- From: Web Security Context Issue Tracker <dean+cgi@w3.org>
- Date: Sun, 15 Apr 2007 14:50:10 +0000 (GMT)
- To: public-wsc-wg@w3.org
ISSUE-38: no safe haven in presentation space (from public comments)

http://www.w3.org/2006/WSC/Group/track/issues/38

Raised by: Bill Doyle
On product: Note: use cases etc.

From public comments raised by: Al Gilman Alfred.S.Gilman@ieee.org
http://lists.w3.org/Archives/Public/public-usable-authentication/2007Apr/0000.html

no safe haven in presentation space

where it says, in 2.5 Reliable presentation of security information

    The Working Group will recommend presentation techniques that mitigate deceptive imitation, or hiding, of the user agent's presentation of security information.

where it says, in 2.7 Best practices for other media

    The Working Group will provide best practice guidelines for other media to follow so as not to undermine the presentation of security information on the web.

please consider

This part of the strategy seems particularly weak. Techniques to ascertain the actual presentation of [e.g. DOM objects] are sought by the WAI. Techniques to query the delivery context are under development by the Device Independence [now Ubiquitous Web Applications] Working Group. You should think of querying the delivery context for evidence of spoofing 'security indicating' presentation as one of the tools in your deployment strategy.

Likewise, making it easy for the user to exercise a faint twitch of skepticism with what seems to them a lightweight gesture, but raises the sensitivity of security-information filtering -- that is a closed-loop, mixed-initiative way to move the performance curve of security failures vs. user nuisance.

Also, you should consider introducing practices which are not widely used now but are up and running and working in practice. What if the user gets a page with some protected content and some that was transmitted in unprotected HTTP? The user doesn't know what in the page is of what category. Suppose at this point they could, by a flick of the hotkey, send the challenge "can you send me that offer in a signed document?" This relies on PKI that is somewhere in the SSL stack, and the server won't have to bear the burden all the time. When a user is at all concerned, the ethical merchant could want to invest the extra cycles for the cryptography.

In other words, readily achievable changes in technology deployment should not be altogether off the table. Why? It seems unlikely that you can limit yourselves to currently widely adopted technology and not find that any presentation-property syndrome that you select (whether of placement, coloration or language) is vulnerable to highly effective spoofing attacks. Likewise, the appeal to other media to stay out of your protected zone is not likely to be successful unless a duly constituted panel representing all stakeholders decides the allocated reserved presentations.
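The comment above points at a concrete failure mode: a page delivered over TLS can still pull scripts, images, frames and form targets over plain HTTP, and the user has no way to tell which parts are which. The script below is an added example (not code from the message, from the WSC Working Group, or from any browser) that inventories a page's fetching references and sorts them by transport. It assumes a constructed HTML fragment, SAMPLE_HTML, and the hypothetical helper names extractResources and summarize; it runs under Node.js using only the built-in URL class, and resolves relative and protocol-relative references against the document URL the way a browser would.

```javascript
// Added example: classify a page's subresources as protected (https) or
// unprotected (http). Not part of the original message or any W3C deliverable.

// Constructed sample page for illustration only; the page itself is assumed
// to have been delivered from https://shop.example.com/offer.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.net/lib.js"></script>
<script src="//cdn.example.net/lib2.js"></script>
</head><body>
<img src="http://images.example.com/offer.png">
<img src="https://images.example.com/logo.png">
<iframe src="http://ads.example.org/frame"></iframe>
<form action="http://shop.example.com/checkout" method="post"></form>
<a href="http://shop.example.com/terms">terms</a>
</body></html>`;

// Tag/attribute pairs that cause a fetch or a submission without a deliberate
// navigation click; <a href> is deliberately excluded because the user sees
// where that goes before following it.
const FETCHING = [
  ['script', 'src'], ['img', 'src'], ['iframe', 'src'],
  ['link', 'href'], ['form', 'action'],
];

// Pull every fetching reference out of the markup and resolve it against the
// document URL. Relative paths inherit the document's scheme; a
// protocol-relative "//host/path" inherits it too, so both come out https
// when the page itself is https.
function extractResources(html, documentUrl) {
  const base = new URL(documentUrl);
  const found = [];
  for (const [tag, attr] of FETCHING) {
    const re = new RegExp(
      `<${tag}\\b[^>]*?\\b${attr}\\s*=\\s*["']([^"']+)["']`, 'gi');
    let m;
    while ((m = re.exec(html)) !== null) {
      const url = new URL(m[1], base);
      found.push({ tag, url: url.href, protected: url.protocol === 'https:' });
    }
  }
  return found;
}

// Produce the per-page view the comment says the user currently lacks:
// how much of the page is unprotected, and which parts.
function summarize(html, documentUrl) {
  const resources = extractResources(html, documentUrl);
  const unprotected = resources.filter((r) => !r.protected);
  return {
    total: resources.length,
    unprotected: unprotected.map((r) => `${r.tag} ${r.url}`),
    // A form that posts to plain HTTP sends whatever the user types in the
    // clear, even though the page that carried the form arrived over TLS.
    insecureFormActions: unprotected.filter((r) => r.tag === 'form').length,
  };
}

console.log(JSON.stringify(
  summarize(SAMPLE_HTML, 'https://shop.example.com/offer'), null, 2));
```

Run with `node` and the sample reports seven fetching references, four of them over plain HTTP, including the checkout form. The regex extraction is enough for a static check of served markup; content injected later by script is only visible to an in-browser check that walks the live DOM, which is the "actual presentation" the WAI is asking for.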
Received on Sunday, 15 April 2007 14:50:24 UTC