
RE: Accessibility of security indicators

From: Ben Wilson <ben.wilson@digicert.com>
Date: Thu, 8 Jan 2015 15:58:28 +0000
To: "chaals@yandex-team.ru" <chaals@yandex-team.ru>, Mike West <mkwst@google.com>
CC: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <fe0b4a0603824aa092f20c65492c501d@EX2.corp.digicert.com>
Re-posting what I said about the Vienna Convention on Road Signs and Traffic Signals on the Google Security-Dev list (WRT SHA-1 deprecation). My main point / pet peeve is that browsers think they can do anything because they control the UI. That's true until people get ticked off and decide to regulate and legislate. They ought to see the writing on the wall and work together rather than require lawmakers to get involved – and believe me, they will.


When you say that Opera will implement "the same behavior", what does that mean in terms of UX?  Will users start seeing a big red X through "https"?  Can you point us to the image that will appear as the mini-icon in Opera's address bar?  I'm concerned that browsers use passive SSL indicators that are appropriate to the threat level.  Just like the US DHS threat level indicators, the color red should be reserved for the most severe threats.  Red means prohibited.  Orange means high alert.  Yellow means guarded.  Etc.
This is similar to what was adopted in the 20th century by international road sign standards and for traffic lights - http://en.wikipedia.org/wiki/Vienna_Convention_on_Road_Signs_and_Signals#Traffic_lights.
(Hopefully we won't have to hold an international treaty convention for these road signs.)


From: chaals@yandex-team.ru
Sent: Thursday, January 8, 2015 6:39 AM
To: Mike West
Cc: WebAppSec WG
Subject: Re: Accessibility of security indicators


08.01.2015, 16:18, "Mike West" <mkwst@google.com>:

It's certainly an important question, but probably one that's best addressed by filing bugs against individual browser vendors rather than mandating something in a spec.


Agreed, in general…


I've just filed https://crbug.com/447191, for instance.


Then I think it was worth writing here ;) (Thanks for doing that BTW)


That said, https://w3c.github.io/webappsec/specs/mixedcontent/#requirements-ux has a normative requirement to make security indicators accessible, based on the thread here: http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0042.html. Do you think we should say more there?


It would be useful to provide a more general statement asking to ensure that indicators meet accessibility guidelines, *including* being made available through APIs - there are a lot of accessibility issues (like red-green colorblindness, to cite an example raised recently) that don't result in people using an assistive technology through an accessibility API, and in raw numbers such users are probably an order of magnitude more common than those who do use such technology.


Are there other specs the group has produced which should contain similar statements?


Basically anything that talks about UI. So ummm…

Mike West <mkwst@google.com>, @mikewest


Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores

(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Thu, Jan 8, 2015 at 12:55 PM, <chaals@yandex-team.ru> wrote:


as far as I know, there is no indication of the security of a page available to e.g. screenreader users.

Given that browser developers seem to be highly responsive to security concerns, perhaps we should be investing a little time in making sure that the ?1% of blind users who cannot see the padlock can get something from it.

While we are at it, we might want to consider people using screen magnification, who often lose the part of the screen where the padlock is from their view.

Of course this means talking to the people who make the relevant software as well as the browser makers. But I thought it would be useful to try starting the conversation.


Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com




Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com


Received on Friday, 9 January 2015 08:18:21 UTC