- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 15 Feb 2007 12:22:35 +0100
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: public-wsc-wg@w3.org
Here's the further rework that I'm owing according to ACTION-141 and ACTION-142.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

We distinguish a number of properties in the basic use cases that we address.

Destination site. A user may have interacted with a site before (i.e., the web site is present in the user's browsing history); he may also have submitted forms to that site before. The site might belong to an organization that the user knows of (and intends to interact with), or it might belong to an organization that the user does not know of, and may or may not have an intention to interact with. For a site that has been visited before, the site's appearance might have changed significantly.

User's navigation toward the destination site. The user might have followed a bookmark. He might have followed a web link from a known site, or from a search engine. He might have entered a search term into his browser's address bar and used a feature that directly redirects him to his favorite search engine's top hit. The user might also have discovered a site in a cinema advert, heard about it over the phone, or jotted down a URI on a napkin -- that he then mis-typed into his web browser. Finally, a web browser might have been launched by some local application.

Intended interaction. A user might be interested in retrieving information from the public Web, and might therefore interact with a web site in some way. He might be interested in engaging in commerce or other activities that make him expect to submit sensitive information -- be it credentials or personal data. He might be interested in downloading software for his local system, fully aware that this implies that he trusts the software provider to behave correctly far beyond the confines of the browser sandbox.

Actual interaction. The web site's behavior may correspond to what the user intends, or the site might cause unexpected behavior: An information site asks for sensitive information; a photo download triggers software installation; an innocuous mouse click that is intended to raise a window on the user's viewport causes a pop-up or pop-under window to open. A time-based trigger might cause the interaction without any activity on the user's side. A user interaction (such as closing a window) might unexpectedly expose a pop-under window that has been launched much earlier.

1. Once a week, Alice pays her bills. She opens her web browser, follows the habitual bookmark to her bank's site, logs in by entering her credentials, and follows the routine course through the online banking system.

   Destination site: prior interaction, known organization
   Navigation: bookmark
   Intended interaction: submission of sensitive information
   Actual interaction: submission of sensitive information

2. Once a week, Alice pays her bills. She opens her web browser, follows the habitual bookmark to her bank's site, and is directed to an unfamiliar site at a new domain, announcing that her bank has recently acquired another one and changed names a bit. She is asked to enter her usual credentials, succeeds, and quickly adapts to the new online banking system.

   Destination site: no prior interaction, known organization
   Navigation: bookmark, then follows a link
   Intended interaction: submission of sensitive information
   Actual interaction: submission of sensitive information

   Variation: Alice has the habit of typing her bank's URL.

3. Once a week, Alice pays her bills. She opens her web browser, follows the habitual bookmark to her bank's site. Her bank's web site informs her that, as a countermeasure to recent attacks against online banking customers, she needs to install a piece of proprietary software on her computer that will be the conduit for her future interactions with the bank.

   Destination site: prior interaction, known organization
   Navigation: bookmark
   Intended interaction: submission of sensitive information, but site convinces Alice to install software
   Actual interaction: installation of software

   Variation: Alice has the habit of typing her bank's URL.

4. Once a week, Alice pays her bills. She opens her web browser, follows the habitual bookmark to her bank's site. A download process starts, and a pop-up window informs Alice that she needs to install a piece of software locally that will henceforth be her conduit for her future online interactions with her bank.

   Destination site: prior interaction, known organization
   Navigation: bookmark
   Intended interaction: submission of sensitive information
   Actual interaction: installation of software

5. In the advertising leading up to a re-run of the 1970s movie classic "The Sting," Doyle sees an offer for a new-fashioned investment that he can't refuse, offered by a brand that he has heard of before. He memorizes the URL that is given toward the end of the advertising. Coming back home, he mis-types the URI at first, corrects a spelling error, and then reaches a web site that matches the investment firm's branding and name. He's asked for identifying information that he provides.

   Destination site: no prior interaction, known organization
   Navigation: typing
   Intended interaction: submission of sensitive information
   Actual interaction: submission of sensitive information

   Variations: The URI that Doyle typed can be correct or not. Independently of this, he can end up on the web site he intended to interact with, or not. Doyle might also have typed a keyword glanced from the movie screen into a search box.

6. Watching more cinema advertising, Doyle sees a somewhat irritating, but intriguing movie teaser that ends with a dark screen that has a URL fading away quickly. He mis-memorizes the URL. Coming back home, he types in what he remembers, and gets directed to a web site that immediately causes a software download. A pop-up window informs him (in graphical layout that matches the teaser's last screen) that software will be installed on his system in order to enable him to fully benefit from the web site's multimedial offerings.

   Destination site: no prior interaction, unknown organization
   Navigation: typing, with error
   Intended interaction: information retrieval
   Actual interaction: software installation

   Variations: The web site can be the one advertised in the cinema, or not.

7. Frank regularly reads a frequent flyer forum while sipping his first cup of coffee in the morning. He clicks on a link and walks off to the coffee-maker for a refill. Returning, he notes that his computer screen now includes pop-up advertising for a new cheque-management program which is purportedly offered by his bank. A free demonstration version is available for download. The advertising is served from an advertising agency's web site, not from the bank's.

   Destination site: no prior interaction, unknown organization
   Navigation: none
   Intended interaction: information retrieval
   Actual interaction: software installation

   Variations: pop-under instead of pop-up; also, it's deliberately left open whether Frank's click trigger or a timeout during his absence causes the pop-up to appear. The software could be on the bank's web site, on an advertising agency's, or on a prankster's.

8. Example Inc. has a popular online service that processes many credit card transactions a day. Betty occasionally uses the service and trusts it with her credit card information. Malcolm is a thief with an idea. He creates an imitation of the Example web site and begins directing users to it. Malcolm contacts victims through email, or even the phone, and links to his imposter site from popular blogs and chat forums. He's also given his imposter site a domain name that is just a typo away from Example's authentic web site, so some victims will arrive by accident. Betty is about to enter her credit card information into a site that looks just like Example's. How is she to know if it's the authentic site, or the imposter?

   Destination site: no prior interaction, unknown organization (but user expects a particular organization)
   Navigation: link or typing
   Intended interaction: submission of sensitive information
   Actual interaction: submission of sensitive information

9. Example Inc. has use of example.com, example.net and example.org. Each is used to manage a different part of the company's online operations. Betty initially found Example at example.com and created her online account through a page hosted at that domain. She has yet to interact with any of Example's other hosts. Sometime later, Betty receives an email claiming to be from Example and alerting her to a pending task that she must attend to. The email provides a hyperlink to a page that will help Betty complete the task. After clicking on the hyperlink, Betty's user agent displays a page from the example.net host. The page asks Betty to enter her username and passphrase before being allowed to access her account. How is Betty to know that her Example credentials can be safely entered into the page?

   Destination site: no prior interaction, known organization
   Navigation: any
   Intended interaction: submission of sensitive information
   Actual interaction: submission of sensitive information

10. Betty's home wireless router has a web interface for making configuration changes. When the router is installed, it generates a self-signed SSL server certificate. Sometime later, Betty attempts to make a configuration change. How does Betty know she's connected to the router she set up earlier, and not her neighbor's?

   Destination site: prior interaction
   Navigation: bookmark
   Intended interaction: submission of sensitive information
   Actual interaction: submission of sensitive information

11. Betty tries to connect to a web site at <https://www.example.com/>. Her user agent's SSL implementation detects that the domain name specified in the certificate differs from www.example.com. What should the user agent display?

   Destination site: prior interaction
   Navigation: bookmark
   Intended interaction: information retrieval
   Actual interaction: information retrieval

   Note: This is actually a variation over use case 1, with an error condition in the SSL security mechanism.

12. Betty is planning a trip to a foreign country. Searching the web, she finds a widely recommended local travel agency. When she connects to their web site, her user agent does not recognize the certificate authority that issued the travel agency's SSL server certificate. What should the user agent display?

   Destination site: no prior interaction, known organization
   Navigation: following a link
   Intended interaction: information retrieval or submission of sensitive information
   Actual interaction: information retrieval or submission of sensitive information

   Note: This is a variation over other use cases, with a specific error condition.

13. Betty occasionally visits the example.com web site. On each connection, Betty's user agent receives an SSL server certificate issued by the same certificate authority. On the current connection, the received certificate was issued by a different certificate authority. What should the user agent display? Can Example Inc. affect this display through the content of the new certificate?

   Destination site: prior interaction, known organization
   Navigation: bookmark
   Intended interaction: any
   Actual interaction: same

   Note: This use case is a variation of use case 1, with a possible error condition in the SSL security mechanism.

14. Betty occasionally visits the example.com web site. On each connection, Betty's user agent receives an SSL server certificate with the same Organization name and address. On the current connection, the received certificate specifies different attributes.

   Destination site: prior interaction, known organization
   Navigation: bookmark
   Intended interaction: any
   Actual interaction: same

   Note: This use case is a variation of use case 1, and spells out a possible error condition in the SSL security mechanism.

15. Betty clicks on a hyperlink to the web page at <https://www.example.com/>. The received HTML page includes content received from <https://www.example.net/>. Betty's user agent is unaware of any relationship between the www.example.com and www.example.net web sites.

   Note: This use case spells out a complication in the use of the SSL security mechanism. It is independent of our overall classification of basic interactions.

16. Betty visits the web page at <https://www.example.com/>. The received HTML page includes content received from <http://www.example.com/>, i.e., content received using a different security context.

   Note: This use case spells out a complication in the use of the SSL security mechanism. It is independent of our overall classification of basic interactions.

17. Like many users, Betty has grown accustomed to quickly clicking through any warning dialogs presented by her user agent. Out of habit, Betty dismisses another one, then quickly becomes suspicious about some of the web page's content.

   This use case is separate from the generalizations that were discussed earlier in this section. It suggests practices around the recording and reversibility of past security decisions.

18. Vicki is interested in finding out more about art auctions in the greater Boston area. She engages a search engine and tries to follow a link there. Her web browser consults a reputation service which has recorded that the link target will attempt to subvert the browser and install malicious software.

   This use case is separate from the generalizations that were discussed earlier in this section. It serves to suggest practices around the display of results obtained from reputation services.

19. Betty has travelled to a foreign country. In a coffee shop, she is reading a political web site from her home country. She wonders whether the information that is displayed to her is authentic, and whether there will be eavesdropping on her interactions.

   This use case is separate from the generalizations that were discussed earlier in this section. It serves to suggest practices around the protection against eavesdropping and alteration that deployed security technologies provide.

20. Steve runs a suite of security software on his machine that regularly upgrades certain components. The typical workflow is that a specific browser window is opened automatically. Steve will then control the selection of software upgrades, will download them from the web, and they will then be installed.

   Destination site: Known, prior visit
   Navigation: no user interaction
   Intended interaction: none
   Actual interaction: software installation

   Variation: A pop-up window opens with a web site that visually imitates the legitimate software upgrade behavior, but is intended to install malicious software.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

-- 
Thomas Roessler, W3C <tlr@w3.org>
Received on Thursday, 15 February 2007 11:21:05 UTC
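As an added example (not part of the message above, nor of any W3C deliverable), the following Python sketch models the checks a user agent would need in order to recognize the error conditions named in use cases 10 through 16: a self-signed or otherwise unrecognized issuer, a certificate whose names do not cover the requested host, an issuer or Organization attribute that differs from what was seen on earlier visits, and a page that pulls content from another origin or over plain HTTP. Certificates are represented as plain dicts, and the trust store, visit history and sample records are all constructed stand-ins rather than parsed X.509 data.

```python
"""Model of the user-agent checks behind WSC use cases 10-16 (added example).

Certificates are simplified dicts: {"names": [...], "issuer": str,
"org": str, "address": str}. The trust store and the per-host history
are constructed for illustration; nothing here touches a real TLS stack.
"""
from urllib.parse import urlsplit

# Constructed trust store: issuers this user agent recognizes (assumption).
TRUSTED_CAS = {"Example Root CA", "Another Trusted CA"}


def hostname_matches(pattern, host):
    """Match a certificate name against the requested host.

    Exact match, or a single-label wildcard in the leftmost position only
    ("*.example.com" covers "www.example.com" but not "a.b.example.com").
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def classify_connection(host, cert, history, trusted_cas=TRUSTED_CAS):
    """Return the warning conditions raised by this connection.

    history maps a host to the list of certificates seen on prior visits;
    a host with no history gets no change-detection findings (first visit).
    """
    findings = []
    if not any(hostname_matches(name, host) for name in cert["names"]):
        findings.append("hostname_mismatch")      # use case 11
    if cert["issuer"] not in trusted_cas:
        findings.append("unknown_ca")             # use cases 10 and 12
    previous = history.get(host)
    if previous:
        last = previous[-1]
        if last["issuer"] != cert["issuer"]:
            findings.append("issuer_changed")     # use case 13
        if (last["org"], last["address"]) != (cert["org"], cert["address"]):
            findings.append("org_changed")        # use case 14
    return findings


def record_visit(history, host, cert):
    """Append the certificate to the host's history so later visits can compare."""
    history.setdefault(host, []).append(cert)


def check_subresources(page_url, resource_urls):
    """Flag embedded content that comes from a different security context.

    "insecure": https page loading http content (use case 16).
    "cross_origin": content from another host the agent has no relation
    to (use case 15).
    """
    page = urlsplit(page_url)
    report = {"cross_origin": [], "insecure": []}
    for url in resource_urls:
        res = urlsplit(url)
        if page.scheme == "https" and res.scheme == "http":
            report["insecure"].append(url)
        elif (res.scheme, res.hostname) != (page.scheme, page.hostname):
            report["cross_origin"].append(url)
    return report


if __name__ == "__main__":
    # Constructed sample: Betty's earlier visit to example.com.
    history = {}
    seen = {"names": ["www.example.com"], "issuer": "Example Root CA",
            "org": "Example Inc.", "address": "1 Example St"}
    record_visit(history, "www.example.com", seen)
    # Same certificate again: nothing to warn about.
    print(classify_connection("www.example.com", seen, history))
    # Different issuer this time (use case 13), and not a known CA (use case 12).
    changed = dict(seen, issuer="Unknown CA")
    print(classify_connection("www.example.com", changed, history))
    print(check_subresources("https://www.example.com/",
                             ["https://www.example.net/x.js",
                              "http://www.example.com/y.png"]))
```

The point of keeping `history` separate from the trust store is that use cases 13 and 14 are not about validity at all: a certificate can chain to a trusted CA and still differ from every certificate the user has previously accepted for that host, which is a condition the display logic may want to surface independently of the chain check.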