FSTC BMA Browser Recommendations

Below are some of the FSTC recommendations that apply to the Safe Browsing Mode and are within the scope of WSC.

Stronger UI

A stronger UI makes it very clear whether or not the user is visiting a "legitimate" site (see below for further discussion of what constitutes legitimacy), and requires explicit user action (e.g. overriding a warning) to visit a site that is questionable. The enhanced UI will go well beyond the existing locked padlock icon and display strong indicators that

Status indicators:


Strengthen Browser against Local Attack:

Local browser-based defense against spoofed sites:

• Logo images can be attached to SSL certificates using the logographic extensions to X.509 described in IETF RFC 3709. Logos can optionally be attached for the issuer (the CA), the subject (the web site or domain), and the community to which the issuer or subject belongs.

Certificate logos play a similar role to favicons. Although web browsers will typically display them somewhat differently, both appear as site identifying images in chrome.

Unlike favicons, however, certificate logos are cryptographically protected from tampering or forgery. And when tied to a well-vetted certificate, they can be traced back to a Real Life entity outside of cyberspace. The latter point is important because it allows legal recourse to be taken if an entity displays a logo in violation of trademarks or contractual agreements.

Certificate logos can be used safely if our recommendations are followed:

• Web agents should only display subject or community logos for high grade SSL certificates (such as EV) that require thorough requester vetting outside cyberspace.

• CAs who issue high grade SSL certificates (such as EV) ought to remind requesters that logographic imagery is subject to trademark laws and that the requester is responsible for ensuring that the logo they supply to the RA is (a) legal for use in all countries and (b) visually distinguishable from other logos.

• In support of (b) above, sites should follow basic principles of sound logo design: use the company name (text) in addition to imagery; don't rely on color to distinguish one company's logo from another (for color-blind users); etc.
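
The display rule for web agents above, sketched as an added example (not part of the FSTC text or of any browser's code): subject and community logos are shown only for a high grade certificate, and any logo is shown only when the fetched image matches the hash carried in the signed RFC 3709 logotype data. The Logo class, the function name, the use of the CA/Browser Forum EV policy OID as the "high grade" marker, the accepted hash list and the choice to leave issuer logos ungated are assumptions of this sketch.

```python
import hashlib
from dataclasses import dataclass

# Assumption: a certificate counts as "high grade" when it asserts the
# CA/Browser Forum EV certificate policy OID.
HIGH_GRADE_POLICY_OIDS = frozenset({"2.23.140.1.1"})
# The recommendation gates subject and community logos; issuer logos are
# left ungated here, which is this example's reading of the text.
GATED_KINDS = frozenset({"subject", "community"})
ALLOWED_HASHES = frozenset({"sha256", "sha384", "sha512"})  # assumption


@dataclass(frozen=True)
class Logo:
    """Hypothetical view of one RFC 3709 logotype entry after parsing."""
    kind: str          # "issuer", "subject" or "community"
    hash_alg: str      # digest algorithm named in the certificate
    hash_value: bytes  # digest carried inside the signed certificate
    image: bytes       # bytes actually fetched from the logotype URI


def displayable_logos(chain_valid, policy_oids, logos):
    """Return the kinds of logo the browser chrome may show."""
    if not chain_valid:
        return []  # without a verified signature the hash protects nothing
    high_grade = bool(HIGH_GRADE_POLICY_OIDS & set(policy_oids))
    shown = []
    for logo in logos:
        if logo.kind in GATED_KINDS and not high_grade:
            continue  # requester was not vetted outside cyberspace
        if logo.hash_alg not in ALLOWED_HASHES:
            continue  # unknown or weak digest: treat as unverifiable
        digest = hashlib.new(logo.hash_alg, logo.image).digest()
        if digest == logo.hash_value:  # image is the one the CA signed for
            shown.append(logo.kind)
    return shown


# Constructed sample data, not taken from any real certificate.
SAMPLE_IMAGE = b"constructed-logo-bytes"
SAMPLE_HASH = hashlib.sha256(SAMPLE_IMAGE).digest()
SAMPLE_LOGOS = [
    Logo("issuer", "sha256", SAMPLE_HASH, SAMPLE_IMAGE),
    Logo("subject", "sha256", SAMPLE_HASH, SAMPLE_IMAGE),
]
```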