Re: what do screen readers do with "the padlock"?

From: David Woolley <forums@david-woolley.me.uk>
Date: Wed, 31 Oct 2007 22:56:07 +0000
Message-ID: <47290807.8060809@david-woolley.me.uk>
To: 'WAI Interest Group list' <w3c-wai-ig@w3.org>

Joshue O Connor wrote:

> This area is very interesting. For example is security binary? Is
> something either completely secure or completely insecure? Are there
> grey areas where the connection may be partially secured and good enough
> to use but not *completely* secure and so on?
> 
> To me it makes more sense for a user agent to be able to inform the user
> to what degree a connection is secure. The user agent could detect the
> encryption algorithm/key and inform the user if it is a high bit rate
> (128 +) or of a lower variety. Colour coding can be used to visually
> show the user however how is this information given to a screen reader user?

The most important security parameters aren't actually made available 
easily or at all to users using browsers in normal visual mode.  To a 
large extent the key length is simply playing the numbers game.

The most important thing for an AT presenting a secure site is that it 
announce the domain name to the user, something which I suspect is 
normally suppressed as technical noise.  Unfortunately, this basic check 
fails on many sites, and the use of https is smoke and mirrors because 
you are actually talking to a payment service site, which may be an 
unknown ISP.

If you want a quantification of security, more important than the key 
length is the root certificate used to sign the server certificate. 
Different root certificates, from the same certifier, represent 
different levels of authentication that the certifier really is dealing 
with the entity named in the certificate.

> 
> NOTICE: The information contained in this email and any attachments 
> is confidential and may be privileged.  If you are not the intended 

Really?

-- 
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
Received on Wednesday, 31 October 2007 22:56:19 GMT
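
An added example, not part of the original message or of any real assistive technology: a sketch of how the announcement argued for above could be assembled, naming the domain actually connected to, who vouches for it, and whether it differs from the site the user came from. It assumes a certificate in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); that dict carries only the immediate issuer, which stands in here for the root certificate, and the function names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample, in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Payments Ltd"),),
                (("commonName", "pay.example.net"),)),
    "issuer": ((("organizationName", "Example Trust"),),
               (("commonName", "Example Trust Class 1 CA"),)),
    "subjectAltName": (("DNS", "pay.example.net"),),
}

def name_field(rdns, key):
    """Return the first value of `key` in a getpeercert()-style name."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def cert_hosts(cert):
    """DNS names the certificate covers; fall back to commonName."""
    names = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    cn = name_field(cert.get("subject", ()), "commonName")
    return names or ([cn.lower()] if cn else [])

def host_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering one left-most label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def announce(came_from_url, secure_url, cert):
    """Build the sentence an AT could speak for a secure page."""
    origin = urlsplit(came_from_url).hostname or ""
    target = urlsplit(secure_url).hostname or ""
    if any(host_matches(target, p) for p in cert_hosts(cert)):
        parts = [f"Secure connection to {target}."]
    else:
        parts = [f"Warning: the certificate does not name {target}."]
    issuer = cert.get("issuer", ())
    who = (name_field(issuer, "commonName")
           or name_field(issuer, "organizationName") or "an unknown issuer")
    parts.append(f"Identity vouched for by {who}.")
    if origin and origin != target:
        parts.append(f"This is not {origin}, the site that sent you here.")
    return " ".join(parts)
```

Key length is deliberately left out of the spoken text; the domain, the issuer and the hand-off between sites are the items the message ranks above it.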

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 19 July 2011 18:14:27 GMT