- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Tue, 16 Dec 2014 14:59:21 +0100
- To: Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
I am happy to see this initiative, I consider the current standard browser UI broken and upside-down. Today, plain http is not trustworthy, but it still has the "normal" look in browsers. We ought to change this. A few thoughts: Users expect that when they come to a site that looks like Facebook, it is Facebook. They expect any problems to be flagged, and unless there is a warning, that everything is OK. They do not understand what most icons/colors and dialogs mean, and are confused by the complexity of security (and the web in general). A good UI should present the web the way the user expects it to be presented. Expecting users to spend their time learning and memorizing various browser UIs (user education) is arrogant. Starting this discussion from the implementation details is starting it in the wrong end. One example of an experimental browser UI is Opera Coast. It goes much further than cleaning up the security symbols, it removes the entire address field. It uses a lot of extra background checks, with the aim to allow users to browse without having to check addresses. If something seems wrong, it will warn the user ahead of time. This seems to me to be the ideal, where security is baked into the solution, not tacked on top. >From a user's perspective, it just works. I think revamping address bars and badges should take the long term goal into consideration as well. (I'll happily discuss Coast's solutions, but please start a new thread if so.) Browsers normally have 3-5 different visual security states in the UI; normal (no security), DV and EV. Some browsers have special visual indicators for various types of broken security (dubious, bad, etc). In addition there are a multitude of corner cases. Although I can see the use of three states, to support gradual degradation via the middle state, more than three states is confusing, and the ideal should be none, as in the above example. Given three states for now, the question is how we want to display them. We need one for general unsecured contents. We want one for top security, i.e. all the latest encryption standards and EV. Then general encryption would go into the last bucket. Encryption standards will have to change over time. From a user perspective, a natural way to mark three states would be as insecure (red/warning), normal (neutral/no marking) and secure (green/padlock). There is no need to distinguish unsecured from dubiously secured, they can just go into the same bucket. There isn't even any need to warn users about certificate errors, the UI is just downgraded to insecure, as a self-signed site is no less secure than an http site. There are technical reasons for the warnings, but those can be bug-fixed. Active attacks (e.g. certificate replacement to an invalid one, HSTS failure, revoked certificates, ...) might still be hard-blocked, but note that this constitutes a fourth state, and the UI is becoming very complicated already - there are probably better ways to map such cases into the insecure state, but that is a separate discussion. One issue is that browser UI is and should be a place for innovation, not rigid specifications. At the same time, users would clearly benefit from consistent and good UI. Diverging from the de-facto UI standard towards a better one comes with a cost for browsers, and they might not have the incentive to do so. A coordinated move towards a better future would be good, as long as we avoid the hard limitations. Regardless of this discussion, we do need better coordination for removing old crypto standards (SHA-1, SSLv3, RC4, ...) from the "secure" bucket in the UI. In short, I am all for a coordinated move, but there needs to be space for browsers to innovate as well. In terms of the transition plan, I think a date-based plan is the only thing which will work. This gives all parties time to prepare, they know when the next phase will start, and nobody will be arguing if we have reached a milestone or not. It also avoids any deadlocks where the next phase is needed to push the web to the state where the next phase will begin. Any ambitious timeline will fail to get all players on board. A multi-year plan is still better than the resulting user confusion if browsers move on their own. BTW, have you explicitly contacted other browser teams? -- Sigbjørn Vik Opera Software
Received on Tuesday, 16 December 2014 13:59:53 UTC