- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Mon, 26 Mar 2007 12:25:08 -0400
- To: Chuck Wade <Chuck@Interisle.net>
- CC: public-wsc-wg@w3.org
Both Mozilla/Firefox and IE will display an icon to indicate a third-party cookie has been blocked because it disagrees with the user's P3P preferences.

Also, regarding the proxy, we've created a browser plugin that uses Tor: http://cups.cs.cmu.edu/foxtor/

The icon will indicate when the user is currently connected to a Tor proxy. There are a few others like this.

serge

Chuck Wade wrote:
> Folks,
>
> I volunteered to start a thread where we begin to list the privacy and security indicators that are in use today from the client side of a web interaction. I'm sure that my list below is incomplete, but I'm also intrigued by how many indicators are already used by one browser or another, or by plugins available for popular browsers.
>
> * The oft-maligned, poorly-understood "padlock" icon--perhaps the most consistent indicator, but still used rather inconsistently across browsers from different vendors
> * Certificate "strength" indicators--e.g., IE's green shading in the location bar for an EV cert
> * Various "you're on a suspicious site" warnings--e.g., IE's red shading of the location bar when problems are detected with the cert, such as unknown authority
> * Various warning notices that the user is about to go to a suspicious site, usually with an option to allow the user to override and go there anyway
> * Notices that some content displayed was not protected by a TLS/SSL session (perhaps one of the most confusing of indicators to users)
>   o A related indicator is the warning put up by some browsers that the user is about to display a "secure" page that has some "insecure" content
> * Warnings that the user is about to leave a TLS/SSL protected Web session (again, a source of considerable confusion to many users)
> * Warnings that submitted form information will not be encrypted (just what is the user supposed to do about this?)
> * Indicators that third-party content has been blocked, often with an option to allow display of such content
> * Indicators that some content on the Web page is from third parties (some browsers even make it easy for the user to distinguish first-party content from third-party content)
> * Indicators that pop-up pages have been blocked, often with an option to allow the pop-up to be displayed
> * Cookie notices--various schemes for signaling to the user that the site they have visited has set cookies for the session (again, a source of mythology, mystery, and mass confusion)
>   o Some browsers display warnings to users who have disabled cookies that the site they are visiting wants to set a cookie, and the user is asked to allow or disallow
> * Some browsers (e.g. Firefox) offer users the option to clear cookies (and other "privacy-related information") when they exit the browser (either automatically, or via a dialog box)
> * For users smart enough to constrain gratuitous use of javascripts by sites they don't know, there are the various schemes for letting the user know that the site they have visited is using javascripts, often with options to allow javascripts from just the first party or from first and third parties
> * For those users that have heeded the warnings about not enabling java downloads, there are various indicators that tell them when a site is trying to download a java applet, with options to allow or disallow
> * Java applets are supposed to be signed, and some (most?) browsers will warn users if an applet is not signed or is not signed by a trusted authority
> * Ditto for Active X controls (applets)
> * File download warnings--often of the form that the file is an executable or that it will run some program, such as a player (I'm ignoring all the other nagware that will offer to help the user check for viruses, trojans, etc. in downloaded files)
> * Notices that a site has requested use of a plug-in that has either been disabled by the user, or that is not currently installed (often with helpful options to download and install the missing plug-in)
> * Various "private browsing" or safe modes that different browsers offer, often with an obscure indicator, such as a checkbox in a menu pick, though sometimes with a chrome indicator (note, these modes usually turn off history and caching)
>
> Imagine if automobiles presented this sort of UI clutter to drivers.
>
> Then, there are a few indicators that I have not encountered, but would like to:
>
> * The cert for this site was confirmed as valid in real time by a trusted authority--i.e., an OCSP lookup (an EV cert is not needed for OCSP checking)
> * Conversely, a warning when a site's cert did not provide the option for OCSP checking, or the OCSP check could not be performed
> * Visible indicators to users when they are using a proxy (maybe this information needs to go to the Web site as well)
> * An indicator that the site a user is visiting corresponds to one of their set bookmarks
> * A clear indicator of the site that will receive any submitted form data, and warnings if it does not match the primary URL
> * A warning to a user that "the URL you just clicked is submitting form data to site XYZ; are you sure you want to do this?"
> * The *content* of this page was digitally signed by some named authority, and the signature is valid, implying the content has not been altered
> * A notice to the user when the site they just visited told three other Web tracking sites about the visit, and allowed two of them to set cookies on the user's computer (it's a good thing most users don't know how to use sniffers)
>
> Further additions and refinements to this list would be appreciated.
>
> ...Chuck
> --
> _____________________________
> Chuck Wade, Principal
> Interisle Consulting Group
> +1 508 435-3050 Office
> +1 508 277-6439 Mobile
> www.interisle.net

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs,
Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
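Two of the indicators Chuck wishes for, "the site that will receive any submitted form data, and warnings if it does not match the primary URL" and "the URL you just clicked is submitting form data to site XYZ", come down to one check: resolve each form's action against the page URL and compare origins. The following is an added example of that check written by the editor; it is not code from either message, from FoxTor, or from any browser. The page URL, the form list and the names auditForms / formTargetOrigin are constructed for illustration. It runs stand-alone under Node (the auditDocumentForms helper is the only part that needs a browser DOM).

```javascript
// Editor's added example: classify where each form on a page will submit.
// Not part of the W3C thread; names and sample data below are made up.

// Resolve a form's action against the page URL and classify the target.
// Per HTML, an empty or missing action submits back to the page's own URL.
function formTargetOrigin(action, pageUrl) {
  const base = new URL(pageUrl);
  if (action === null || action === undefined || action.trim() === '') {
    return { origin: base.origin, url: base.href, kind: 'same-origin' };
  }
  let target;
  try {
    target = new URL(action, base); // relative actions resolve against the page
  } catch (e) {
    return { origin: null, url: action, kind: 'unparseable' };
  }
  if (target.protocol === 'javascript:') {
    // Script-handled submission: the real destination is decided at runtime,
    // so a static indicator cannot name it; flag rather than trust.
    return { origin: null, url: target.href, kind: 'script' };
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { origin: null, url: target.href, kind: 'non-http' };
  }
  // URL.origin drops default ports, so https://bank.example:443 matches
  // https://bank.example; scheme is part of the origin, so http vs https differs.
  const kind = target.origin === base.origin ? 'same-origin' : 'cross-origin';
  return { origin: target.origin, url: target.href, kind };
}

// forms: array of { action, method } as read from form attributes.
// Returns one record per form with a warn flag an indicator could render.
function auditForms(pageUrl, forms) {
  const base = new URL(pageUrl);
  return forms.map((f, index) => {
    const t = formTargetOrigin(f.action, pageUrl);
    const method = (f.method || 'get').toLowerCase();
    // A secure page posting to a plain-http target is the "form will not be
    // encrypted" case from Chuck's first list, worth its own reason.
    const downgrade = base.protocol === 'https:' && t.url.startsWith('http:');
    return { index, ...t, method, downgrade, warn: t.kind !== 'same-origin' };
  });
}

// Browser-only: read the raw action attribute (the .action property would
// already be resolved, hiding the empty-action case) and audit document.forms.
function auditDocumentForms(doc) {
  const forms = Array.from(doc.forms).map((f) => ({
    action: f.getAttribute('action'),
    method: f.getAttribute('method'),
  }));
  return auditForms(doc.location.href, forms);
}

// Constructed sample input (hypothetical hosts) for running offline.
const SAMPLE_PAGE = 'https://bank.example/login';
const SAMPLE_FORMS = [
  { action: '/session', method: 'post' },                  // same origin, relative
  { action: '', method: 'post' },                          // empty: submits to the page itself
  { action: 'https://bank.example:443/auth', method: 'post' }, // default port, still same origin
  { action: 'https://tracker.example/collect', method: 'post' }, // cross-origin: warn
  { action: 'http://bank.example/legacy', method: 'post' },  // same host, scheme downgrade: warn
  { action: 'javascript:void(0)', method: 'get' },           // script-controlled: warn
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditForms(SAMPLE_PAGE, SAMPLE_FORMS)) {
    console.log(`form #${r.index}: ${r.method.toUpperCase()} -> ${r.url} [${r.kind}]` +
      (r.downgrade ? ' (https page posting to http)' : '') + (r.warn ? ' WARN' : ''));
  }
}
```

The comparison is on origin (scheme, host, port) rather than on hostname alone, which is why the http target on the bank's own host is flagged: to a user the site looks the same, but the submission leaves TLS. A script-handled action is reported as its own kind because nothing static can say where it will send the data.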
Received on Monday, 26 March 2007 16:26:01 UTC