<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content=
"HTML Tidy for Mac OS X (vers 31 October 2006 - Apple Inc. build 13), see www.w3.org" />
<meta http-equiv="Content-Type" content=
"text/html; charset=utf-8" />
<title>Web Security Experience, Indicators and Trust: Scope and
Use Cases</title>
<link rel="home" title="Top" href="#title" />
<link rel="chapter" title="Abstract" href="#abstract" />
<link rel="chapter" title="Status of this Document" href=
"#status" />
<link rel="contents" title="Table of Contents" href=
"#contents" />
<link rel="chapter" title="1 Overview" href="#Overview" />
<link rel="chapter" title="2 Goals" href="#goals" />
<link rel="section" title="2.1 Document the status quo" href=
"#status-quo" />
<link rel="section" title="2.2 Relevance of security information"
href="#relevance" />
<link rel="section" title=
"2.3 Consistent presentation of security information" href=
"#vocabulary" />
<link rel="section" title=
"2.4 User awareness of security information" href="#workflow" />
<link rel="section" title=
"2.5 Reliable presentation of security information" href=
"#trusted-path" />
<link rel="section" title=
"2.6 Reduce the number of scenarios in which users need to make trust decisions"
href="#trust-decision-management" />
<link rel="section" title=
"2.7 Authoring and deployment techniques" href="#deployment" />
<link rel="section" title="2.8 Best practices for other media"
href="#other-media" />
<link rel="chapter" title="3 Non-goals" href="#non-goals" />
<link rel="section" title=
"3.1 Presentation of all security information" href=
"#completeness" />
<link rel="section" title="3.2 Non-HTTP Web interactions" href=
"#nonhttp" />
<link rel="chapter" title="4 In scope" href="#in-scope" />
<link rel="section" title="4.1 Web interactions" href=
"#web-protocols" />
<link rel="section" title="4.2 User agents" href=
"#user-agents" />
<link rel="section" title="4.3 Entity identification" href=
"#identification" />
<link rel="section" title="4.4 Third-party recommendation" href=
"#recommendation" />
<link rel="section" title="4.5 Historical browsing information"
href="#browser-history" />
<link rel="chapter" title="5 Out of scope" href=
"#out-of-scope" />
<link rel="section" title="5.1 Protocols" href=
"#non-web-protocols" />
<link rel="section" title="5.2 non-Web interactions" href=
"#non-web-interactions" />
<link rel="section" title=
"5.3 Security context information for consumption by automated agents"
href="#automation" />
<link rel="section" title="5.4 New security information" href=
"#vaporware" />
<link rel="section" title="5.5 Content based detection" href=
"#filters" />
<link rel="section" title=
"5.6 Security information about the user's computer" href=
"#trusted-computing" />
<link rel="section" title="5.7 User agent exploits" href=
"#bugs" />
<link rel="section" title="5.8 User separation" href="#kiosk" />
<link rel="section" title="5.9 Content production exploits" href=
"#XSS" />
<link rel="section" title="5.10 Other security challenges" href=
"#out-of-scope-other" />
<link rel="chapter" title="6 Use cases" href="#use-cases" />
<link rel="section" title="6.1 User decisions" href=
"#decisions" />
<link rel="subsection" title=
"6.1.1 Providing sensitive information to a web site" href=
"#secret-sharing" />
<link rel="subsection" title=
"6.1.2 Believing information to come from a known author" href=
"#attribution" />
<link rel="subsection" title=
"6.1.3 Installing software downloaded from a web site" href=
"#authorization" />
<link rel="section" title="6.2 Navigation" href="#navigation" />
<link rel="subsection" title="6.2.1 Unidentified destination"
href="#unidentified-destination" />
<link rel="subsection" title="6.2.2 Unidentified source" href=
"#unidentified-source" />
<link rel="section" title="6.3 User agent type" href=
"#user-agent-type" />
<link rel="subsection" title="6.3.1 Desktop browser" href=
"#desktop-browser" />
<link rel="subsection" title="6.3.2 Smartphone" href=
"#smartphone" />
<link rel="section" title="6.4 Accessibility" href=
"#accessibility" />
<link rel="section" title="6.5 Scenarios" href="#scenarios" />
<link rel="bookmark" title="any-iip-1" href="#any-iip-1" />
<link rel="bookmark" title="any-iip-2" href="#any-iip-2" />
<link rel="bookmark" title="any-iup-1" href="#any-iup-1" />
<link rel="bookmark" title="any-uip-1" href="#any-uip-1" />
<link rel="bookmark" title="any-uip-2" href="#any-uip-2" />
<link rel="bookmark" title="smartphone-uip-1" href=
"#smartphone-uip-1" />
<link rel="bookmark" title="any-uup-1" href="#any-uup-1" />
<link rel="bookmark" title="any-iib-1" href="#any-iib-1" />
<link rel="bookmark" title="any-iib-2" href="#any-iib-2" />
<link rel="bookmark" title="any-iub-1" href="#any-iub-1" />
<link rel="bookmark" title="any-uub-1" href="#any-uub-1" />
<link rel="bookmark" title="any-uub-2" href="#any-uub-2" />
<link rel="bookmark" title="any-uub-3" href="#any-uub-3" />
<link rel="bookmark" title="any-uub-4" href="#any-uub-4" />
<link rel="bookmark" title="any-iii-1" href="#any-iii-1" />
<link rel="bookmark" title="any-iui-1" href="#any-iui-1" />
<link rel="bookmark" title="any-iui-2" href="#any-iui-2" />
<link rel="bookmark" title="any-uii-1" href="#any-uii-1" />
<link rel="bookmark" title="any-uii-2" href="#any-uii-2" />
<link rel="bookmark" title="any-uui-1" href="#any-uui-1" />
<link rel="bookmark" title="any-iio-1" href="#any-iio-1" />
<link rel="bookmark" title="any-uuo-1" href="#any-uuo-1" />
<link rel="section" title="6.6 Threats" href="#threats" />
<link rel="subsection" title="6.6.1 Subverted navigation" href=
"#subverted-navigation" />
<link rel="subsection" title="6.6.2 Web site impersonation" href=
"#impersonation" />
<link rel="chapter" title=
"7 Security information available to the user agent" href=
"#available" />
<link rel="section" title=
"7.1 Defined by web content specifications" href=
"#web-content-source" />
<link rel="bookmark" title="dynamic-content" href=
"#dynamic-content" />
<link rel="section" title=
"7.2 Defined by SSL related specifications" href="#SSL-source" />
<link rel="bookmark" title="SSL-certificate-chain" href=
"#SSL-certificate-chain" />
<link rel="section" title=
"7.3 Defined by HTTP related specifications" href=
"#HTTP-source" />
<link rel="bookmark" title="HTTP-redirect" href=
"#HTTP-redirect" />
<link rel="section" title=
"7.4 Defined by IP related specifications" href="#IP-source" />
<link rel="section" title=
"7.5 Defined by DNS related specifications" href="#DNS-source" />
<link rel="section" title="7.6 Defined by user agent" href=
"#UA-source" />
<link rel="bookmark" title="UA-CAs" href="#UA-CAs" />
<link rel="section" title=
"7.7 State that may be collected by a user agent" href=
"#collected-state-source" />
<link rel="bookmark" title="UA-done-rendering" href=
"#UA-done-rendering" />
<link rel="bookmark" title="HTTP-Referer" href="#HTTP-Referer" />
<link rel="bookmark" title="user-password" href=
"#user-password" />
<link rel="bookmark" title="user-input" href="#user-input" />
<link rel="bookmark" title="user-customization" href=
"#user-customization" />
<link rel="bookmark" title="user-understanding" href=
"#user-understanding" />
<link rel="section" title="7.8 Defined by a third-party" href=
"#third-party-source" />
<link rel="chapter" title="8 Merits of the status quo" href=
"#merits" />
<link rel="section" title=
"8.1 Widely deployed, strong cryptography" href=
"#strong-crypto" />
<link rel="section" title=
"8.2 Many deceptive imitation techniques prevented" href=
"#spoof-prevention" />
<link rel="section" title="8.3 Corrected implementation errors"
href="#fixed-bugs" />
<link rel="section" title="8.4 Password management" href=
"#password-manager" />
<link rel="chapter" title="9 Problems with the status quo" href=
"#problems" />
<link rel="section" title="9.1 Poorly defined area for chrome"
href="#where-is-chrome" />
<link rel="subsection" title="9.1.1 Picture in picture" href=
"#picture-in-picture" />
<link rel="subsection" title=
"9.1.2 Visually extending the chrome" href="#extended-chrome" />
<link rel="subsection" title="9.1.3 Removing the chrome" href=
"#missing-chrome" />
<link rel="section" title="9.2 Poorly defined role for chrome"
href="#what-is-chrome" />
<link rel="subsection" title="9.2.1 Browser window title" href=
"#window-title" />
<link rel="subsection" title="9.2.2 Back and forward buttons"
href="#back-button" />
<link rel="subsection" title="9.2.3 URL bar" href="#URL-bar" />
<link rel="subsection" title="9.2.4 Padlock icon" href=
"#padlock-icon" />
<link rel="subsection" title="9.2.5 Favicon" href="#favicon" />
<link rel="subsection" title="9.2.6 Status bar" href=
"#status-bar" />
<link rel="subsection" title=
"9.2.7 Information bar (aka: notification bar)" href=
"#information-bar" />
<link rel="section" title="9.3 Poor user understanding of chrome"
href="#why-is-chrome" />
<link rel="subsection" title="9.3.1 Padlock icon" href=
"#padlock-icon-semantics" />
<link rel="subsection" title="9.3.2 Hostname" href=
"#hostname-semantics" />
<link rel="subsection" title="9.3.3 Chrome versus page" href=
"#chrome-vs-page" />
<link rel="subsection" title=
"9.3.4 Explanations versus understanding" href=
"#learning-by-doing" />
<link rel="section" title="9.4 Poor usability of chrome" href=
"#when-is-chrome" />
<link rel="subsection" title="9.4.1 Out of sight, out of mind"
href="#ignored-chrome" />
<link rel="subsection" title="9.4.2 Assumed safety" href=
"#assumed-safety" />
<link rel="subsection" title=
"9.4.3 Poor usability of dialog boxes" href="#dialog-box" />
<link rel="chapter" title="10 Process" href="#process" />
<link rel="section" title="10.1 Expertise and experience" href=
"#feedback" />
<link rel="section" title=
"10.2 Reliance on general usability expertise" href=
"#usability-principles" />
<link rel="subsection" title="10.2.1 Affordance" href=
"#affordance" />
<link rel="subsection" title="10.2.2 Conceptual model" href=
"#users-model" />
<link rel="subsection" title=
"10.2.3 Match between system and the real world" href=
"#users-language" />
<link rel="subsection" title="10.2.4 Habit formation" href=
"#habit-formation" />
<link rel="subsection" title="10.2.5 Single locus of attention"
href="#locus-of-attention" />
<link rel="subsection" title=
"10.2.6 Aesthetic and minimalist design" href="#minimalist" />
<link rel="subsection" title=
"10.2.7 Help users recognize, diagnose, and recover from errors"
href="#lpt1-on-fire" />
<link rel="subsection" title=
"10.2.8 Provide explanations, justifying the advice or information given"
href="#justify" />
<link rel="subsection" title="10.2.9 Understand the user" href=
"#know-your-user" />
<link rel="subsection" title="10.2.10 Create task profiles" href=
"#task-profiles" />
<link rel="subsection" title="10.2.11 Consistency" href=
"#consistency" />
<link rel="section" title="10.3 Learning from past efforts" href=
"#usability-wisdom" />
<link rel="subsection" title=
"10.3.1 No user categories in phishing vulnerability" href=
"#uniformity" />
<link rel="subsection" title=
"10.3.2 The user must be aware of the task they are to perform"
href="#awareness" />
<link rel="section" title="10.4 Implementation and testing" href=
"#usability-testing" />
<link rel="chapter" title="11 Acknowledgments" href=
"#acknowledgments" />
<link rel="chapter" title="12 References" href="#references" />
<style type="text/css">
/*<![CDATA[*/
code { font-family: monospace; }
div.constraint,
div.issue,
div.note,
div.notice { margin-left: 2em; }
ol.enumar { list-style-type: decimal; }
ol.enumla { list-style-type: lower-alpha; }
ol.enumlr { list-style-type: lower-roman; }
ol.enumua { list-style-type: upper-alpha; }
ol.enumur { list-style-type: upper-roman; }
div.exampleInner pre { margin-left: 1em;
margin-top: 0em; margin-bottom: 0em}
div.exampleOuter {border: 4px double gray;
margin: 0em; padding: 0em}
div.exampleInner { background-color: #d5dee3;
border-top-width: 4px;
border-top-style: double;
border-top-color: #d3d3d3;
border-bottom-width: 4px;
border-bottom-style: double;
border-bottom-color: #d3d3d3;
padding: 4px; margin: 0em }
div.exampleWrapper { margin: 4px }
div.exampleHeader { font-weight: bold;
margin: 4px}
[id]:hover:after {
content: " #" attr(id) " ";
font-size: 80%;
color: #ccc;
text-decoration: none;
}
a.borken {
background: #f99;
color: #000;
font-weight: bold;
}
p[id]:hover:after {
content: "";
}
a.anchor {
color: inherit;
font-weight: inherit;
text-decoration: none;
font-style: inherit;
}
p[id]:hover:after {
content: " #" attr(id) " ¶ ";
font-size: 80%;
color: #ccc;
text-decoration: none;
}
div.note {
font-weight: bold;
font-style: italic;
color: #008000;
border-left: 2px solid #008000;
margin-left: 0;
padding-left: 2em;
}
span.sqbrackets {
font-style: italic;
color: #005000;
}
div.exampleOuter {
padding-left: 2em;
padding-right: 2em;
border: 1px solid black;
background: #ffa;
}
/*]]>*/
</style>
<link rel="stylesheet" type="text/css" href=
"http://www.w3.org/StyleSheets/TR/W3C-WG-NOTE.css" />
</head>
<body>
<div class="head">
<p><a href="http://www.w3.org/"><img src=
"http://www.w3.org/Icons/w3c_home" alt="W3C" height="48" width=
"72" /></a></p>
<h1><a href="#title" id="title" name="title" class="anchor">Web
Security Experience, Indicators and Trust: Scope and Use
Cases</a></h1>
<h2><a href="#w3c-doctype" id="w3c-doctype" name="w3c-doctype"
class="anchor">W3C Working Group Note 06 March 2008</a></h2>
<dl>
<dt>This version:</dt>
<dd><a href=
"http://www.w3.org/TR/2008/NOTE-wsc-usecases-20080306/">http://www.w3.org/TR/2008/NOTE-wsc-usecases-20080306/</a></dd>
<dt>Latest version:</dt>
<dd><a href=
"http://www.w3.org/TR/wsc-usecases/">http://www.w3.org/TR/wsc-usecases/</a></dd>
<dt>Previous version:</dt>
<dd><a href="http://www.w3.org/TR/2007/WD-wsc-usecases-20071101/">http://www.w3.org/TR/2007/WD-wsc-usecases-20071101/</a></dd>
<dt>Editor:</dt>
<dd>Tyler Close, <a href=
"http://www.hp.com/">Hewlett-Packard</a></dd>
</dl>
<p class="copyright"><a href=
"http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a>&nbsp;©&nbsp;2008&nbsp;<a href="http://www.w3.org/"><acronym title="World Wide Web Consortium">W3C</acronym></a><sup>®</sup>
(<a href="http://www.csail.mit.edu/"><acronym title=
"Massachusetts Institute of Technology">MIT</acronym></a>,
<a href="http://www.ercim.org/"><acronym title=
"European Research Consortium for Informatics and Mathematics">ERCIM</acronym></a>,
<a href="http://www.keio.ac.jp/">Keio</a>), All Rights
Reserved. W3C <a href=
"http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">
liability</a>, <a href=
"http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a>
and <a href=
"http://www.w3.org/Consortium/Legal/copyright-documents">document
use</a> rules apply.</p>
</div>
<hr />
<div>
<h2><a href="#abstract" id="abstract" name="abstract" class=
"anchor">Abstract</a></h2>
<p>This Note refines the objectives for the Web Security
Context Working Group deliverables. It elaborates upon the
group's <a href=
"http://www.w3.org/2005/Security/wsc-charter"><cite>Charter</cite></a>
<a href="#wsc-charter">[WSC-CHARTER]</a> to explain what the
group aims to achieve, what technologies may be used and how
technical proposals will be evaluated. This elaboration is
limited to the group's technical work and does not cover
additional activities the group intends to engage in, such as
ongoing outreach and education.</p>
<p>This Note also includes an initial collection of use cases
that the group expects will drive its technical work.</p>
<p>Since this Note discusses the assumptions, goals, and
processes the group will use to develop its recommendations,
the intended audience is similar to that of the charter of the
Working Group: group members, the W3C community, developers of
web user agents, web content providers (server administrators),
and parties interested and engaged in what the Web Security
Context Working Group's plans and directions are. It is
explicitly not targeted at the presumed beneficiaries of the
group's work, the users of the web, and it is not expected that
an average user would be able to read this document and
understand it.</p>
</div>
<div>
<h2><a href="#status" id="status" name="status" class=
"anchor">Status of this Document</a></h2>
<p><em>This section describes the status of this document at
the time of its publication. Other documents may supersede this
document. A list of current W3C publications and the latest
revision of this technical report can be found in the <a href=
"http://www.w3.org/TR/">W3C technical reports index</a> at
http://www.w3.org/TR/.</em></p>
<p>This is the W3C Working Group Note "Web Security Experience, Indicators and Trust: Scope and
Use Cases". The W3C Membership and other interested parties are invited to send comments to
<a
href="mailto:public-usable-authentication@w3.org">public-usable-authentication@w3.org</a>
(with <a href=
"http://lists.w3.org/Archives/Public/public-usable-authentication/"> public archive</a>).</p>
<p>This document was produced by the <a href= "http://www.w3.org/2006/WSC/">Web Security Context
Working Group</a>, as part of the <a href= "http://www.w3.org/Security/Activity.html">Security
Activity</a>. Several Working Drafts for this Note were available for review; the material in
this document was subject to a public last call. At the time of publication, the Working Group
has no specific plans to further revise this document.</p>
<p>Publication as a Working Group Note does not imply endorsement by
the W3C Membership. This is a draft document and may be
updated, replaced or obsoleted by other documents at any time.
It is inappropriate to cite this document as other than work in
progress.</p>
<p> This document was produced by a group operating under the
<a
href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5
February 2004 W3C Patent Policy</a>. W3C maintains a <a
rel="disclosure" href="http://www.w3.org/2004/01/pp-impl/39814/status">public list of any patent disclosures</a> made in
connection with the deliverables of the group; that page also
includes instructions for disclosing a patent. An individual
who has actual knowledge of a patent which the individual
believes contains <a
href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential
Claim(s)</a> must disclose the information in accordance with
<a
href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section
6 of the W3C Patent Policy</a>. </p>
</div>
<div class="toc">
<h2><a href="#contents" id="contents" name="contents" class=
"anchor">Table of Contents</a></h2>
<p class="toc">1 <a href="#Overview">Overview</a><br />
2 <a href="#goals">Goals</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;2.1 <a href="#status-quo">Document the
status quo</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;2.2 <a href="#relevance">Relevance of
security information</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;2.3 <a href="#vocabulary">Consistent
presentation of security information</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;2.4 <a href="#workflow">User awareness
of security information</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;2.5 <a href="#trusted-path">Reliable
presentation of security information</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;2.6 <a href=
"#trust-decision-management">Reduce the number of scenarios in
which users need to make trust decisions</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;2.7 <a href="#deployment">Authoring and
deployment techniques</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;2.8 <a href="#other-media">Best
practices for other media</a><br />
3 <a href="#non-goals">Non-goals</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;3.1 <a href=
"#completeness">Presentation of all security
information</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;3.2 <a href="#nonhttp">Non-HTTP Web
interactions</a><br />
4 <a href="#in-scope">In scope</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;4.1 <a href="#web-protocols">Web
interactions</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;4.2 <a href="#user-agents">User
agents</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;4.3 <a href="#identification">Entity
identification</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;4.4 <a href=
"#recommendation">Third-party recommendation</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;4.5 <a href=
"#browser-history">Historical browsing information</a><br />
5 <a href="#out-of-scope">Out of scope</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;5.1 <a href=
"#non-web-protocols">Protocols</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;5.2 <a href=
"#non-web-interactions">non-Web interactions</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;5.3 <a href="#automation">Security
context information for consumption by automated
agents</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;5.4 <a href="#vaporware">New security
information</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;5.5 <a href="#filters">Content based
detection</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;5.6 <a href=
"#trusted-computing">Security information about the user's
computer</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;5.7 <a href="#bugs">User agent
exploits</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;5.8 <a href="#kiosk">User
separation</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;5.9 <a href="#XSS">Content production
exploits</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;5.10 <a href=
"#out-of-scope-other">Other security challenges</a><br />
6 <a href="#use-cases">Use cases</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;6.1 <a href="#decisions">User
decisions</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.1.1 <a href=
"#secret-sharing">Providing sensitive information to a web
site</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.1.2 <a href=
"#attribution">Believing information to come from a known
author</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.1.3 <a href=
"#authorization">Installing software downloaded from a web
site</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;6.2 <a href=
"#navigation">Navigation</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.2.1 <a href=
"#unidentified-destination">Unidentified destination</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.2.2 <a href=
"#unidentified-source">Unidentified source</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;6.3 <a href="#user-agent-type">User
agent type</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.3.1 <a href=
"#desktop-browser">Desktop browser</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.3.2 <a href=
"#smartphone">Smartphone</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;6.4 <a href=
"#accessibility">Accessibility</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;6.5 <a href=
"#scenarios">Scenarios</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;6.6 <a href=
"#threats">Threats</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.6.1 <a href=
"#subverted-navigation">Subverted navigation</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.6.1.1
<a href="#URL-typo">URL typo</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.6.1.2
<a href="#misleading-bookmark">Misleading bookmark</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.6.1.3
<a href="#misleading-introduction">Misleading
introduction</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.6.1.4
<a href="#unprotected-navigation">Unprotected
navigation</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;6.6.2 <a href=
"#impersonation">Web site impersonation</a><br />
7 <a href="#available">Security information available to the
user agent</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;7.1 <a href=
"#web-content-source">Defined by web content
specifications</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;7.2 <a href="#SSL-source">Defined by
SSL related specifications</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;7.3 <a href="#HTTP-source">Defined by
HTTP related specifications</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;7.4 <a href="#IP-source">Defined by IP
related specifications</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;7.5 <a href="#DNS-source">Defined by
DNS related specifications</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;7.6 <a href="#UA-source">Defined by
user agent</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;7.7 <a href=
"#collected-state-source">State that may be collected by a user
agent</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;7.8 <a href=
"#third-party-source">Defined by a third-party</a><br />
8 <a href="#merits">Merits of the status quo</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;8.1 <a href="#strong-crypto">Widely
deployed, strong cryptography</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;8.2 <a href="#spoof-prevention">Many
deceptive imitation techniques prevented</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;8.3 <a href="#fixed-bugs">Corrected
implementation errors</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;8.4 <a href=
"#password-manager">Password management</a><br />
9 <a href="#problems">Problems with the status quo</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;9.1 <a href="#where-is-chrome">Poorly
defined area for chrome</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.1.1 <a href=
"#picture-in-picture">Picture in picture</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.1.2 <a href=
"#extended-chrome">Visually extending the chrome</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.1.3 <a href=
"#missing-chrome">Removing the chrome</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;9.2 <a href="#what-is-chrome">Poorly
defined role for chrome</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.2.1 <a href=
"#window-title">Browser window title</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.2.2 <a href=
"#back-button">Back and forward buttons</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.2.3 <a href=
"#URL-bar">URL bar</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.2.4 <a href=
"#padlock-icon">Padlock icon</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.2.5 <a href=
"#favicon">Favicon</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.2.6 <a href=
"#status-bar">Status bar</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.2.7 <a href=
"#information-bar">Information bar (aka: notification
bar)</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;9.3 <a href="#why-is-chrome">Poor user
understanding of chrome</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.3.1 <a href=
"#padlock-icon-semantics">Padlock icon</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.3.2 <a href=
"#hostname-semantics">Hostname</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.3.3 <a href=
"#chrome-vs-page">Chrome versus page</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.3.4 <a href=
"#learning-by-doing">Explanations versus
understanding</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;9.4 <a href="#when-is-chrome">Poor
usability of chrome</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.4.1 <a href=
"#ignored-chrome">Out of sight, out of mind</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.4.2 <a href=
"#assumed-safety">Assumed safety</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;9.4.3 <a href=
"#dialog-box">Poor usability of dialog boxes</a><br />
10 <a href="#process">Process</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;10.1 <a href="#feedback">Expertise and
experience</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;10.2 <a href=
"#usability-principles">Reliance on general usability
expertise</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.2.1 <a href=
"#affordance">Affordance</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.2.2 <a href=
"#users-model">Conceptual model</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.2.3 <a href=
"#users-language">Match between system and the real
world</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.2.4 <a href=
"#habit-formation">Habit formation</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.2.5 <a href=
"#locus-of-attention">Single locus of attention</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.2.6 <a href=
"#minimalist">Aesthetic and minimalist design</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.2.7 <a href=
"#lpt1-on-fire">Help users recognize, diagnose, and recover
from errors</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.2.8 <a href=
"#justify">Provide explanations, justifying the advice or
information given</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.2.9 <a href=
"#know-your-user">Understand the user</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.2.10
<a href="#task-profiles">Create task profiles</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.2.11
<a href="#consistency">Consistency</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;10.3 <a href=
"#usability-wisdom">Learning from past efforts</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.3.1 <a href=
"#uniformity">No user categories in phishing
vulnerability</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.3.2 <a href=
"#awareness">The user must be aware of the task they are to
perform</a><br />
&nbsp;&nbsp;&nbsp;&nbsp;10.4 <a href=
"#usability-testing">Implementation and testing</a><br />
11 <a href="#acknowledgments">Acknowledgments</a><br />
12 <a href="#references">References</a><br /></p>
</div>
<hr />
<div class="body">
<div class="div1">
<h2><a href="#Overview" id="Overview" name="Overview" class=
"anchor">1 Overview</a></h2>
<p>Web user agents are now used to engage in a great variety
and number of commercial and personal activities. Though the
medium for these activities has changed, the potential for
fraud has not. This Working Group is chartered to recommend
user interfaces that help users make trust decisions on the
Web.</p>
<p>This first Working Group document elaborates upon the
group's <a href=
"http://www.w3.org/2005/Security/wsc-charter"><cite>Charter</cite></a>
<a href="#wsc-charter">[WSC-CHARTER]</a> to explain what the
group aims to achieve, what technologies may be used and how
proposals will be evaluated. This elaboration is limited to
the group's technical work and does not cover additional
activities the group intends to engage in, such as ongoing
outreach and education.</p>
<p>The work outlined in this document is expected to take
existing standards and best practices into account. Where
relevant, such existing work will be leveraged.</p>
</div>
<div class="div1">
<h2><a href="#goals" id="goals" name="goals" class="anchor">2
Goals</a></h2>
<div class="div2">
<h3><a href="#status-quo" id="status-quo" name="status-quo"
class="anchor">2.1 Document the status quo</a></h3>
<p>Security information within the Working Group's scope
will be catalogued, along with corresponding presentations
and user interpretations reported in user studies.</p>
</div>
<div class="div2">
<h3><a href="#relevance" id="relevance" name="relevance"
class="anchor">2.2 Relevance of security
information</a></h3>
<p>The Working Group will analyze common use cases to
determine what security information the user needs to
safely accomplish their current task and recommend security
information that should, or should not, be presented in
each case.</p>
</div>
<div class="div2">
<h3><a href="#vocabulary" id="vocabulary" name="vocabulary"
class="anchor">2.3 Consistent presentation of security
information</a></h3>
<p>The Working Group will recommend a set of terms,
indicators and metaphors for consistent presentation of
security information to users, across all web user agents.
For each of these items, the Working Group will describe
the intended user interpretation, as well as safe actions
the user may respond with in common use cases.</p>
</div>
<div class="div2">
<h3><a href="#workflow" id="workflow" name="workflow"
class="anchor">2.4 User awareness of security
information</a></h3>
<p>The Working Group will recommend presentation techniques
that integrate the consumption of security information by
the user into the normal browsing workflow. Presenting
security information in a way that is typically ignored by
the user is of little value.</p>
</div>
<div class="div2">
<h3><a href="#trusted-path" id="trusted-path" name=
"trusted-path" class="anchor">2.5 Reliable presentation of
security information</a></h3>
<p>The Working Group will recommend presentation techniques
that mitigate deceptive imitation, or hiding, of the user
agent's presentation of security information.</p>
</div>
<div class="div2">
<h3><a href="#trust-decision-management" id=
"trust-decision-management" name=
"trust-decision-management" class="anchor">2.6 Reduce the
number of scenarios in which users need to make trust
decisions</a></h3>
<p>No matter how well security context information is
presented, there will always be users who, in some
situations, will behave insecurely even in the face of
harsh warnings. Thus, the Working Group will also recommend
ways to reduce the number of situations in which users need
to make trust decisions.</p>
</div>
<div class="div2">
<h3><a href="#deployment" id="deployment" name="deployment"
class="anchor">2.7 Authoring and deployment
techniques</a></h3>
<p>The Working Group will recommend authoring and
deployment techniques that cause appropriate security
information (see <a href="#available"><b>7 Security
information available to the user agent</b></a>) to be
communicated to users. Techniques already available at
authoring and deployment time which reduce the need for
communication of security information to the user will be
considered in the recommendations.</p>
</div>
<div class="div2">
<h3><a href="#other-media" id="other-media" name=
"other-media" class="anchor">2.8 Best practices for other
media</a></h3>
<p>Users' interpretation of security information on the web
will necessarily be affected by experience with other media
that are not part of this Working Group's scope; such as
email, print, radio or video. The Working Group will
provide best practice guidelines for other media to follow
so as not to undermine the presentation of security
information on the web.</p>
</div>
</div>
<div class="div1">
<h2><a href="#non-goals" id="non-goals" name="non-goals"
class="anchor">3 Non-goals</a></h2>
<p>This section outlines a range of work items which the
group will not focus on, but which may be covered as
beneficial side effects of the group's work. Work items
listed here won't be a priority, and the group won't expend
collective resources on tackling them.</p>
<div class="div2">
<h3><a href="#completeness" id="completeness" name=
"completeness" class="anchor">3.1 Presentation of all
security information</a></h3>
<p>Web user agents contain a great deal of information
relevant to security. This Working Group does not aim to
recommend a presentation for all of this information.
Recommendations will be narrowly focused on presentations
that satisfy the Working Group's use cases, see <a href=
"#use-cases"><b>6 Use cases</b></a>.</p>
</div>
<div class="div2">
<h3><a href="#nonhttp" id="nonhttp" name="nonhttp" class=
"anchor">3.2 Non-HTTP Web interactions</a></h3>
<p>Recommendations that this group makes may or may not be
relevant to Web related interactions that use protocols
other than HTTP or HTTPS. While the group will aim for its
recommendations to be generically useful where appropriate,
it considers recommendations specific to other protocols a
non-goal.</p>
</div>
</div>
<div class="div1">
<h2><a href="#in-scope" id="in-scope" name="in-scope" class=
"anchor">4 In scope</a></h2>
<p>This section enumerates categories of technology and
information that are within this Working Group's scope, as
initially defined by the group's <a href=
"http://www.w3.org/2005/Security/wsc-charter"><cite>Charter</cite></a>
<a href="#wsc-charter">[WSC-CHARTER]</a>. A complete
enumeration of in scope artifacts is provided by the section
<a href="#available"><b>7 Security information available to
the user agent</b></a>.</p>
<div class="div2">
<h3><a href="#web-protocols" id="web-protocols" name=
"web-protocols" class="anchor">4.1 Web
interactions</a></h3>
<p>User interactions on the Web (see <a href=
"http://www.w3.org/TR/webarch/"><cite>Architecture of the
World Wide Web</cite></a> <a href=
"#web-arch">[WEBARCH]</a>), using the HTTP and HTTPS
protocols, are at the core of the Working Group's scope.
Where Web interactions involve other application-level
protocols (including, e.g., SOAP or FTP), the Working Group
considers them in scope and will aim for its recommendations
to be applicable; however, ensuring applicability to non-HTTP
Web interactions (see <a href="#nonhttp"><b>3.2 Non-HTTP Web
interactions</b></a>) is a non-goal.</p>
</div>
<div class="div2">
<h3><a href="#user-agents" id="user-agents" name=
"user-agents" class="anchor">4.2 User agents</a></h3>
<p>A user agent is software to access Web content,
including desktop graphical browsers, text browsers, voice
browsers, mobile phones, multimedia players, plug-ins, and
some software assistive technologies used in conjunction
with browsers such as screen readers, screen magnifiers,
and voice recognition software. This definition is in line
with <a href=
"http://www.w3.org/TR/WAI-WEBCONTENT/"><cite>Web Content
Accessibility Guidelines 1.0</cite></a> <a href=
"#wcag">[WCAG]</a>.</p>
<p>Use cases considered by this Working Group must involve
a web user agent, operated by a human user. In all
instances, the use case is only relevant to this Working
Group if the presentation of security information should
affect the user's interaction with the web resource.</p>
</div>
<div class="div2">
<h3><a href="#identification" id="identification" name=
"identification" class="anchor">4.3 Entity
identification</a></h3>
<p>A web browsing session is like a conversation, where the
user converses with various entities, some known, and
others newly encountered. Each resource the user interacts
with is identified by a URI. Through the underlying
protocols, including DNS and SSL, other designators are
bound to these resources and the entities
that provide them. Recommending a presentation for these
designators that helps the user recognize which entity they
are currently conversing with, and when they are switching
to a different entity, is a primary concern of this Working
Group.</p>
</div>
<div class="div2">
<h3><a href="#recommendation" id="recommendation" name=
"recommendation" class="anchor">4.4 Third-party
recommendation</a></h3>
<p>A user's perception of an entity is strongly influenced
by the opinions of others. The recommendations of
certificate authorities, visited web sites or reputation
services integrated into the user agent are in scope for
this Working Group.</p>
</div>
<div class="div2">
<h3><a href="#browser-history" id="browser-history" name=
"browser-history" class="anchor">4.5 Historical browsing
information</a></h3>
<p>The Working Group may also use information about past
interactions between the user and an entity in presentation
recommendations. Relevant historical browsing information
includes entity designators used in past browsing sessions,
as well as information provided by the user to the entity
during those sessions.</p>
</div>
</div>
<div class="div1">
<h2><a href="#out-of-scope" id="out-of-scope" name=
"out-of-scope" class="anchor">5 Out of scope</a></h2>
<p>This section enumerates a number of possible work items
that the Working Group will not consider.</p>
<div class="div2">
<h3><a href="#non-web-protocols" id="non-web-protocols"
name="non-web-protocols" class="anchor">5.1
Protocols</a></h3>
<p>The Working Group considers recommendations for lower-level
protocols and telephony infrastructure (such as SS7, ISDN, or
the NANP) out of scope.</p>
</div>
<div class="div2">
<h3><a href="#non-web-interactions" id=
"non-web-interactions" name="non-web-interactions" class=
"anchor">5.2 non-Web interactions</a></h3>
<p>The Working Group considers recommendations specific to
interactions that do not involve the Web (e.g., rich text
display in an e-mail user agent) out of its scope. However,
where such interactions use Web Technologies,
recommendations may turn out to be applicable.</p>
</div>
<div class="div2">
<h3><a href="#automation" id="automation" name="automation"
class="anchor">5.3 Security context information for
consumption by automated agents</a></h3>
<p>The Working Group will only consider Web interactions in
which a human participates in making a trust decision this
group is chartered to address. Situations in which all
security relevant information is consumed and acted upon
only by automated agents are out of scope.</p>
</div>
<div class="div2">
<h3><a href="#vaporware" id="vaporware" name="vaporware"
class="anchor">5.4 New security information</a></h3>
<p>The Working Group will neither create nor extend any
protocol or data format, nor create recommendations for
protocols or data formats that are not yet widely deployed.
Recommendations will only be made for the presentation of
currently deployed security information.</p>
</div>
<div class="div2">
<h3><a href="#filters" id="filters" name="filters" class=
"anchor">5.5 Content based detection</a></h3>
<p>Techniques commonly used by intrusion detection systems,
virus scanners and spam filters to detect illegitimate
requests based on their content are out of scope for this
Working Group. These techniques include recognizing known
attacks by analyzing the served URLs, graphics or markup.
The heuristics used in these tools are a moving target and
so not a suitable subject for standardization. The Working
Group will not recommend any checks on the content served
by web sites.</p>
</div>
<div class="div2">
<h3><a href="#trusted-computing" id="trusted-computing"
name="trusted-computing" class="anchor">5.6 Security
information about the user's computer</a></h3>
<p>Security information about the user's computer, such as
that provided by virus scanners, or trusted computing
infrastructure, is out of scope for this Working Group. No
recommendations will rely on such services, or any aspect
of trusted computing. As a result, presentation techniques
recommended by this Working Group may be undermined by
malware that has infected the user's computer.</p>
</div>
<div class="div2">
<h3><a href="#bugs" id="bugs" name="bugs" class=
"anchor">5.7 User agent exploits</a></h3>
<p>Attacks that exploit a programming error in the user
agent are out of scope. This Working Group's
recommendations assume a properly functioning user
agent.</p>
</div>
<div class="div2">
<h3><a href="#kiosk" id="kiosk" name="kiosk" class=
"anchor">5.8 User separation</a></h3>
<p>Many computers are shared among multiple users, either
in the home, or as a kiosk in a public place. In such
scenarios, the activity of one user must not be accessible
to another. Providing this functionality may be best done
by the operating system, or other software, and is out of
scope for this Working Group.</p>
</div>
<div class="div2">
<h3><a href="#XSS" id="XSS" name="XSS" class="anchor">5.9
Content production exploits</a></h3>
<p>Programs that produce HTML, or other web content,
commonly suffer from quoting (output-escaping) errors that
enable Cross-site scripting (<a href=
"http://en.wikipedia.org/wiki/Cross-site_scripting">XSS</a>)
attacks. The web user agent is in a poor position to detect
these attacks, since it sees only the output: web content
formats are not currently designed so that the receiver can
distinguish markup the author intended from markup injected
through such an error. Consequently, this kind of attack is
out of scope for this Working Group.</p>
</div>
<div class="div2">
<h3><a href="#out-of-scope-other" id="out-of-scope-other"
name="out-of-scope-other" class="anchor">5.10 Other
security challenges</a></h3>
<p>As stated in the <a href=
"http://www.w3.org/2005/Security/wsc-charter">charter</a>,
the mission of the Web Security Context Working Group is to
specify a baseline set of security context information that
should be accessible to Web users, and practices for the
secure and usable presentation of this information, to
enable users to come to a better understanding of the
context that they are operating in when making trust
decisions on the Web. While the work this group does may
have a positive and beneficial effect on other security
challenges on the web, directly addressing such challenges
is out of scope. The preceding subsections list several
specific such challenges, but the list is not necessarily
exhaustive.</p>
</div>
</div>
<div class="div1">
<h2><a href="#use-cases" id="use-cases" name="use-cases"
class="anchor">6 Use cases</a></h2>
<p>This Working Group is concerned with: the trust decisions
users must make when using the Web; what information may
inform these decisions; and usable ways of communicating
needed information to the user. Our use-cases are first
structured by the kind of decision facing the user, where
each kind of decision brings different risks. The information
available to inform a decision is primarily determined by how
the user navigated to the web page where the decision arose.
Our use-cases are further categorized by the different means
of navigating the Web. Finally, the feasible user
interactions for communicating relevant information are
limited by the I/O features of the web user agent. Our
use-cases are finally tailored to the kind of web user
agent.</p>
<div class="div2">
<h3><a href="#decisions" id="decisions" name="decisions"
class="anchor">6.1 User decisions</a></h3>
<div class="div3">
<h4><a href="#secret-sharing" id="secret-sharing" name=
"secret-sharing" class="anchor">6.1.1 Providing sensitive
information to a web site</a></h4>
<p>Many activities on the Web, such as logging into an
account or completing a purchase, require providing
sensitive information to a web site. If the user is
interacting with the intended site but is not reassured of
this, they may abandon a desired transaction. If the site is
not the intended one and the user is not warned, a thief may
receive the sensitive information.</p>
</div>
<div class="div3">
<h4><a href="#attribution" id="attribution" name=
"attribution" class="anchor">6.1.2 Believing information
to come from a known author</a></h4>
<p>The Web is most often used for viewing information
produced by others. Sometimes, the user may form an
opinion, or make a decision, based on this information.
This act may be greatly influenced by who the user
believes to be the information's author. If the user is
misled about authorship, a thief may convince the user to
take an unwarranted action. If the user is unsure about
authorship, they may not act on needed advice.</p>
</div>
<div class="div3">
<h4><a href="#authorization" id="authorization" name=
"authorization" class="anchor">6.1.3 Installing software
downloaded from a web site</a></h4>
<p>Not all content available on the Web remains confined
to the web browser. Some content can be installed as an
executable application on the user's computer, or as an
extension to an existing application, or extend the web
browser itself. On today's popular operating systems, an
installed application has much greater access to the
user's computer than does a web page. An application may
abuse this additional authority by stealing the user's
files, rendering the computer unusable, or using it to
attack yet other computers. Choosing to not install an
application may also be detrimental, as a needed security
patch is not applied, or desired functionality is not
acquired.</p>
</div>
</div>
<div class="div2">
<h3><a href="#navigation" id="navigation" name="navigation"
class="anchor">6.2 Navigation</a></h3>
<p>A hyperlink is navigated from a source to a destination.
Information about each may be relevant to a trust decision
the user makes on the destination web page, but this
information is not always available. Even when available,
this information may not be meaningful to the user. The
identification provided by either source or destination may
not correspond to any entity known to the user. A source or
destination is considered identified when the presented
information can be attributed to an authenticated entity,
such as via an SSL server certificate.</p>
<div class="div3">
<h4><a href="#unidentified-destination" id=
"unidentified-destination" name=
"unidentified-destination" class="anchor">6.2.1
Unidentified destination</a></h4>
<p>Information about the destination of a hyperlink may
be unavailable because:</p>
<ul>
<li>
<p>the web page does not support authentication, such
as that provided by SSL</p>
<p>(In the absence of SSL, the user agent cannot verify
which host it is talking to: communication with the
destination may be redirected through a compromised DNS
lookup or intercepted by an illegitimate wifi access
point.)</p>
</li>
<li>
<p>the provided authentication certificate is
unrecognized (issued by an authority the user agent does
not trust), expired, or issued for a name that does not
match the destination host</p>
</li>
</ul>
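<p>As an added illustration, not part of this document, the following Python example (standard library only) classifies a destination along the lines just drawn: no SSL at all, an issuer the user agent does not recognize, a certificate outside its validity period, or certificate names that do not cover the host (the mismatch scenario raised in 6.5). The <code>ServerCert</code> record, the issuer name "Example Root CA", the router certificate and the sample hosts are constructed for the example; a real user agent would take these fields from the certificate presented during the SSL handshake. The wildcard-matching rules follow RFC 6125 as browsers apply them, which is a design choice of this example, not something this document specifies.</p>

```python
# Added example (not part of the W3C document): classify a navigation
# destination as "identified" or "unidentified". Standard library only.
# ServerCert and all sample values below are constructed for the example;
# a real user agent would fill them from the peer certificate.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ServerCert:
    """The fields of an X.509 server certificate this check needs."""
    issuer: str                       # issuing authority, as a display name
    not_before: datetime              # start of validity (timezone-aware UTC)
    not_after: datetime               # end of validity (timezone-aware UTC)
    san_dns: tuple                    # subjectAltName dNSName entries
    subject_cn: Optional[str] = None  # legacy subject CN, used only without SANs


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot marks the root.
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName (possibly a wildcard) against a host name.

    Rules of RFC 6125 section 6.4.3 as browsers apply them: a wildcard is
    honoured only as the entire left-most label, covers exactly one label,
    and needs at least two labels to its right, so "*.com" matches nothing.
    Partial wildcards ("w*.example.com") are rejected.
    """
    pattern, host = _normalize(pattern), _normalize(host)
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    wildcard_ok = (
        p_labels[0] == "*"
        and len(p_labels) >= 3
        and len(p_labels) == len(h_labels)
        and h_labels[0] != ""
        and not any("*" in label for label in p_labels[1:])
    )
    return wildcard_ok and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: ServerCert, host: str) -> bool:
    """True if the certificate was issued for `host`.

    With any dNSName SAN present the subject CN is ignored entirely; the
    CN is consulted only for legacy certificates that carry no SAN.
    """
    if cert.san_dns:
        return any(dns_name_matches(p, host) for p in cert.san_dns)
    return cert.subject_cn is not None and dns_name_matches(cert.subject_cn, host)


def classify_destination(scheme: str, host: str, cert: Optional[ServerCert],
                         trusted_issuers: frozenset, now: datetime) -> str:
    """Return "identified" or "unidentified: (reason)" for a destination."""
    if scheme.lower() != "https" or cert is None:
        return "unidentified: no SSL"
    if cert.issuer not in trusted_issuers:
        return "unidentified: unrecognized issuer"
    if cert.not_before > now:
        return "unidentified: certificate not yet valid"
    if now > cert.not_after:
        return "unidentified: certificate expired"
    if not hostname_matches(cert, host):
        return "unidentified: name mismatch"
    return "identified"


# Constructed sample data; the hosts and "Example Root CA" are fictitious.
TRUSTED = frozenset({"Example Root CA"})
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)
LATER = datetime(2010, 6, 1, tzinfo=timezone.utc)   # after GOOD_CERT expires
GOOD_CERT = ServerCert(
    issuer="Example Root CA",
    not_before=datetime(2008, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2009, 1, 1, tzinfo=timezone.utc),
    san_dns=("www.example.com", "*.example.net"),
)
# A self-signed certificate like Betty's router generates: unknown issuer,
# bare subject CN, no SAN.
ROUTER_CERT = ServerCert(
    issuer="router.local",
    not_before=datetime(2008, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2018, 1, 1, tzinfo=timezone.utc),
    san_dns=(),
    subject_cn="router.local",
)

SCENARIOS = {
    "bookmark to the bank": ("https", "www.example.com", GOOD_CERT, TRUSTED, NOW),
    "wildcard covers one label": ("https", "mail.example.net", GOOD_CERT, TRUSTED, NOW),
    "wildcard does not cover bare domain": ("https", "example.net", GOOD_CERT, TRUSTED, NOW),
    "plain http": ("http", "www.example.com", None, TRUSTED, NOW),
    "router, first visit": ("https", "router.local", ROUTER_CERT, TRUSTED, NOW),
    "router, after user trusted it": ("https", "router.local", ROUTER_CERT,
                                      TRUSTED | {"router.local"}, NOW),
    "bank, certificate expired": ("https", "www.example.com", GOOD_CERT, TRUSTED, LATER),
}


def run_scenarios() -> dict:
    """Classify every scenario; returns {label: verdict}."""
    return {label: classify_destination(*args) for label, args in SCENARIOS.items()}


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label}: {verdict}")
```

<p>The check order is deliberate: a certificate from an unrecognized authority is reported before its validity or names are considered, because nothing it asserts can be relied upon. The router scenario shows why the second visit differs from the first: once the user has chosen to trust the self-signed certificate, the same destination becomes identified.</p>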
</div>
<div class="div3">
<h4><a href="#unidentified-source" id=
"unidentified-source" name="unidentified-source" class=
"anchor">6.2.2 Unidentified source</a></h4>
<p>In addition to the ways destination information may be
unavailable, source information may be unavailable
because:</p>
<ul>
<li>
<p>navigation was initiated from another application,
such as an email or chat client</p>
</li>
<li>
<p>the user typed in the destination URL</p>
</li>
<li>
<p>the source web page makes no warranty as to the
purpose of the hyperlink, such as is common for a
search engine or open discussion forum</p>
</li>
</ul>
</div>
</div>
<div class="div2">
<h3><a href="#user-agent-type" id="user-agent-type" name=
"user-agent-type" class="anchor">6.3 User agent
type</a></h3>
<p>The use-cases address two different kinds of user agent,
each distinguished by characteristic I/O features.</p>
<div class="div3">
<h4><a href="#desktop-browser" id="desktop-browser" name=
"desktop-browser" class="anchor">6.3.1 Desktop
browser</a></h4>
<p>A desktop browser typically has:</p>
<ul>
<li>
<p>a large, full color viewing area</p>
</li>
<li>
<p>a pointing device</p>
</li>
<li>
<p>a full-size keyboard</p>
</li>
<li>
<p>speakers</p>
</li>
</ul>
</div>
<div class="div3">
<h4><a href="#smartphone" id="smartphone" name=
"smartphone" class="anchor">6.3.2 Smartphone</a></h4>
<p>A smartphone user agent typically differs from its
desktop counterpart in several ways:</p>
<ul>
<li>
<p>Screen: a small, limited color viewing area</p>
</li>
<li>
<p>Navigation input: small keyboard, stylus or
pointing device</p>
</li>
<li>
<p>Small keyboard pad: on-screen keyboard and
predictive text technology, such as T9</p>
</li>
<li>
<p>Tactile feedback: vibration</p>
</li>
<li>
<p>A/V interfaces</p>
</li>
</ul>
<p>Traffic cost awareness, slow connection speed and
trust in the mobile network infrastructure may also
affect how users interact with their smartphone's user
agent. These factors influence how security indicators
are presented by different smartphone user agents.</p>
<p>In mobile browsers, the chrome has fewer options and
overlaps with the phone's menus. Obtaining secondary
information is cumbersome, requiring several clicks. Due
to a lack of screen space, the padlock is shown but the
URL is only partially shown, if at all. Password
management is not supported in all phones. In some cases,
an accessed web page has a modified look and feel,
different from simply viewing the page on a small screen.
These changes may create suspicion among security-aware
users. User agents rarely check for certificate
revocation, since doing so generates network traffic.
Some certificate authorities commonly found in desktop
browsers are not included in smartphone user agents.
Consequently, the user may be presented with warnings
that do not appear when the same site is visited using a
desktop user agent. Large pages that do not fit in the
phone's RAM can cause unexpected behavior in the user
agent's security indicators.</p>
</div>
</div>
<div class="div2">
<h3><a href="#accessibility" id="accessibility" name=
"accessibility" class="anchor">6.4 Accessibility</a></h3>
<p>The use cases in this document make no particular
assumptions about the capabilities and cultural background
of the user in question. Following <a href="#wcag">[WCAG]</a>,
users may differ in the following ways:</p>
<ul>
<li>
<p>They may not be able to see, hear, move, or may not
be able to process some types of information easily or
at all.</p>
</li>
<li>
<p>They may have difficulty reading or comprehending
text.</p>
</li>
<li>
<p>They may not have or be able to use a keyboard or
mouse.</p>
</li>
<li>
<p>They may have a text-only screen, a small screen, or
a slow Internet connection.</p>
</li>
<li>
<p>They may not speak or understand fluently the
language in which the document is written.</p>
</li>
<li>
<p>They may be in a situation where their eyes, ears,
or hands are busy or interfered with (e.g., driving to
work, working in a loud environment, etc.)</p>
</li>
<li>
<p>They may have an early version of a browser, a
different browser entirely, a voice browser, or a
different operating system.</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#scenarios" id="scenarios" name="scenarios"
class="anchor">6.5 Scenarios</a></h3>
<p>In the table below, each cell contains links to
use-cases that fall into the category determined by the
cell's placement in the table. The hypertext of each link
names the type of user-agent being used; where "any" means
the use-case is not specific to a type of user agent.</p>
<table border="1">
<tbody>
<tr>
<th></th>
<th><a href="#secret-sharing">Providing</a></th>
<th><a href="#attribution">Believing</a></th>
<th><a href="#authorization">Installing</a></th>
</tr>
<tr>
<th>Identified source, Identified destination</th>
<td id="iip"><a href="#any-iip-1">case1</a>, <a href=
"#any-iip-2">case2</a></td>
<td id="iib"><a href="#any-iib-1">case8</a>, <a href=
"#any-iib-2">case9</a></td>
<td id="iii"><a href="#any-iii-1">case15</a></td>
</tr>
<tr>
<th>Identified source, Unidentified destination</th>
<td id="iup"><a href="#any-iup-1">case3</a></td>
<td id="iub"><a href="#any-iub-1">case10</a></td>
<td id="iui"><a href="#any-iui-1">case16</a>,
<a href="#any-iui-2">case17</a></td>
</tr>
<tr>
<th>Unidentified source, Identified destination</th>
<td id="uip"><a href="#any-uip-1">case4</a>, <a href=
"#any-uip-2">case5</a>, <a href=
"#smartphone-uip-1">case6</a></td>
<td id="uib"></td>
<td id="uii"><a href="#any-uii-1">case18</a>,
<a href="#any-uii-2">case19</a></td>
</tr>
<tr>
<th>Unidentified source, Unidentified
destination</th>
<td id="uup"><a href="#any-uup-1">case7</a></td>
<td id="uub"><a href="#any-uub-1">case11</a>,
<a href="#any-uub-2">case12</a>, <a href=
"#any-uub-3">case13</a>, <a href=
"#any-uub-4">case14</a></td>
<td id="uui"><a href="#any-uui-1">case20</a></td>
</tr>
</tbody>
</table>
<ol class="enumar">
<li id="any-iip-1">
<p><a href="#iip">Identified source, Identified
destination, Providing</a></p>
<p>Once a week, Alice pays her bills. She opens her web
browser, follows the habitual bookmark to her bank's
site, logs in by entering her credentials, and follows
the routine course through the online banking
system.</p>
</li>
<li id="any-iip-2">
<p><a href="#iip">Identified source, Identified
destination, Providing</a></p>
<p>Betty's home wireless router has a web interface for
making configuration changes. When the router is
installed, it generates a self-signed SSL server
certificate. Sometime later, Betty attempts to make a
configuration change. How does Betty know she's
connected to the router she set up earlier, and not her
neighbor's?</p>
</li>
<li id="any-iup-1">
<p><a href="#iup">Identified source, Unidentified
destination, Providing</a></p>
<p>Once a week, Alice pays her bills. She opens her web
browser, follows the habitual bookmark to her bank's
site, and is directed to an unfamiliar site at a new
domain, announcing that her bank has recently acquired
another one and changed names a bit. She is asked to
enter her usual credentials, succeeds, and quickly
adapts to the new online banking system.</p>
</li>
<li id="any-uip-1">
<p><a href="#uip">Unidentified source, Identified
destination, Providing</a></p>
<p>In the advertising leading up to a re-run of the
1970s movie classic "The Sting," Doyle sees an offer
for a new-fashioned investment that he can't refuse,
offered by a brand that he has heard of before. He
memorizes the URL that is given toward the end of the
advertising. Coming back home, he mis-types the URL at
first, corrects a spelling error, and then reaches a
web site that matches the investment firm's branding
and name. He's asked for identifying information that
he provides.</p>
</li>
<li id="any-uip-2">
<p><a href="#uip">Unidentified source, Identified
destination, Providing</a></p>
<p>Example Inc. has use of example.com, example.net and
example.org. Each is used to manage a different part of
the company's online operations. Betty initially found
Example at example.com and created her online account
through a page hosted at that domain. She has yet to
interact with any of Example's other hosts. Sometime
later, Betty receives an email claiming to be from
Example and alerting her to a pending task that she
must attend to. The email provides a hyperlink to a
page that will help Betty complete the task. After
clicking on the hyperlink, Betty's user agent displays
a page from the example.net host. The page asks Betty
to enter her username and passphrase before being
allowed to access her account. How is Betty to know
that her Example credentials can be safely entered into
the page?</p>
</li>
<li id="smartphone-uip-1">
<p><a href="#uip">Unidentified source, Identified
destination, Providing, smartphone</a></p>
<p>While on the move, Alice suddenly remembers she has
to make an urgent banking transaction. She has used her
mobile browser previously for retrieving information
from the web, but this time she decides to use her
phone due to the urgency. She starts her mobile phone
browser and enters a URL that she recalls having seen
on her home desktop browser. After some delay, longer
than usual, the phone starts showing a page. Due to
screen size, Alice notices that the layout is somewhat
familiar, but still not the same as the one in her
desktop. She can't see the full URL either. Alice
scrolls and spots the link that takes her to the
transaction page and clicks on it. After some delay,
the phone displays a page asking her to enter her usual
bank credentials. How is Alice to know that her bank
credentials can be safely entered into the page?</p>
</li>
<li id="any-uup-1">
<p><a href="#uup">Unidentified source, Unidentified
destination, Providing</a></p>
<p>Example Inc. has a popular online service that
processes many credit card transactions a day. Betty
occasionally uses the service and trusts it with her
credit card information. Malcolm is a thief with an
idea. He creates an imitation of the Example web site
and begins directing users to it. Malcolm contacts
victims through email, or even the phone, and links to
his imposter site from popular blogs and chat forums.
He's also given his imposter site a domain name that is
just a typo away from Example's authentic web site, so
some victims will arrive by accident. Betty is about to
enter her credit card information into a site that
looks just like Example's. How is she to know if it's
the authentic site, or the imposter?</p>
</li>
<li id="any-iib-1">
<p><a href="#iib">Identified source, Identified
destination, Believing</a></p>
<p>Betty occasionally visits the example.com web site.
On each connection, Betty's user agent receives an SSL
server certificate issued by the same certificate
authority. On the current connection, the received
certificate was issued by a different certificate
authority. What should the user agent display? Can
Example Inc. affect this display through the content of
the new certificate?</p>
</li>
<li id="any-iib-2">
<p><a href="#iib">Identified source, Identified
destination, Believing</a></p>
<p>Betty clicks on a hyperlink to the web page at
<code>&lt;https://www.example.com/&gt;</code>. The
received HTML page includes content received from
<code>&lt;https://www.example.net/&gt;</code>. Betty's
user agent is unaware of any relationship between the
www.example.com and www.example.net web sites.</p>
</li>
<li id="any-iub-1">
<p><a href="#iub">Identified source, Unidentified
destination, Believing</a></p>
<p>Betty visits the web page at
<code>&lt;https://www.example.com/&gt;</code>. The
received HTML page includes content received from
<code>&lt;http://www.example.com/&gt;</code>, i.e.,
content received using a different security
context.</p>
</li>
<li id="any-uub-1">
<p><a href="#uub">Unidentified source, Unidentified
destination, Believing</a></p>
<p>Betty tries to connect to a web site at
<code>&lt;https://www.example.com/&gt;</code>. Her user
agent's SSL implementation detects that the domain name
specified in the certificate differs from
www.example.com. What should the user agent
display?</p>
</li>
<li id="any-uub-2">
<p><a href="#uub">Unidentified source, Unidentified
destination, Believing</a></p>
<p>Betty is planning a trip to a foreign country.
Searching the web, she finds a widely recommended local
travel agency. When she connects to their web site, her
user agent does not recognize the certificate authority
that issued the travel agency's SSL server certificate.
What should the user agent display?</p>
</li>
<li id="any-uub-3">
<p><a href="#uub">Unidentified source, Unidentified
destination, Believing</a></p>
<p>Like many users, Betty has grown accustomed to
quickly clicking through any warning dialogs presented
by her user agent. Out of habit, Betty dismisses
another one, then quickly becomes suspicious about some
of the web page's content.</p>
</li>
<li id="any-uub-4">
<p><a href="#uub">Unidentified source, Unidentified
destination, Believing</a></p>
<p>Betty has travelled to a foreign country. In a
coffee shop, she is reading a political web site from
her home country. She wonders whether the information
that is displayed to her is authentic, and whether
there will be eavesdropping on her interactions.</p>
</li>
<li id="any-iii-1">
<p><a href="#iii">Identified source, Identified
destination, Installing</a></p>
<p>Once a week, Alice pays her bills. She opens her web
browser, follows the habitual bookmark to her bank's
site. Her bank's web site informs her that, as a
countermeasure to recent attacks against online banking
customers, she needs to install a piece of proprietary
software on her computer that will be the conduit for
her future interactions with the bank.</p>
</li>
<li id="any-iui-1">
<p><a href="#iui">Identified source, Unidentified
destination, Installing</a></p>
<p>Frank regularly reads a frequent flyer forum while
sipping his first cup of coffee in the morning. He
clicks on a link and walks off to the coffee-maker for
a refill. Returning, he notes that his computer screen
now includes pop-up advertising for a new
cheque-management program which is purportedly offered
by his bank. A free demonstration version is available
for download. The advertising is served from an
advertising agency's web site, not from the bank's.</p>
</li>
<li id="any-iui-2">
<p><a href="#iui">Identified source, Unidentified
destination, Installing</a></p>
<p>Vicki is interested in finding out more about art
auctions in the greater Boston area. She engages a
search engine and tries to follow a link there. Her web
browser consults a reputation service which has
recorded that the link target will attempt to subvert
the browser and install malicious software.</p>
</li>
<li id="any-uii-1">
<p><a href="#uii">Unidentified source, Identified
destination, Installing</a></p>
<p>Watching more cinema advertising, Doyle sees a
somewhat irritating, but intriguing movie teaser that
ends with a dark screen that has a URL fading away
quickly. He mis-memorizes the URL. Coming back home, he
types in what he remembers, and gets directed to a web
site that immediately causes a software download. A
pop-up window informs him (in graphical layout that
matches the teaser's last screen) that software will be
installed on his system in order to enable him to fully
benefit from the web site's multimedial offerings.</p>
</li>
<li id="any-uii-2">
<p><a href="#uii">Unidentified source, Identified
destination, Installing</a></p>
<p>Steve runs a suite of security software on his
machine that regularly upgrades certain components. The
typical workflow is that a specific browser window is
opened automatically. Steve will then control the
selection of software upgrades, will download them from
the web, and they will then be installed.</p>
</li>
<li id="any-uui-1">
<p><a href="#uui">Unidentified source, Unidentified
destination, Installing</a></p>
<p>Once a week, Alice pays her bills. She opens her web
browser, follows the habitual bookmark to her bank's
site. A download process starts, and a pop-up window
informs Alice that she needs to install a piece of
software locally that will henceforth be her conduit
for her future online interactions with her bank.</p>
</li>
<li id="any-iio-1">
<p>Identified source, Identified destination, No
interaction</p>
<p>Betty tries to connect to a web site at
<code>&lt;http://www.example.com/&gt;</code>. She
visits this site frequently to read various news and
articles. Since her last visit, the site example.com
has been compromised by some method, and visitors are
now being infected with malware. At the time of the
current request, Betty's user agent now has information
saying that example.com is a known bad site. What
interaction, if any, should occur?</p>
</li>
<li id="any-uuo-1">
<p>Unidentified source, Unidentified destination, No
interaction</p>
<p>Frank regularly reads his email in the morning. This
morning he receives an email that purports to be from
his bank and asks him to verify a recent transaction by
clicking on the link embedded in the email. The link
does not display the usual URL that he types to get to
his bank's website, but it does have his bank's name in
it. He clicks on the link and is directed to a phishing
site. The phishing site has been shut down as a known
fraudulent site, so when Frank clicks on the link he
receives the generic Error 404: File Not Found page.
Frank is not sure what has occurred.</p>
</li>
</ol>
</div>
<div class="div2">
<h3><a href="#threats" id="threats" name="threats" class=
"anchor">6.6 Threats</a></h3>
<p>The scenarios provided above are vulnerable to a wide
range of threats. Threats which are in scope for this
Working Group are further discussed in <a href=
"#in-scope"><b>4 In scope</b></a>. Section <a href=
"#out-of-scope"><b>5 Out of scope</b></a> covers threats
which, though dangerous and important, will not be directly
addressed by this Working Group. A comprehensive threat
tree, for both in scope and out of scope threats, is work
in progress; see <a href=
"http://www.w3.org/TR/wsc-threats/"><cite>Web User
Interaction: Threat Trees</cite></a> <a href=
"#ref-wsc-threats">[WSC-THREATS]</a>.</p>
<div class="div3">
<h4><a href="#subverted-navigation" id=
"subverted-navigation" name="subverted-navigation" class=
"anchor">6.6.1 Subverted navigation</a></h4>
<p>When following a hyperlink, the user may have an
expectation, based on how they found the hyperlink, for
what the destination page should be. These expectations
will be misplaced if an attacker can replace the expected
hyperlink with one that leads to a different destination
page.</p>
<div class="div4">
<h5><a href="#URL-typo" id="URL-typo" name="URL-typo"
class="anchor">6.6.1.1 URL typo</a></h5>
<p>In scenarios where the user types a URL into their
browser, there is a risk of mistyping. An attacker can
acquire the rights to common typo variants of a
hostname and so cause the navigation to lead to an
attack page, instead of the expected page.</p>
</div>
<div class="div4">
<h5><a href="#misleading-bookmark" id=
"misleading-bookmark" name="misleading-bookmark" class=
"anchor">6.6.1.2 Misleading bookmark</a></h5>
<p>In scenarios where the user navigates to a page via
a bookmark, there is a risk of selecting the wrong
bookmark. Browsers commonly identify bookmarks by the
corresponding page title, the value of which is chosen
by the page author. If an attacker can convince the
user to bookmark a page, using another pretense, the
user will have a bookmark identified by a name of the
attacker's choosing and leading to a page of the
attacker's choosing.</p>
</div>
<div class="div4">
<h5><a href="#misleading-introduction" id=
"misleading-introduction" name=
"misleading-introduction" class="anchor">6.6.1.3
Misleading introduction</a></h5>
<p>Discussion forums and search engines serve content
produced by others, or derived from content produced by
others. A user may apply the trust they have for these
sites to the hyperlinks they serve. Most often, this
trust is well placed, since the sites aim to serve
useful hyperlinks. An attacker, posing as a normal site
contributor, may cause the site to serve a hyperlink to
an attack page. In this case, a user may follow the
hyperlink, and apply their trust for the site to the
attacker's page.</p>
</div>
<div class="div4">
<h5><a href="#unprotected-navigation" id=
"unprotected-navigation" name="unprotected-navigation"
class="anchor">6.6.1.4 Unprotected navigation</a></h5>
<p>Most of the URLs currently in use do not use SSL, or
similar protection. An attacker with access to the
network layer can replace a requested URL with one of
their own choosing. Consequently, even a hyperlink that
refers to the expected destination page can be made to
refer to a page of the attacker's choosing.</p>
</div>
</div>
<div class="div3">
<h4><a href="#impersonation" id="impersonation" name=
"impersonation" class="anchor">6.6.2 Web site
impersonation</a></h4>
<p>If an attacker is unable to subvert the navigation
step, it still may be possible to convince the user that
the attack page is the expected page. Techniques for
doing this are described in <a href="#problems"><b>9
Problems with the status quo</b></a>. That section
discusses deficiencies in the browser user interface.</p>
</div>
</div>
</div>
<div class="div1">
<h2><a href="#available" id="available" name="available"
class="anchor">7 Security information available to the user
agent</a></h2>
<p>This section provides an enumeration of the security
information this Working Group has determined to be in scope
and so available for use in recommendations. The Working
Group's scope is detailed in sections <a href=
"#in-scope"><b>4 In scope</b></a> and <a href=
"#out-of-scope"><b>5 Out of scope</b></a>. Information is
grouped into sub-sections according to the references that
should be consulted to determine its semantics.</p>
<div class="div2">
<h3><a href="#web-content-source" id="web-content-source"
name="web-content-source" class="anchor">7.1 Defined by web
content specifications</a></h3>
<ul>
<li>
<p>MIME type</p>
<p>The reported MIME type, along with other information
the user agent may collect, such as the filename extension,
affects which user agent features are triggered by the
receipt of web content.</p>
</li>
<li>
<p>target URI</p>
<p>The target URI for an HTTP request is constructed
according to the instructions provided by the web
content from which the request was produced. The target
URI determines the recipient of the request.</p>
</li>
<li id="dynamic-content">
<p>presence of client-side dynamic content</p>
<p>The rendering of a web page composed of only static
content has a completion point, after which the
rendered view remains constant until the user chooses
to navigate to another web page. Dynamic content is
anything that changes this interaction or is given
additional access to user agent functions. Java and
JavaScript are two current examples, as is an HTML META
tag specifying a page refresh.</p>
</li>
<li>
<p>Is the rendered view composed from multiple
resources, such as referenced images or
stylesheets?</p>
<p>The message communicated by a web page may be
significantly affected by partial rendering. The web
content specifies what resources the web page's author
considered part of the rendered view.</p>
</li>
<li>
<p>Is the rendered view composed from resources from
distinct hosts?</p>
<p>When a web page includes by reference a resource
from another host, the rendered view may be
significantly different from what the page author expected.
For example, the HTML IMG tag can lead to such
surprises.</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#SSL-source" id="SSL-source" name="SSL-source"
class="anchor">7.2 Defined by SSL related
specifications</a></h3>
<ul>
<li id="SSL-certificate-chain">
<p>SSL server certificate chain <a href=
"#pkix">[PKIX]</a></p>
<ul>
<li>
<p>certificate authority</p>
</li>
<li>
<p>distinguished name</p>
</li>
<li>
<p>public key</p>
</li>
<li>
<p>validity timeframe</p>
</li>
<li>
<p>extended validation <a href="#ev-cert">[EV
Cert]</a></p>
</li>
</ul>
</li>
<li>
<p>Ciphersuite</p>
<ul>
<li>
<p>public key algorithm and key length</p>
</li>
<li>
<p>symmetric key algorithm and key length</p>
</li>
<li>
<p>message digest algorithm</p>
</li>
</ul>
</li>
<li>
<p>revocation status</p>
<p>Both CRLs <a href="#pkix">[PKIX]</a> and OCSP
<a href="#ocsp">[OCSP]</a> provide information about
the revocation status of a certificate.</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#HTTP-source" id="HTTP-source" name=
"HTTP-source" class="anchor">7.3 Defined by HTTP related
specifications</a></h3>
<ul>
<li id="HTTP-redirect">
<p>HTTP redirect <a href="#http">[HTTP]</a></p>
</li>
<li>
<p>HTTP-Auth handshake <a href="#http-auth">[HTTP
Auth]</a></p>
</li>
<li>
<p>cookie handling <a href="#http-cookie">[HTTP
Cookie]</a></p>
</li>
<li>
<p>Must requests be transmitted using SSL? <a href=
"#https">[HTTPS]</a></p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#IP-source" id="IP-source" name="IP-source"
class="anchor">7.4 Defined by IP related
specifications</a></h3>
<ul>
<li>
<p>server IP address</p>
</li>
<li>
<p>localhost versus intranet versus internet</p>
</li>
<li>
<p>network diagnostic information, such as provided by
ping or traceroute</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#DNS-source" id="DNS-source" name="DNS-source"
class="anchor">7.5 Defined by DNS related
specifications</a></h3>
<ul>
<li>
<p>server hostname</p>
</li>
<li>
<p>DNSSEC protection of hostname lookup <a href=
"#dnssec">[DNSSEC]</a></p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#UA-source" id="UA-source" name="UA-source"
class="anchor">7.6 Defined by user agent</a></h3>
<ul>
<li id="UA-CAs">
<p>installed certificate authorities</p>
</li>
<li>
<p>installed search engines</p>
</li>
<li>
<p>default window layout</p>
</li>
<li>
<p>default bookmarks</p>
</li>
<li>
<p>default configuration</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#collected-state-source" id=
"collected-state-source" name="collected-state-source"
class="anchor">7.7 State that may be collected by a user
agent</a></h3>
<ul>
<li id="UA-done-rendering">
<p>Has rendering of a page completed?</p>
</li>
<li id="HTTP-Referer">
<p>referring page</p>
</li>
<li>
<p>SSL session <a href="#tls">[TLS]</a>, if any, that
protected content transmission</p>
</li>
<li id="user-password">
<p>submitted passwords</p>
</li>
<li id="user-input">
<p>submitted form values</p>
</li>
<li>
<p>bookmarks</p>
</li>
<li>
<p>browsing history</p>
</li>
<li>
<p>installed client certificates</p>
</li>
<li>
<p>installed server certificates</p>
</li>
<li>
<p>How was the URL entered?</p>
<ul>
<li>
<p>typed into address bar</p>
</li>
<li>
<p>pasted into address bar</p>
</li>
<li>
<p>clicked hyperlink</p>
</li>
<li>
<p>command from another application</p>
</li>
</ul>
</li>
<li id="user-customization">
<p>user agent customization</p>
</li>
<li id="user-understanding">
<p>user response to prompts</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#third-party-source" id="third-party-source"
name="third-party-source" class="anchor">7.8 Defined by a
third-party</a></h3>
<ul>
<li>
<p>reputation service</p>
</li>
<li>
<p>other visited web pages that link to the current
page</p>
</li>
<li>
<p>search engine results</p>
</li>
</ul>
</div>
</div>
<div class="div1">
<h2><a href="#merits" id="merits" name="merits" class=
"anchor">8 Merits of the status quo</a></h2>
<p>Successive generations of web user agents have improved
upon past implementations and achieved greater deployment of
security relevant infrastructure. This work provides a base
upon which this Working Group will build its recommendations.
This section calls out the aspects of the currently deployed
web infrastructure that have already narrowed the problem
space we need to address, or that we intend to learn from or
build on.</p>
<div class="div2">
<h3><a href="#strong-crypto" id="strong-crypto" name=
"strong-crypto" class="anchor">8.1 Widely deployed, strong
cryptography</a></h3>
<p>Since its first deployment, the SSL protocol has
undergone multiple revisions, culminating in the current
TLS/1.1 protocol. Both client and server implementations
are widely deployed, enabling applications to communicate
in a way that is designed to prevent eavesdropping,
tampering, and message forgery.</p>
</div>
<div class="div2">
<h3><a href="#spoof-prevention" id="spoof-prevention" name=
"spoof-prevention" class="anchor">8.2 Many deceptive
imitation techniques prevented</a></h3>
<p>The most current generation of desktop web browsers
contain several changes aimed at protecting users from the
types of spoofing attacks seen in the past. Some of these
changes are invisible to users, such as preventing a web
site from opening a window which is larger than the visible
desktop. Other changes are more noticeable, such as warning
dialogs which alert users when they arrive at a website
that matches an entry on a list of suspected phishing
sites.</p>
</div>
<div class="div2">
<h3><a href="#fixed-bugs" id="fixed-bugs" name="fixed-bugs"
class="anchor">8.3 Corrected implementation errors</a></h3>
<p>Recent web browsers correct many of the security
relevant implementation errors in past browsers. Many
errors in the implementation and application of the SSL
protocol are now corrected.</p>
</div>
<div class="div2">
<h3><a href="#password-manager" id="password-manager" name=
"password-manager" class="anchor">8.4 Password
management</a></h3>
<p>Modern browsers include a password manager that can
autofill the corresponding user login credentials for a web
site. This feature provides several usability benefits that
can help users notice and avoid web based attempts to steal
their passwords. Autofilling provides a presentation cue
indicating the credentials have been previously submitted
to the web site. The user may then infer that the current
operation is simply a repeat of a past trust decision,
rather than a new trust decision: the decision to give the
web site the corresponding password has already been made.
A password manager can also eliminate the step of typing a
password into a web page, a step highly vulnerable to
phishing.</p>
</div>
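<p>To make the cue described in 8.4 concrete, the following is an added example (not code from the W3C document or any browser) of an origin-bound credential store: credentials are keyed by the exact scheme, host and port they were first submitted to, so autofill fires only when the user is back at the same origin, and a look-alike host, or the same host over plain HTTP, gets nothing. The stored entry and all hostnames are constructed for illustration.</p>

```python
"""Origin-bound password manager, illustrating why autofill is a
presentation cue of a past trust decision (section 8.4).
Added example; the hostnames below are constructed."""
from urllib.parse import urlsplit


def origin_of(url: str) -> tuple:
    """Reduce a URL to (scheme, host, port).  Credentials are bound to
    this triple, so path and query differences are irrelevant while a
    different host or a downgrade from https to http is a new origin."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


class PasswordManager:
    def __init__(self):
        self._store = {}  # origin -> (username, password)

    def remember(self, url: str, username: str, password: str) -> None:
        """Record that the user submitted these credentials at this
        origin: the past trust decision the document refers to."""
        self._store[origin_of(url)] = (username, password)

    def autofill(self, url: str):
        """Return stored credentials only on an exact origin match.
        None means no prior decision exists for this site; the user is
        facing a new trust decision and should notice the silence."""
        return self._store.get(origin_of(url))

    def explain(self, url: str) -> str:
        """Why autofill stays silent, phrased as a user-facing cue."""
        scheme, host, port = origin_of(url)
        if (scheme, host, port) in self._store:
            return "known origin"
        for s, h, p in self._store:
            if h == host and s == "https" and scheme == "http":
                return "stored for https only; this page is unprotected"
            if h == host:
                return "same host, different scheme or port"
        return "no credentials stored for this host"


if __name__ == "__main__":
    pm = PasswordManager()
    pm.remember("https://www.examplebank.com/login", "alice", "s3cret")
    for url in ("https://www.examplebank.com/account?x=1",
                "http://www.examplebank.com/login",
                "https://www.examplebank.com.attacker.example/login",
                "https://www.exmaplebank.com/login"):
        print(url, "->", pm.autofill(url), "|", pm.explain(url))
```

<p>The design point is that the match is on the full origin rather than on the hostname string the user sees in the chrome: a phishing page on a different host, however similar its name, never receives the stored password, and the absence of autofill is itself the signal that a new trust decision is being asked for.</p>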
</div>
<div class="div1">
<h2><a href="#problems" id="problems" name="problems" class=
"anchor">9 Problems with the status quo</a></h2>
<p>Though much implementation progress has been made, there
remain problems with the basic design for communicating
security information to the user, which is the core of the
mission of this Working Group. In current user agents,
security information is primarily presented through modal
dialog boxes and indicators in the browser's chrome. Chrome
is the representation through which the user interacts with
the user agent itself, as distinct from the web content
accessed. In graphical layout terms, chrome is the part of
the user agent window outside of the area displaying the
current web page. This user interface has a number of
inherent problems, as well as problems created by the current
realization.</p>
<div class="div2">
<h3><a href="#where-is-chrome" id="where-is-chrome" name=
"where-is-chrome" class="anchor">9.1 Poorly defined area
for chrome</a></h3>
<p>The above definition of chrome reveals a major
shortcoming in the concept. Chrome is primarily defined by
where it is not, rather than where it is. As a result,
there are a number of tricks for confusing the user about
which parts of their screen contain browser chrome.</p>
<div class="div3">
<h4><a href="#picture-in-picture" id="picture-in-picture"
name="picture-in-picture" class="anchor">9.1.1 Picture in
picture</a></h4>
<p>Modern desktop operating systems support overlapping
windows of varying sizes. A smaller browser window
overlaying a larger browser window can be visually
indistinguishable from a larger browser window displaying
a picture of a smaller browser window in the web page
area. Using dynamic content technology, this picture of a
window can be given functionality that closely mimics
that of a real browser window. In this case, the user may
treat the web page content as a real browser window and
believe the imitation chrome is real chrome.</p>
<p>This level of visual deception may be unnecessary to
fool many users. Studies have demonstrated that many
users still do not fully grasp the flexibility of the
desktop metaphor and wrongly believe the security
indicators of one browser window also pertain to another
located on top of, or next to it. <a href=
"#why-phishing-works">[Why Phishing Works]</a></p>
</div>
<div class="div3">
<h4><a href="#extended-chrome" id="extended-chrome" name=
"extended-chrome" class="anchor">9.1.2 Visually extending
the chrome</a></h4>
<p>The strongest visual cue the user is given for the
boundary between the chrome area and the web page area is
a change in background color. The chrome uses the
background color for application menus, typically a light
grey, and the web page area uses whatever background
color it wishes, but typically white. There is nothing
preventing the web page from using the same background
color as the chrome area for part of the web page area
near the chrome. In this case, the chrome area may appear
to be extended with additional security indicators
specified by the web page. In addition, color-only cues
often do not work for users who are color blind.</p>
<p>Curiously, recent releases of prominent browsers now
use a similar technique to present security information
to the user from the web page area. Typically the chrome
extension uses a light yellow background and appears near
the top of the web page area. A web page could provide an
identical presentation with a message like: "This web
page is guaranteed by Example Inc. to be safe for
e-commerce", where the name Example Inc. would instead
be a brand name widely trusted by users. Since users have
been conditioned by the browser to expect relevant
security information to be presented in this way, they
may trust the message.</p>
</div>
<div class="div3">
<h4><a href="#missing-chrome" id="missing-chrome" name=
"missing-chrome" class="anchor">9.1.3 Removing the
chrome</a></h4>
<p>Employing the above visual tricks may be unnecessary
for a successful attack, since the browser may support
removing the chrome from a browser window, at the
discretion of the visited web site. In this event, the
vacated area of the browser window becomes additional web
page area. Simply depriving the user of the chrome's
security indicators may be sufficient, or the attacker
could display imitation chrome in the same area the user
expects to find real chrome.</p>
</div>
</div>
<div class="div2">
<h3><a href="#what-is-chrome" id="what-is-chrome" name=
"what-is-chrome" class="anchor">9.2 Poorly defined role for
chrome</a></h3>
<p>Replacing the real chrome with imitation chrome may be
unnecessary for a successful attack, since currently all of
the indicators in the chrome display information chosen by
the attacker. By choosing values for these indicators which
are likely to deceive the user, the attacker can produce an
imitation of the victim web site using the real chrome,
rather than imitation chrome. It is unclear in what way the
user should rely on the chrome, when the chrome displays
only information chosen by the attacker. Following is an
exhaustive list of the indicators found in the chrome of
common web browsers, and the corresponding source of the
displayed information.</p>
<div class="div3">
<h4><a href="#window-title" id="window-title" name=
"window-title" class="anchor">9.2.1 Browser window
title</a></h4>
<p>The browser's window title is constructed using the
content of the HTML <code>TITLE</code> element from the
displayed web page. The attacker has full control over
the content of the displayed web page.</p>
<p>In a browser with multiple tabs for viewing multiple
web pages, the tab title also uses the content of the
<code>TITLE</code> element.</p>
</div>
<div class="div3">
<h4><a href="#back-button" id="back-button" name=
"back-button" class="anchor">9.2.2 Back and forward
buttons</a></h4>
<p>Both the back and forward navigation buttons provide a
drop down list of previously viewed pages. Each page is
identified by the content of the corresponding HTML
<code>TITLE</code> element.</p>
</div>
<div class="div3">
<h4><a href="#URL-bar" id="URL-bar" name="URL-bar" class=
"anchor">9.2.3 URL bar</a></h4>
<p>The current web page's URL is chosen in tandem by the
creator of the referring hyperlink and the web site
operator. When an attacker is directing victims to an
imposter web site, the attacker is both the creator of
the referring hyperlink and the web site operator.</p>
<p>Some browsers provide an additional display of the
hostname of the visited web site. The displayed hostname
is taken from the current web page's URL. An attacker can
choose any hostname that is not already in use, including
ones that may deceive users. See section <a href=
"#hostname-semantics"><b>9.3.2 Hostname</b></a> for
additional discussion.</p>
</div>
<div class="div3">
<h4><a href="#padlock-icon" id="padlock-icon" name=
"padlock-icon" class="anchor">9.2.4 Padlock icon</a></h4>
<p>The padlock icon indicates the use of SSL. The
decision to use SSL, or not, is again at the discretion
of the creator of the referring hyperlink and the web
site operator. In a phishing scenario, the attacker still
plays both these roles. When the web site operator is an
independent party it may redirect a URL chosen by the
attacker to an SSL protected URL; however, this redirect
is delivered over the original unprotected
connection.</p>
</div>
<div class="div3">
<h4><a href="#favicon" id="favicon" name="favicon" class=
"anchor">9.2.5 Favicon</a></h4>
<p>Websites can specify a small graphic to act as an icon
that appears in the URL bar in most desktop web browsers
and on the tabs in some browsers <a href=
"#favicon-howto">[Favicon]</a>. While the desktop web
browsers control this chrome, none place any restrictions
on the type of websites or the content of the images that
will be displayed. Consequently, an imposter web site can
display the icon of an impersonated web site in the web
browser's chrome.</p>
<p>A website may also choose to display a favicon that
looks exactly like the padlock icon that is displayed in
the URL bar by many browsers to indicate an SSL
connection. In this case, the user may believe that SSL
is being used, when it is not.</p>
</div>
<div class="div3">
<h4><a href="#status-bar" id="status-bar" name=
"status-bar" class="anchor">9.2.6 Status bar</a></h4>
<p>By default, the status bar displays messages from the
browser, such as the target of the hyperlink under the
mouse cursor. The displayed web page can also display any
message of its choosing in this area.</p>
</div>
<div class="div3">
<h4><a href="#information-bar" id="information-bar" name=
"information-bar" class="anchor">9.2.7 Information bar
(aka: notification bar)</a></h4>
<p>Some desktop web browsers use a colored bar called an
information bar (or notification bar) across the top of
the web content window to communicate with users. These
messages are specific to the content of the web content
window, and usually alert the user to the fact that a
potentially undesirable action has been suspended, such
as the automatic installation of software or the opening
of a new web content window.</p>
<p>While the content of the information bar is controlled
by the web browser, a convincing replica of this
interface can easily be created by a malicious web site
and placed at the top of their content.</p>
</div>
</div>
<div class="div2">
<h3><a href="#why-is-chrome" id="why-is-chrome" name=
"why-is-chrome" class="anchor">9.3 Poor user understanding
of chrome</a></h3>
<p>Employing a great deal of deception might also be
unnecessary for a successful attack, since studies have
shown many users have a poor understanding of the chrome.
The current chrome indicators provide a thin summary of raw
technical artifacts drawn from the network protocol's
current exchange. The full meaning of these protocol
artifacts is not necessarily understood by users.</p>
<div class="div3">
<h4><a href="#padlock-icon-semantics" id=
"padlock-icon-semantics" name="padlock-icon-semantics"
class="anchor">9.3.1 Padlock icon</a></h4>
<p>The presence of the padlock icon in the chrome only
indicates the current web page was transmitted using the
SSL protocol. The icon does not denote a guarantee of
trustworthiness, nor is it an indication of legitimacy;
an imposter site can be accessed using the SSL protocol.
On its own, the fact that SSL was used is not actionable.
The fact must first be paired with many others before a
warranted decision can be made. Nevertheless, some
studies have shown the presence of a padlock icon, when
it is noticed, contributes to a user's vague sense of
security <a href="#users-conceptions">[Users'
conceptions]</a>. Relying on the padlock icon in this way
is not supported by the mere use of SSL by a web
page.</p>
</div>
<div class="div3">
<h4><a href="#hostname-semantics" id="hostname-semantics"
name="hostname-semantics" class="anchor">9.3.2
Hostname</a></h4>
<p>DNS is a hierarchical name space. Name assignments on
upper layers of this name space are controlled by various
policy and business processes and often thought of as
identifiers for real-world entities; name assignments on
the lower layers are typically chosen freely and often
thought of as identifiers for individual hosts or
services. However, these intricacies are not widely
understood. Studies show that users will interpret brand
names that occur on any level of a domain name as a
signal that allows them to assume some kind of reliable
association between the brand and the domain name
<a href="#security-toolbars">[Security Toolbars]</a>.</p>
</div>
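<p>The two hostname problems raised in this document, brand names appearing at a freely chosen lower level of the name hierarchy (9.3.2) and typo variants of a hostname the user meant to visit (6.6.1.1), can both be checked mechanically by a user agent. The following is an added example, not code from the W3C document or from any browser: it splits a hostname into the registrable domain and the labels below it, reports at which level a brand token occurs, and compares the registrable domain with the user's bookmarks for near-misses. The suffix list is a constructed, deliberately tiny stand-in for the full public suffix list a real user agent would consult, and the bookmark list and hostnames are constructed too. A "registrable" placement says only that the brand sits in the policy-controlled part of the name, not that the site is legitimate.</p>

```python
"""Hostname-level checks for sections 6.6.1.1 (URL typo) and 9.3.2
(brand names at lower DNS levels).  Added example; the suffix list
and bookmark list are constructed stand-ins, not real data."""

# Constructed, simplified stand-in for a public suffix list (assumption:
# a real user agent would use the complete list).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "example"}

# Constructed bookmark list standing in for the user's habitual sites.
KNOWN_HOSTS = ["www.examplebank.com", "news.example.org"]


def registrable_domain(hostname: str) -> str:
    """Return the label directly below the public suffix, plus the suffix:
    the part of the name that policy and business processes control."""
    labels = hostname.lower().rstrip(".").split(".")
    # Longest suffix first so that 'co.uk' wins over 'uk'.
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def brand_placement(hostname: str, brand: str) -> str:
    """'registrable' if the brand token is in the registrable domain,
    'subordinate' if it only occurs in freely chosen lower labels,
    'absent' otherwise."""
    brand = brand.lower()
    reg = registrable_domain(hostname)
    if brand in reg.split(".")[0]:
        return "registrable"
    labels = hostname.lower().rstrip(".").split(".")
    lower_labels = labels[: -len(reg.split("."))]
    if any(brand in label for label in lower_labels):
        return "subordinate"
    return "absent"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo variants of known names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss(hostname: str, known_hosts, max_distance: int = 2):
    """Return (known_host, distance) for the bookmarked site whose
    registrable domain is within max_distance edits of the visited one
    but not identical; None if the visit is an exact match or unrelated."""
    visited = registrable_domain(hostname)
    best = None
    for known in known_hosts:
        k = registrable_domain(known)
        if k == visited:
            return None  # exact match: not a typo
        d = edit_distance(visited, k)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (known, d)
    return best


def assess(hostname: str, brand: str, known_hosts) -> dict:
    """Summary a user agent could turn into an indicator or warning."""
    return {
        "registrable_domain": registrable_domain(hostname),
        "brand_placement": brand_placement(hostname, brand),
        "near_miss": near_miss(hostname, known_hosts),
    }


if __name__ == "__main__":
    for host in ("www.examplebank.com",
                 "examplebank.com.attacker.example",
                 "www.exmaplebank.com",
                 "login.examplebank.co.uk"):
        print(host, assess(host, "examplebank", KNOWN_HOSTS))
```

<p>The registrable-domain split is what makes the brand check meaningful: "examplebank" inside <code>examplebank.com.attacker.example</code> is classified as subordinate because every label above <code>attacker.example</code> was chosen by whoever controls that registration, which is exactly the distinction the studies cited above show users do not draw on their own.</p>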
<div class="div3">
<h4><a href="#chrome-vs-page" id="chrome-vs-page" name=
"chrome-vs-page" class="anchor">9.3.3 Chrome versus
page</a></h4>
<p>Perhaps the most surprising result of user studies is
that the distinction between chrome and page area does
not exist in the minds of many users. Professional
looking content is deemed a more reliable indicator of
legitimacy. A padlock icon appearing in the page area has
the same significance as one in the chrome <a href=
"#security-toolbars">[Security Toolbars]</a>. Whether an
indicator in the chrome is a security indicator, or a
decoration set by the web page is unclear <a href=
"#why-phishing-works">[Why Phishing Works]</a>. Given the
reality of the current functionality of the chrome, these
user perceptions are quite reasonable. Current chrome is
just a decoration whose content is largely, or entirely,
determined by the visited web site.</p>
</div>
<div class="div3">
<h4><a href="#learning-by-doing" id="learning-by-doing"
name="learning-by-doing" class="anchor">9.3.4
Explanations versus understanding</a></h4>
<p>Users come to an understanding of security indicators
predominantly through use and direct experience, and
somewhat through general awareness (discussions with
others, news and other information they might receive).
Users knowing about the padlock icon at all, for example,
shows that user education does happen over time.
Experience and history with education on using computer
software indicates that users do not learn and act
exactly on what is explicitly taught them (for an example
of that in user security, see <a href=
"#make-up-your-mind">[Make Up Your Mind]</a>). Explicit
user education does not override other problems and does
not consistently alter user behavior.</p>
</div>
</div>
<div class="div2">
<h3><a href="#when-is-chrome" id="when-is-chrome" name=
"when-is-chrome" class="anchor">9.4 Poor usability of
chrome</a></h3>
<p>Even if the chrome was perfectly implemented and fully
understood by users, it still might not, as currently
designed, provide effective protection.</p>
<div class="div3">
<h4><a href="#ignored-chrome" id="ignored-chrome" name=
"ignored-chrome" class="anchor">9.4.1 Out of sight, out
of mind</a></h4>
<p>Browsing the web involves reading text, clicking
hyperlinks and filling out forms; all activities which
take place entirely within the web page area of the
browser window. Consequently, studies have shown that
users rarely consult the chrome, instead focusing on the
task at hand. Even when the chrome has not been tampered
with and is providing the intended presentation, it goes
unnoticed by users <a href="#security-toolbars">[Security
Toolbars]</a>, <a href="#why-phishing-works">[Why
Phishing Works]</a>.</p>
</div>
<div class="div3">
<h4><a href="#assumed-safety" id="assumed-safety" name=
"assumed-safety" class="anchor">9.4.2 Assumed
safety</a></h4>
<p>Current chrome decorates web pages that provide
security information, and remains silent about those that
provide none. This design creates multiple problems.</p>
<p>It is difficult for humans to react to the absence of
something. Studies have shown that users do not reliably
notice the absence of security indicators <a href=
"#why-phishing-works">[Why Phishing Works]</a>.</p>
<p>Users, and even experts, commonly attribute more
security than is warranted to a web page that is not
protected by SSL. A login form on such a page can be
readily modified in transit such that it will send the
user's login credentials to an attacker before logging
the user into the authentic web site.</p>
</div>
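<p>Two of the facts the document lists as available to the user agent come together in the login-form case above: the target URI of each fetched resource is resolved from the web content (7.1, including whether the rendered view draws on distinct hosts), and a password form delivered or submitted without SSL is exposed to modification in transit (9.4.2). The following is an added example, not code from the W3C document or from any browser, of a small audit that a user agent could run over a fetched page: it resolves every referenced resource against the page URL, lists the third-party hosts involved, and flags password forms whose delivery or submission is unprotected. The sample page and hostnames are constructed.</p>

```python
"""Audit of a fetched page: which hosts the rendered view is composed
from (7.1) and whether a password form is delivered or submitted
without SSL (9.4.2).  Added example; the sample page is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which web content instructs the user agent to
# fetch further resources; their values are resolved against the page URL.
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href",
                  "iframe": "src", "embed": "src", "object": "data"}


class PageAudit(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.resources = []   # absolute target URIs of referenced resources
        self.forms = []       # {'action': absolute URI, 'has_password': bool}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in RESOURCE_ATTRS and a.get(RESOURCE_ATTRS[tag]):
            self.resources.append(urljoin(self.page_url, a[RESOURCE_ATTRS[tag]]))
        elif tag == "form":
            # A missing action submits back to the page URL itself.
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "has_password": False}
            self.forms.append(self._form)
        elif (tag == "input" and self._form is not None
              and (a.get("type") or "").lower() == "password"):
            self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(page_url: str, html: str) -> dict:
    """Return resource hosts, third-party hosts, password-form targets and
    the findings a user agent could surface for this page."""
    p = PageAudit(page_url)
    p.feed(html)
    page = urlsplit(page_url)
    hosts = sorted({urlsplit(u).hostname for u in p.resources
                    if urlsplit(u).hostname})
    findings = []
    if page.scheme != "https":
        findings.append("page delivered without SSL: content can be "
                        "modified in transit")
    for f in p.forms:
        if not f["has_password"]:
            continue
        act = urlsplit(f["action"])
        if act.scheme != "https":
            findings.append(f"password form submits without SSL to {f['action']}")
        elif act.hostname != page.hostname:
            findings.append(f"password form submits to another host: {act.hostname}")
    return {"resource_hosts": hosts,
            "third_party_hosts": [h for h in hosts if h != page.hostname],
            "password_forms": [f["action"] for f in p.forms if f["has_password"]],
            "findings": findings}


# Constructed sample page: a news site served over plain HTTP that pulls
# a stylesheet, a script and an advert from three hosts and has a login form.
SAMPLE_PAGE_URL = "http://www.example.com/news"
SAMPLE_HTML = """
<html><head><title>Example News</title>
<link rel="stylesheet" href="/style.css">
<script src="https://cdn.example.net/lib.js"></script></head>
<body>
<img src="//ads.example.org/banner.png">
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="https://search.example.com/q"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

<p>Note that the scheme-relative advert URL resolves to plain HTTP because the page itself was fetched over HTTP, so the same third-party resource can be protected or unprotected depending only on how the page was reached; that is the kind of derived fact the indicators in section 9 do not currently convey.</p>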
<div class="div3">
<h4><a href="#dialog-box" id="dialog-box" name=
"dialog-box" class="anchor">9.4.3 Poor usability of
dialog boxes</a></h4>
<p>Desktop software commonly reports problems through
modal pop-up dialog boxes. Such dialog boxes frequently
appear during normal software use. Also, the user is
frequently given no reasonable course of action other
than clicking the OK button. Consequently, users have
been conditioned to automatically dismiss such dialog
boxes, often without even glancing at their content. User
studies confirm this phenomenon also holds for security
warnings from web browsers <a href=
"#why-phishing-works">[Why Phishing Works]</a>.</p>
</div>
</div>
</div>
<div class="div1">
<h2><a href="#process" id="process" name="process" class=
"anchor">10 Process</a></h2>
<p>Though research incorporating usable security goes back to
the principle of "psychological acceptability" from
<cite>Saltzer and Schroeder</cite> <a href=
"#saltzer-schroeder">[Saltzer and Schroeder]</a>, making
security usable is still a nascent area for research <a href=
"#security-and-usability">[Security and Usability]</a>. There
are no worked examples of formal standards from
standards-making bodies on usable security to emulate. There are a
limited number of worked examples in deployed products to
learn from. There are a larger number of attempts with
unclear results to learn from. We have yet to get
widely applicable, satisfactory answers to basic questions on
usable security. Consequently, this Working Group's
recommendations will necessarily contain more innovation than
might a traditional standards effort. This section details
the process the Working Group will employ to mitigate the
significant perils of innovation in a standards effort.</p>
<div class="div2">
<h3><a href="#feedback" id="feedback" name="feedback"
class="anchor">10.1 Expertise and experience</a></h3>
<p>By its very nature, the public review of the
deliverables of this Working Group via the W3C standards
process will provide pertinent and timely input from
researchers and practitioners in a variety of disciplines,
including usability and design, security, and
accessibility. That feedback may be based on experience
with other standards efforts, experience prototyping or
developing software or devices, experience with deployment
or use of software or devices, or other forms of anecdotal
evidence. This data represents experience and knowledge
that has not been or cannot be captured via documented
principles, previous studies, or the Working Group's
testing. The Working Group will use such feedback to inform
our recommendations.</p>
</div>
<div class="div2">
<h3><a href="#usability-principles" id=
"usability-principles" name="usability-principles" class=
"anchor">10.2 Reliance on general usability
expertise</a></h3>
<p>Though principles and examples of usable security are
scarce, expertise on the general usability of software is
more plentiful. Principles of usability aim to help the
user understand presented information, discover the actions
that can be taken, predict the implications of those
actions and so learn how the tool can be made to serve the
user's needs. These aims are also a prerequisite for usable
security. Listed below are design principles, drawn from
the research literature, recognized by the Working Group as
relevant to usable security.</p>
<div class="div3">
<h4><a href="#affordance" id="affordance" name=
"affordance" class="anchor">10.2.1 Affordance</a></h4>
<p>An element of a user interface should include cues
that help the user discover its features <a href=
"#design-of-everyday">[Design of Everyday
Things]</a>.</p>
</div>
<div class="div3">
<h4><a href="#users-model" id="users-model" name=
"users-model" class="anchor">10.2.2 Conceptual
model</a></h4>
<p>A user will develop a personal model of what something
does and how it works. The user interface should present
cues that assist the formation of this model and ensure
that the actual and perceived state of the system are
consistent <a href="#design-of-everyday">[Design of
Everyday Things]</a>.</p>
</div>
<div class="div3">
<h4><a href="#users-language" id="users-language" name=
"users-language" class="anchor">10.2.3 Match between
system and the real world</a></h4>
<p>The system should speak the users' language, with
words, phrases and concepts familiar to the user, rather
than system-oriented terms. Follow real-world
conventions, making information appear in a natural and
logical order <a href="#ten-usability-heuristics">[Ten
Usability Heuristics]</a>.</p>
</div>
<div class="div3">
<h4><a href="#habit-formation" id="habit-formation" name=
"habit-formation" class="anchor">10.2.4 Habit
formation</a></h4>
<p>Persistent use of any interface will cause the user to
develop habits. A user interface should leverage habit
formation to shape the user's workflow <a href=
"#humane-interface">[Humane Interface]</a>.</p>
</div>
<div class="div3">
<h4><a href="#locus-of-attention" id="locus-of-attention"
name="locus-of-attention" class="anchor">10.2.5 Single
locus of attention</a></h4>
<p>A user has only a single locus of attention: a feature
or an object in the physical world, or an idea, about
which they are intently and actively thinking. Humans
ignore things that aren't their current locus of
attention. The user's locus of attention is only held in
short-term memory and so will be quickly forgotten once
their attention shifts <a href=
"#humane-interface">[Humane Interface]</a>.</p>
</div>
<div class="div3">
<h4><a href="#minimalist" id="minimalist" name=
"minimalist" class="anchor">10.2.6 Aesthetic and
minimalist design</a></h4>
<p>Dialogues should not contain information which is
irrelevant or rarely needed. Every extra unit of
information in a dialogue competes with the relevant
units of information and diminishes their relative
visibility <a href="#ten-usability-heuristics">[Ten
Usability Heuristics]</a>.</p>
</div>
<div class="div3">
<h4><a href="#lpt1-on-fire" id="lpt1-on-fire" name=
"lpt1-on-fire" class="anchor">10.2.7 Help users
recognize, diagnose, and recover from errors</a></h4>
<p>Error messages should be expressed in plain language
(no codes), precisely indicate the problem, and
constructively suggest a solution <a href=
"#ten-usability-heuristics">[Ten Usability
Heuristics]</a>.</p>
</div>
<div class="div3">
<h4><a href="#justify" id="justify" name="justify" class=
"anchor">10.2.8 Provide explanations, justifying the
advice or information given</a></h4>
<p>If the user is expected to carry out a task or an
action to achieve the desired level of security, they
should have access to an explanation that justifies why
it is necessary.</p>
</div>
<div class="div3">
<h4><a href="#know-your-user" id="know-your-user" name=
"know-your-user" class="anchor">10.2.9 Understand the
user</a></h4>
<p>Design should begin with an understanding of the
intended users. This includes population profiles that
reflect training, motivation, and goals <a href=
"#designing-the-UI">[Designing the User
Interface]</a>.</p>
</div>
<div class="div3">
<h4><a href="#task-profiles" id="task-profiles" name=
"task-profiles" class="anchor">10.2.10 Create task
profiles</a></h4>
<p>With the intended user in mind, designers should
formally write down user tasks <a href=
"#designing-the-UI">[Designing the User
Interface]</a>.</p>
</div>
<div class="div3">
<h4><a href="#consistency" id="consistency" name=
"consistency" class="anchor">10.2.11 Consistency</a></h4>
<p>The cues should be displayed consistently in location,
and across sites and web user agents, in an attempt to
prevent spoofing and user confusion <a href=
"#designing-the-UI">[Designing the User
Interface]</a>.</p>
</div>
</div>
<div class="div2">
<h3><a href="#usability-wisdom" id="usability-wisdom" name=
"usability-wisdom" class="anchor">10.3 Learning from past
efforts</a></h3>
<p>A growing body of research documents presentation
techniques that have not proved effective in providing
usable security. The results of these studies will be used
to judge the expected effectiveness of presentation
techniques. The Working Group will keep abreast of ongoing
studies and subject potential recommendations to review by
usability experts from both inside the Working Group, and
from outside.</p>
<p>Section <a href="#problems"><b>9 Problems with the
status quo</b></a> contains a summary of much of what has
been learned about phishing. Additional results are listed
below.</p>
<div class="div3">
<h4><a href="#uniformity" id="uniformity" name=
"uniformity" class="anchor">10.3.1 No user categories in
phishing vulnerability</a></h4>
<p>In Why Phishing Works <a href=
"#why-phishing-works">[Why Phishing Works]</a>, neither
education, age, sex, previous experience, nor hours of
computer use showed a statistically significant
correlation with vulnerability to phishing.</p>
</div>
<div class="div3">
<h4><a href="#awareness" id="awareness" name="awareness"
class="anchor">10.3.2 The user must be aware of the task
they are to perform</a></h4>
<p>The user must be aware that a decision is to be made,
what information should be used to make the decision, and
where to look for the information <a href=
"#johnny">[Johnny]</a>.</p>
</div>
</div>
<div class="div2">
<h3><a href="#usability-testing" id="usability-testing"
name="usability-testing" class="anchor">10.4 Implementation
and testing</a></h3>
<p>Part of a Working Group's activities is developing code
and test suites <a href="#w3c-process">[W3C
Process]</a>.</p>
<p>The Working Group aims to demonstrate and test the WG's
recommendations on usable and robust communication of
security context information through implementations within
the framework of one or more web user agents. The most
likely web user agents to serve as platforms for such
implementations are web browsers. To demonstrate that
recommendations are sufficiently general and interoperable,
we expect implementation in the context of at least two web
user agents.</p>
<p>We are targeting three types of testing of our
recommendations: functional testing, robustness testing,
and usability testing <a href="#w3c-testing">[W3C
Testing]</a>.</p>
<p>All test development and testing is iterative. The
recommendations may need to be modified on the basis of all
three types of testing. Test development starts when work
on the specification starts. Test planning will include
guidelines for developing tests. Test suites are typically
developed when the specifications are in a reasonably
stable state, such as the first full public working draft.
Test development will include test execution instructions.
Automation of the tests will be considered but is unlikely,
as the tests will require human visual confirmation. Clear
descriptions of what to expect and how to judge outcome
will be part of each test.</p>
<p>Functional testing against the sample code and
appropriate deployment configurations will verify that the
recommendations can be translated to web user agent code,
with no functional ill effects on the rest of the web user
agent. It will show that implementations can conform to the
recommendations, and that the specifications clearly define
behaviors. This is also called conformance testing.</p>
<p>Robustness testing will verify that the recommendations
are robust against spoofing attacks. Existing spoofing
attacks will be documented, and new spoofing attacks aimed
directly at the recommendations (both required and
recommended) will be developed. All of these attacks will
take the form of web site content returned to the user
agent (most typically DHTML or XML that a web browser
GETs).</p>
<p>Usability testing will verify that the recommendations
provide usable display of security context information. The
type of usability testing we do will depend on both the
direction of our recommendations and the resources the
Working Group is able to tap into. The Working Group aims
to perform low-fidelity prototyping and testing with a
modest number of test subjects (10 - 20) for each proposed
practice that involves user feedback <a href=
"#tiny-fingers">[Tiny Fingers]</a>. This will be reflected
in Candidate Recommendation exit criteria. Prototyping at
this level will provide feedback in early design phases, at
a point where needed changes can be made easily. It will
also create a more user-centered design process and will
help in the realization of our goals that address
usability.</p>
<p>More extensive user testing will be desirable, and is
expected to contribute to higher-quality outcomes. More
extensive tests may include:</p>
<ul>
<li>
<p>Incremental testing incorporating feedback from
previous iterations</p>
</li>
<li>
<p>Recruiting participants from broader groups which
better represent target user groups, either in size or
relevant characteristics</p>
</li>
<li>
<p>Lab testing of sample code, for example <a href=
"#johnny-2">[Johnny 2]</a></p>
</li>
<li>
<p>Contextual or "in the wild" testing of sample code
<a href="#social-phishing">[Social Phishing]</a></p>
</li>
<li>
<p>More iterative combinations of the above, throughout
the specification lifecycle</p>
</li>
</ul>
</div>
</div>
<div class="div1">
<h2><a href="#acknowledgments" id="acknowledgments" name=
"acknowledgments" class="anchor">11 Acknowledgments</a></h2>
<p>This note is based on input from Tyler Close, Thomas
Roessler, Mary Ellen Zurko, Bill Doyle, Maritza Johnson,
Phill Hallam-Baker, Hal Lockhart, Brad Porter, Dan Schutzer,
Stephen Farrell, Stuart Schechter, Tim Hahn, Luis Barriga,
Mike Beltzner, Al Gilman, Rich Salz, Ian Fette, and the
members of the Web Security Context Working Group. It has
also benefited from general public and working group
commentary on earlier drafts.</p>
</div>
<div class="div1">
<h2><a href="#references" id="references" name="references"
class="anchor">12 References</a></h2>
<dl>
<dt class="label"><a name="dnssec" id=
"dnssec"></a>DNSSEC</dt>
<dd><a href="http://www.ietf.org/rfc/rfc4033.txt"><cite>DNS
Security Introduction and Requirements</cite></a>; R.
Arends, R. Austein, M. Larson, D. Massey, S. Rose; IETF RFC
4033; 2005.</dd>
<dt class="label"><a name="design-of-everyday" id=
"design-of-everyday"></a>Design of Everyday Things</dt>
<dd><cite>The Design of Everyday Things</cite>; Donald
Norman; Doubleday; 1988.</dd>
<dt class="label"><a name="designing-trust" id=
"designing-trust"></a>Designing Trust</dt>
<dd><a href=
"http://www.oreilly.com/catalog/securityusability/"><cite>Designing
Systems That People Will Trust</cite></a>; Andrew S.
Patrick, Pamela Briggs, and Stephen Marsh; Security and
Usability: Designing Secure Systems that People Can Use,
ed. Lorrie Faith Cranor and Simson Garfinkel; 2005.</dd>
<dt class="label"><a name="designing-the-UI" id=
"designing-the-UI"></a>Designing the User Interface</dt>
<dd><a href=
"http://www.cs.umd.edu/hcil/pubs/books/dtui.shtml"><cite>Designing
the User Interface</cite></a>; Ben Shneiderman; Addison
Wesley; 2005.</dd>
<dt class="label"><a name="ev-cert" id="ev-cert"></a>EV
Cert</dt>
<dd><a href="http://www.cabforum.org/"><cite>Extended
Validation SSL Certificates - A New, Higher Standard for
Internet Security</cite></a>; CA/Browser Forum; 2006.</dd>
<dt class="label"><a name="favicon-howto" id=
"favicon-howto"></a>Favicon</dt>
<dd><a href=
"http://www.w3.org/2005/10/howto-favicon"><cite>How to Add
a Favicon to your Site</cite></a>; Karl Dubost; W3C Quality
Assurance; 2006.</dd>
<dt class="label"><a name="http" id="http"></a>HTTP</dt>
<dd><a href=
"http://www.w3.org/Protocols/rfc2616/rfc2616.html"><cite>Hypertext
Transfer Protocol -- HTTP/1.1</cite></a>; R. Fielding, J.
Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T.
Berners-Lee; IETF RFC 2616; June 1999.</dd>
<dt class="label"><a name="http-auth" id=
"http-auth"></a>HTTP Auth</dt>
<dd><a href=
"http://www.ietf.org/rfc/rfc2617.txt"><cite>HTTP
Authentication: Basic and Digest Access
Authentication</cite></a>; J. Franks, P. Hallam-Baker, J.
Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart;
IETF RFC 2617; 1999.</dd>
<dt class="label"><a name="http-cookie" id=
"http-cookie"></a>HTTP Cookie</dt>
<dd><a href=
"http://www.faqs.org/rfcs/rfc2965.html"><cite>HTTP State
Management Mechanism</cite></a>; D. Kristol, L. Montulli;
IETF RFC 2965; 2000.</dd>
<dt class="label"><a name="https" id="https"></a>HTTPS</dt>
<dd><a href=
"http://www.ietf.org/rfc/rfc2818.txt"><cite>HTTP Over
TLS</cite></a>; E. Rescorla; IETF RFC 2818; 2000.</dd>
<dt class="label"><a name="humane-interface" id=
"humane-interface"></a>Humane Interface</dt>
<dd><a href=
"http://rchi.raskincenter.org/index.php?title=Home#Jef_Raskin.27s_The_Humane_Interface">
<cite>The Humane Interface: New Directions for Designing
Interactive Systems</cite></a>; Jef Raskin; 2000.</dd>
<dt class="label"><a name="johnny" id=
"johnny"></a>Johnny</dt>
<dd><a href=
"http://www.cs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf">
<cite>Why Johnny Can't Encrypt: A Usability Evaluation of
PGP 5.0</cite></a>; Alma Whitten and John D. Tygar; Usenix;
1999.</dd>
<dt class="label"><a name="johnny-2" id=
"johnny-2"></a>Johnny 2</dt>
<dd><a href=
"http://cups.cs.cmu.edu/soups/2005/2005proceedings/p13-garfinkel.pdf">
<cite>Johnny 2: A User Test of Key Continuity Management
with S/MIME and Outlook Express</cite></a>; Simson L.
Garfinkel, Robert C. Miller; Symposium On Usable Privacy
and Security; 2005.</dd>
<dt class="label"><a name="make-up-your-mind" id=
"make-up-your-mind"></a>Make Up Your Mind</dt>
<dd><a href=
"http://www.acsa-admin.org/2002/papers/7.pdf"><cite>Did You
Ever Have To Make Up Your Mind? What Notes Users Do When
Faced With A Security Decision</cite></a>; Mary Ellen
Zurko, Charlie Kaufman, Katherine Spanbauer, Chuck Bassett;
Proceedings of the 18th Annual Computer Security
Applications Conference; 2002.</dd>
<dt class="label"><a name="ocsp" id="ocsp"></a>OCSP</dt>
<dd><a href=
"http://www.ietf.org/rfc/rfc2560.txt"><cite>X.509 Internet
Public Key Infrastructure Online Certificate Status
Protocol - OCSP</cite></a>; M. Myers, R. Ankney, A.
Malpani, S. Galperin, C. Adams; IETF RFC 2560; 1999.</dd>
<dt class="label"><a name="pkix" id="pkix"></a>PKIX</dt>
<dd><a href=
"http://www.ietf.org/rfc/rfc3280.txt"><cite>Internet X.509
Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile</cite></a>; R. Housley, W.
Polk, W. Ford, D. Solo; IETF RFC 3280; 2002.</dd>
<dt class="label"><a name="saltzer-schroeder" id=
"saltzer-schroeder"></a>Saltzer and Schroeder</dt>
<dd><a href=
"http://web.mit.edu/Saltzer/www/publications/protection/"><cite>
The Protection of Information in Computer
Systems</cite></a>; Jerome Saltzer and Michael Schroeder;
Proceedings of the 4th Symposium on Operating System
Principles; ACM Press; 1973.</dd>
<dt class="label"><a name="security-toolbars" id=
"security-toolbars"></a>Security Toolbars</dt>
<dd><a href=
"http://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf">
<cite>Do Security Toolbars Actually Prevent Phishing
Attacks?</cite></a>; Min Wu, Robert C. Miller and Simson L.
Garfinkel; Conference on Human Factors in Computing Systems
(CHI 2006); 2006.</dd>
<dt class="label"><a name="security-and-usability" id=
"security-and-usability"></a>Security and Usability</dt>
<dd><a href=
"http://www.oreilly.com/catalog/securityusability/index.html">
<cite>Security and Usability: Designing Secure Systems that
People Can Use</cite></a>; Lorrie Faith Cranor, Simson
Garfinkel; O'Reilly; 2005.</dd>
<dt class="label"><a name="social-phishing" id=
"social-phishing"></a>Social Phishing</dt>
<dd><a href=
"http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf">
<cite>Social Phishing</cite></a>; Tom Jagatic, Nathaniel
Johnson, Markus Jakobsson, and Filippo Menczer; School of
Informatics Indiana University, Bloomington; 2005.</dd>
<dt class="label"><a name="tls" id="tls"></a>TLS</dt>
<dd><a href="http://www.ietf.org/rfc/rfc2246.txt"><cite>The
TLS Protocol Version 1.0</cite></a>; T. Dierks, C. Allen;
IETF RFC 2246; 1999.</dd>
<dt class="label"><a name="ten-usability-heuristics" id=
"ten-usability-heuristics"></a>Ten Usability
Heuristics</dt>
<dd><a href=
"http://www.useit.com/papers/heuristic/heuristic_list.html">
<cite>Ten Usability Heuristics</cite></a>; Jakob Nielsen;
<a href="http://www.useit.com">useit.com</a>; 1994.</dd>
<dt class="label"><a name="tiny-fingers" id=
"tiny-fingers"></a>Tiny Fingers</dt>
<dd><cite>Prototyping for Tiny Fingers</cite>; M. Rettig;
Communications of the ACM, Vol. 37, No. 4; April 1994.</dd>
<dt class="label"><a name="users-conceptions" id=
"users-conceptions"></a>Users' conceptions</dt>
<dd><a href=
"http://projects.ischool.washington.edu/vsd/files/friedman02websecurity.pdf">
<cite>Users' Conceptions of Web Security: A Comparative
Study</cite></a>; B. Friedman, D. Hurley, D.C. Howe, E.
Felten, H. Nissenbaum; Conference on Human Factors in
Computing Systems (CHI 2002); 2002.</dd>
<dt class="label"><a name="w3c-process" id=
"w3c-process"></a>W3C Process</dt>
<dd><a href=
"http://www.w3.org/2005/10/Process-20051014/process.html"><cite>
World Wide Web Consortium Process Document</cite></a>; Ian
Jacobs; W3C; 2005.</dd>
<dt class="label"><a name="w3c-testing" id=
"w3c-testing"></a>W3C Testing</dt>
<dd><a href=
"http://www.w3.org/QA/WG/2005/01/test-faq"><cite>Test
Development FAQ</cite></a>; W3C Quality Assurance;
2005.</dd>
<dt class="label"><a name="wcag" id="wcag"></a>WCAG</dt>
<dd><a href="http://www.w3.org/TR/WAI-WEBCONTENT"><cite>Web
Content Accessibility Guidelines 1.0</cite></a>; Wendy
Chisholm, Gregg Vanderheiden, Ian Jacobs; W3C
Recommendation; 1999.</dd>
<dt class="label"><a name="web-arch" id=
"web-arch"></a>WEBARCH</dt>
<dd><a href=
"http://www.w3.org/TR/webarch/"><cite>Architecture of the
World Wide Web, Volume One</cite></a>; Ian Jacobs, Norman
Walsh; W3C Recommendation; 2004.</dd>
<dt class="label"><a name="wsc-charter" id=
"wsc-charter"></a>WSC-CHARTER</dt>
<dd><a href=
"http://www.w3.org/2005/Security/wsc-charter"><cite>Web
Security Context Working Group Charter</cite></a>; World
Wide Web Consortium; last modified 17 October 2007. This
version is http://www.w3.org/2005/Security/wsc-charter.</dd>
<dt class="label"><a name="ref-wsc-threats" id=
"ref-wsc-threats"></a>WSC-THREATS</dt>
<dd><a href=
"http://www.w3.org/TR/2007/NOTE-wsc-threats-20071101/"><cite>
Web User Interaction: Threat Trees</cite></a>; T. Roessler,
Editor; W3C Working Group Note (work in progress); 1 November 2007.
This version is
http://www.w3.org/TR/2007/NOTE-wsc-threats-20071101/. The
<a href="http://www.w3.org/TR/wsc-threats/">latest
version</a> is available at
http://www.w3.org/TR/wsc-threats/.</dd>
<dt class="label"><a name="why-phishing-works" id=
"why-phishing-works"></a>Why Phishing Works</dt>
<dd><a href=
"http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf">
<cite>Why Phishing Works</cite></a>; Rachna Dhamija, J.D.
Tygar and Marti Hearst; Conference on Human Factors in
Computing Systems (CHI 2006); 2006.</dd>
</dl>
</div>
</div>
</body>
</html>