used by one browser or
>>> another, or by plugins available for popular browsers.
>>>
>>>     * The oft-maligned, poorly-understood, "padlock" icon--perhaps the
>>>       most consistent indicator, but still used rather inconsistently
>>>       across browsers from different vendors
>>>     * Certificate "strength" indicators--e.g., IE's green shading in the
>>>       location bar for an EV cert
>>>     * Various "you're on a suspicious site" warnings--e.g., IE's red
>>>       shading of the location bar when problems are detected with the
>>>       cert, such as unknown authority
>>>     * Various warning notices that the user is about to go to a
>>>       suspicious site, usually with an option to allow the user to
>>>       override and go there anyway
>>>     * Notices that some content displayed was not protected by a TLS/SSL
>>>       session (perhaps one of the most confusing of indicators to users)
>>>           o A related indicator are the warnings put up by some browsers
>>>             that the user is about to display a "secure" page that has
>>>             some "insecure" content
>>>     * Warnings that the user is about to leave a TLS/SSL protected Web
>>>       session (again, a source of considerable confusion to many users)
>>>     * Warnings that submitted forms information will not be encrypted
>>>       (just what is the user supposed to do about this?)
>>>     * Indicators that third-party content has been blocked, often with
>>>       an option to allow display of such content
>>>     * Indicators that some content on the Web page is from third parties
>>>       (some browsers even make it easy for the user to distinguish
>>>       first-party content from third-party content.
>>>     * Indicators that pop-up pages have been blocked, often with an
>>>       option to allow the pop-up to be displayed
>>>     * Cookie notices--various schemes for signaling to the user that the
>>>       site they have visited has set cookies for the session (again, a
>>>       source of mythology, mystery, and mass confusion)
>>>           o Some browsers display warnings to users who have disabled
>>>             cookies that the site they are visiting wants to set a
>>>             cookie, and the user is asked to allow or disallow
>>>     * Some browsers (e.g. Firefox) offer users the option to clear
>>>       cookies (and other "privacy-related information") when they exit
>>>       the browser (either automatically, or via a dialog box)
>>>     * For users smart enough to constrain gratuitous use of javascripts
>>>       by sites they don't know, there are the various schemes for
>>>       letting the user know that the site they have visited is using
>>>       javascripts, often with options to allow javascripts from just the
>>>       first party or from first and third parties
>>>     * For those users that have heeded the warnings about not enabling
>>>       java downloads, there are various indicators that tell them when a
>>>       site is trying to download a java applet, with options to allow or
>>>       disallow
>>>     * Java applets are supposed to be signed, and some (most?) browsers
>>>       will warn users if an applet is not signed or is not signed by a
>>>       trusted authority
>>>     * Ditto for Active X controls (applets)
>>>     * File download warnings--often of the form that the file is an
>>>       executable or that it will run some program, such as a player (I'm
>>>       ignoring all the other nagware that will offer to help the user
>>>       check for viruses, trojans, etc. in downloaded files)
>>>     * Notices that a site has requested use of a plug-in that has either
>>>       been disabled by the user, or that is not currently installed
>>>       (often with helpful options to download and install the missing
>>>       plug-in)
>>>     * Various "private browsing" or safe modes that different browsers
>>>       offer, often with an obscure indicator, such as a checkbox in a
>>>       menu pick, though sometimes with a chrome indicator (note, these
>>>       modes usually turn off history and caching)
>>>
>>>
>>> Imagine if automobiles presented this sort of UI clutter to drivers.
>>>
>>> Then, there are a few indicators that I have not encountered, but would
>>> like to:
>>>
>>>     * The cert for this site was confirmed as valid in real time by a
>>>       trusted authority--i.e., an OCSP lookup (an EV cert is not needed
>>>       for OCSP checking)
>>>     * Conversely, a warning when a site's cert did not provide the
>>>       option for OCSP checking, or the OCSP check could not be performed
>>>     * Visible indicators to users when they are using a proxy (maybe
>>>       this information needs to go to the Web site as well)
>>>     * An indicator that the site a user is visiting corresponds to one
>>>       of their set bookmarks
>>>     * A clear indicator of the site that will receive any submitted
>>>       forms data, and warnings if it does not match the primary URL
>>>     * A warning to a user that "the URL you just clicked is submitting
>>>       forms data to site XYZ; are  you sure you want to do this?"
>>>     * The *content* of this page was digitally signed by some named
>>>       authority, and the signature is valid, implying the content has
>>>       not been altered
>>>     * A notice to the user when the site they just visited told three
>>>       other Web tracking sites about the visit, and allowed two of them
>>>       to set cookies on the user's computer (its a good thing most users
>>>       don't know how to use sniffers)
>>>
>>>
>>> Further additions and refinements to this list would be appreciated.
>>>
>>> ...Chuck
>>> -- 
>>> _____________________________
>>>    Chuck Wade, Principal
>>>    Interisle Consulting Group
>>>    +1  508 435-3050  Office
>>>    +1  508 277-6439  Mobile
>>>    www.interisle.net
>>>     
>>
>>   

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Wednesday, 28 March 2007 04:31:54 UTC