W3C home > Mailing lists > Public > public-aria-admin@w3.org > March 2016

RE: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

From: John Foliot <john.foliot@deque.com>
Date: Tue, 29 Mar 2016 14:55:36 -0400
To: "'Rich Schwerdtfeger'" <richschwer@gmail.com>
Cc: 'Léonie Watson' <tink@tink.uk>, "'ARIA Working Group'" <public-aria-admin@w3.org>, "'Wendy Seltzer'" <wseltzer@w3.org>
Message-ID: <002c01d189ec$9a9f3fb0$cfddbf10$@deque.com>
Hi Rich,

 

First, please ramp the tone down a bit: I understand both the issue and the need, we are simply pointing out a real security issue, one which we have not heard a solution to. Accusing me of shouting at the moon does nothing to address this problem, or advance a solution.

 

It’s good and well that engineers at Microsoft and IBM are doing this today – I will work with the assumption that they are doing things in good faith, and care about issues like security and privacy. But what, exactly, do you propose we do when malicious actors use the proposed attribute in a fishing scam? Telling them that they shouldn’t do this is an open invitation for them to actually do it. I’d rather have a screen reader user approach an input like this with heightened caution then with blissful ignorance.

 

> zero vehicle to tell the screen reader to not ECHO the keyboard keys being type for all to hear in the room. 

 

Sure, but telling them the characters are being obscured without an absolute assurance that they *ARE* visually obscured is equally a serious problem, and one that takes explicit advantage of the fact that a screen reader cannot see what is on screen. So unless browsers commit to treating role=”password” with the same security approach as input type=”password” we leave open a door for a security/privacy breach.

 

Do I have a specific solution at hand? No, not really outside of getting browser vendors on-board. Does my lack of a detailed proposed solution today weaken the concern in any way? No, and I am concerned that you are so ready to dismiss that concern with a flippant “they are already doing this today”… bad actors are also doing other malicious things on the web today, and we should be trying to help minimize and eradicate those issues, not adding another possible attack vector to the mix.

 

JF

 

From: Rich Schwerdtfeger [mailto:richschwer@gmail.com] 
Sent: Monday, March 28, 2016 6:25 PM
To: John Foliot <john.foliot@deque.com>
Cc: Léonie Watson <tink@tink.uk>; ARIA Working Group <public-aria-admin@w3.org>
Subject: Re: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

 

John,

 

First, authors are already creating these custom password fields to say that they must behave exactly like an HTML5 password field does not make any sense. The Microsoft security people stated that people were doing this already and adding a password role does absolutely nothing to stop them from doing so. 

 

The far bigger security issue is that despite the fact that they are creating one of these custom fields we give the author zero vehicle to tell the screen reader to not ECHO the keyboard keys being type for all to hear in the room. They don’t echo the keys you actually see which are obscured. they echo the text typed coming in from the keyboard. 

 

What is your solution to prevent this? Yelling at them to use HTML5 passwords is like our shouting at the moon. 

 

I want to see a real solution here. 

 

Where are we asking a browser to change their UI? Browser vendors have been very clear to tell us that we cannot require them to change their UI based on ARIA. On this I see no win although I agree with you that it would be could here. 

 

So, the net of this if we don’t include the role we continue to leave users exposed with a security hole where everyone can hear the password they are typing unless they happen to have a headset on. Is that what you both want?

 

 

Rich Schwerdtfeger

 

 

 

On Mar 28, 2016, at 5:02 PM, John Foliot <john.foliot@deque.com <mailto:john.foliot@deque.com> > wrote:

 

Hi Rich,

 

After chatting with some folks at CSUN, I share Leonie’s concerns. Unless all of the browser vendors and screen readers are going to programmatically treat the role=”password” *EXACTLY* like input type=”password” I too see a serious security/privacy concern.

 

For example, what should we expect with this piece of code: <input type=”text” role=”password”>? 

 

Will screen readers announce “star, star, star” while displaying “Secret PIN #” in the text field, in the clear and open?  (Saying they shouldn’t do that  isn’t enough, I just did it and so others will as well) 

 

Likewise for a scripted input, perhaps something like <div class=”Input_Field” role=”password”>: how do we guarantee end users that the scripted input *is* being treated like an actual password input, and isn’t a fishing spoof on non-sighted users? Companies like IBM would likely never do that, but IBM isn’t the only folks writing code out there :D



I also understand that this is needed for SVG, so my concern is not that we need a “something”, but rather, again, we’re asking browser vendors to change their UI based upon an ARIA attribute, something that they have refused to do in the past, as for example here:  <https://lists.w3.org/Archives/Public/public-pfwg/2015Sep/0172.html> https://lists.w3.org/Archives/Public/public-pfwg/2015Sep/0172.html

 

JF

 

From: Rich Schwerdtfeger [mailto:richschwer@gmail.com] 
Sent: Monday, March 28, 2016 5:37 PM
To: Léonie Watson <tink@tink.uk <mailto:tink@tink.uk> >
Cc: ARIA Working Group <public-aria-admin@w3.org <mailto:public-aria-admin@w3.org> >
Subject: Fwd: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

 

Leonie, 

 

Did my response address your concern? Microsoft confirmed that people were creating their own custom passwords in the wild and there is no ARIA role to indicate to the AT that this is a password and to tell the AT to NOT echo the password text as you type it. This would facilitate that. 

 

Rich

 

 

Rich Schwerdtfeger

 

 





Begin forwarded message:

 

From: Rich Schwerdtfeger < <mailto:richschwer@gmail.com> richschwer@gmail.com>

Subject: Re: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

Date: March 20, 2016 at 3:59:23 PM CDT

To:  <mailto:tink@tink.uk> tink@tink.uk

Cc: ARIA Working Group < <mailto:public-aria-admin@w3.org> public-aria-admin@w3.org>

 

Leonie,

 

On the other hand, a screen reader could announce the characters being typed and not know to not do that. Furthermore, people are creating these things today and there is no way to know that the textfield is a password field. Would you prefer to not know? 

 

I don’t understand how your statement supports your argument. Incidentally,we did vet this with the Microsoft browser security people before agreeing to add it to the spec. Microsoft stated that people were creating their own password textbooks in the wild and there is no way for you to know that is what the textfield is. 

 

Rich

 

Rich Schwerdtfeger

 

 

 

On Mar 17, 2016, at 3:06 PM, Léonie Watson < <mailto:tink@tink.uk> tink@tink.uk> wrote:

 

From: Rich Schwerdtfeger [ <mailto:richschwer@gmail.com> mailto:richschwer@gmail.com] 
Sent: 17 March 2016 19:12
To: ARIA Working Group < <mailto:public-aria-admin@w3.org> public-aria-admin@w3.org>
Subject: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

This is a Call for Consensus (CfC) to the Accessible Rich Internet Applications (ARIA) Working Group on the following resolution:
1. Accept Joanie’s addition of a new password addressing Action 2004: 
 <https://rawgit.com/w3c/aria/password-role/aria/aria.html#password> https://rawgit.com/w3c/aria/password-role/aria/aria.html#password 

 

I object to the password role. Unless I’m missing something, it leaves open the possibility that an AT will behave as though the characters input into the field are obscured, when visually they may not be. A screen reader user cannot be certain that their password is adequately protected from being observed.

 

 

Léonie.

 

-- 

@LeonieWatson  <http://tink.uk/> tink.uk Carpe diem.

 
Received on Tuesday, 29 March 2016 18:56:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:02 UTC