Security Context Information; techniques for presentation

WSC WG f2f 2006-11-15

Columns considered for each kind of context information:
current presentation; how robust is it? (widely deployed)
possible best practice approach
how reliable is the information?

HTTP response headers of current page

nothing
need to check IANA registry some day

Cookie information

cookies lead to dialogue boxes, depending on configuration
used to key display of shared secret in page content -> enable user to recognize site they dealt with before
how far are cookies spread? Where are they replayed?

referring page

history on back button; otherwise, not visible
interaction between redirects and history?

URL

displayed: address bar; attacks use limited size of text field and overflow that with user:pass@site style URIs

IDN-based attacks against display of URIs / domain names; TLD whitelists are being deployed

users read URIs in a typo-correcting mode

SSL on/off; session properties
SSL certificate properties: revocation status, issuer, ...

(( completely useless?
Why does it say it's not valid?
black and white right now
experience diluted -- dialogue boxes that get ignored ))

s in https

padlock

color changes -- Firefox, IE7, informal agreement

warning when attempting to submit form controls to non-SSL site when form was transmitted through TLS

"WARNING, YOU ARE NOW SECURE" dialogues

Information about ciphers used isn't presented, but can be displayed. Users rely on cipher suite configuration.

Warnings about validity period; can be overridden by user

All cert properties are available. But the user interface is not understandable -- logotype rendered in base64?

EV certificate work at CA/Browser forum -- IE7 implements this; displays organization's name and issuer name

Opera lock item has a number -- MSmith to dig down on what that means

Firefox has different states of lock items. People in the room don't get them -> corollary about usability?

mismatch between domain name in URI and certificate leads to overridable warning

unknown CA leads to overridable warning

current UI allegedly intended for site debugging purposes

IE7: persistent display of certificate errors, even when overridden by users

Future UI meme: "secure"? "Approved cryptographic state" vs. "unapproved cryptographic state"?

Likely out of scope: Separate debugging mode that displays richer but less usable information? Separate user modes?

configured trust roots

There's a place you can go to look at them. Not understandable.

not available: reputation of CA

Trust root's identity is displayed for EV certs

Different certification policies at same CA aren't translated into user interface, but available as part of overall cert info display.

"This is a certificate authority that you trust for this purpose" (Firefox)

browser history, bookmarks, accumulated user agent state?

password manager state reflected by pre-filling forms

history sidebar

general form-filler support; list of sites that form information has been cached for

reputation service

IE7 phishing filter checks reputation of some URIs; Opera has "something similar"

numerous toolbars

past introductions from friends (eg: in email)

redirection path

URIs flash up

HTML page? (eg: spam-filter-like techniques)

The target URI for a pending request.

mouse over hyperlink -> status bar update

not displayed for form submission buttons

JavaScript can override behaviors

IP address

IP address resolved flashes by

Country of origin for IP address

used / relayed by some anti-phishing tools

A blacklist of evil IP addresses.

used / relayed by some anti-phishing tools

Your current ISP?

Information from external devices (eg: phone call)

Certificate continuity (Browser has encountered the certificate in the past)

Shared secret knowledge (eg: a picture, or a password)

personalization (eg: account history, user's full name)

Shared public knowledge (eg: mother's maiden name, zip code) (ANTI-PATTERN)

Does the page contain active content? (eg: JavaScript)

Does the page contain content sourced from distinct servers?

Does the page come from the intranet or the Internet?

Has the page completed loading?

HTTP content in an HTTPS page
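The following is an added example, not part of the f2f notes and not any browser's code. It models how a user agent could derive several of the signals listed above from the page URI alone: the host actually connected to when a user:pass@site style URI is used, the "s in https", mixed content (HTTP content in an HTTPS page), a form from a TLS page targeting a non-TLS site, and a mismatch between the URI host and the certificate's names. The page object shape, the certNameMatches rule and the sample values are assumptions made for this example.

```javascript
// Added example. Uses the WHATWG URL parser (available in browsers and Node.js),
// which is what actually decides the authority host in a "user:pass@site" URI.

function splitHostname(name) {
  return name.toLowerCase().split('.');
}

// RFC 2818-style name matching: '*' is accepted only as the entire leftmost
// label and matches exactly one label. Assumed rule for this example.
function certNameMatches(pattern, hostname) {
  const p = splitHostname(pattern), h = splitHostname(hostname);
  if (p.length !== h.length) return false;
  return p.every((label, i) => (label === '*' && i === 0) || label === h[i]);
}

// page: { url, certNames, subresources, formActions } (assumed shape)
function securityContext(page) {
  const base = new URL(page.url);
  const secure = base.protocol === 'https:';   // the "s in https"
  const warnings = [];

  // The text before '@' is userinfo, not the host; the connection goes to
  // base.hostname, which is what the address bar needs to make visible.
  if (base.username !== '' || base.password !== '') {
    warnings.push(`userinfo-in-url: connection goes to ${base.hostname}`);
  }

  if (secure) {
    for (const ref of page.subresources) {
      const u = new URL(ref, base);   // relative references resolve against the page
      if (u.protocol === 'http:') warnings.push(`mixed-content: ${u.href}`);
    }
    if (!page.certNames.some((n) => certNameMatches(n, base.hostname))) {
      warnings.push(`cert-name-mismatch: ${base.hostname}`);
    }
  }

  for (const action of page.formActions) {
    const u = new URL(action, base);
    if (secure && u.protocol !== 'https:') {
      warnings.push(`insecure-form-target: ${u.href}`);
    }
  }

  return { host: base.hostname, secure, warnings };
}

// Constructed sample page (hypothetical names) exercising every check above.
const samplePage = {
  url: 'https://www.bank.example.com@evil.example/login',
  certNames: ['*.bank.example.com'],
  subresources: ['/style.css', 'http://cdn.example/logo.png'],
  formActions: ['http://collector.example/submit'],
};
```

Running securityContext(samplePage) reports the real host as evil.example and four warnings, one per signal; a site that passes all checks yields an empty warnings list.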