Title

Overriding SCI Displays (shortname: override)

Overview

NoteKDECurrentPractice calls out that the Konqueror browser has started to make certain UI elements (the statusbar) permanent. @@ I presume this means that it is making the areas that users rely on for trust decisions permanent; in particular, that content from a web site cannot disable or otherwise turn off the areas where primary SCI is displayed.

Goals

Related to status-quo, although the current wording of status-quo targets security information and its presentation and interpretation, rather than its robustness and assurance.

All robustness proposals (attempt to) satisfy the trusted-path goal.

Applicability

Any web user agent that (proactively) presents SCI to the user, or to a channel presumed to eventually lead to the user, such as accessibility aids.

Requirement | Good Practice

Web user agents MUST NOT provide scripting or other capabilities to web site content whose purpose is to disable presentation of security context information to the user.

In order to verify conformance, web user agents MUST document the interfaces they use to present SCI to the user.

Techniques

The most obvious technique is not to provide scripting or other calls that disable the features that present SCI. It is in the spirit of this proposal that any functionality which can be used, even unintentionally, to disable presentation of SCI would be considered a conformance bug under this proposal once it is discovered. @@ Is this covered adequately?
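As an added illustration (not part of this proposal and not Konqueror's or any browser's actual code), the following hypothetical window.open() feature-string handler treats the status bar as a protected SCI surface: content may toggle ordinary chrome, but a request to hide the status bar is never honoured and is recorded so conformance reviewers can see it. The names and the default-on semantics for unnamed features are assumptions of this example.

```javascript
// Hypothetical feature-string handler for window.open(url, name, features).
// UI surfaces that present security context information (SCI) to the user.
// Page content must never be able to turn these off; listing them here also
// serves as the documentation of the SCI interfaces that the proposal requires.
const PROTECTED_FEATURES = new Set(["status"]); // extend with any other SCI surface

// Chrome that page content is legitimately allowed to toggle.
const CONTROLLABLE_FEATURES = new Set(["toolbar", "menubar", "scrollbars", "resizable"]);

// Legacy feature values: "yes"/"1"/"true"/empty mean on, anything else means off.
function parseBool(value) {
  const v = value.trim().toLowerCase();
  return v === "" || v === "yes" || v === "1" || v === "true";
}

// Returns the effective window features plus a list of protected features
// the content tried to disable (for logging or conformance testing).
function parseWindowFeatures(features) {
  const effective = {
    status: true, toolbar: true, menubar: true, scrollbars: true, resizable: true,
    width: undefined, height: undefined,
  };
  const rejected = [];
  for (const token of features.split(",")) {
    const eq = token.indexOf("=");
    const key = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const rawValue = eq === -1 ? "yes" : token.slice(eq + 1);
    if (key === "") continue;
    if (PROTECTED_FEATURES.has(key)) {
      // SCI surface: ignore the request entirely, but remember attempts to hide it.
      if (!parseBool(rawValue)) rejected.push(key);
      continue;
    }
    if (key === "width" || key === "height") {
      const n = Number.parseInt(rawValue, 10);
      if (Number.isFinite(n) && n > 0) effective[key] = n;
    } else if (CONTROLLABLE_FEATURES.has(key)) {
      effective[key] = parseBool(rawValue);
    }
    // Unknown feature names are ignored.
  }
  return { effective, rejected };
}

// Constructed sample: a popup that asks to hide both the toolbar and the status bar.
const sample = parseWindowFeatures("width=400,height=300,status=no,toolbar=no");
console.log(sample.effective.status, sample.rejected); // true [ 'status' ]
```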

Examples (informational)

@@ As a conforming implementation, can anyone cite more specifically what Konqueror did to make the status bar permanent, and what it did before that allowed it not to be?

Attack resistance and limitations

ThreatTrees 2.C.iii

References

NoteKDECurrentPractice