Accessibility

From Web Security

Protocols

Are there issues in protocols, and "under-the-hood" security, or is it only about interfaces?

Problems can arise where protocols require interactions or information that do not exist. For example, a requirement for a retinal scan or fingerprint assumes that users have retinae and fingertips, which is not always true.

See also CAPTCHAs...

It's about the interface

Various disabilities mean that people's interaction patterns are quite diverse. Security interfaces that fail to cater for this diversity can leave a particular population exposed to a vulnerability, essentially making them an attractive target. This unfortunately mirrors existing real-world behaviour, and is therefore a threat to general security.

What works, what are the problems?

Who knows?

Screen reader notes

Tested on multiple pages with https:// URLs including Facebook and Google. Tested with these screen readers:

Firefox 35 + Jaws 16, NVDA 2014.4 and Window-Eyes 9

No security information is announced automatically when the page loads. The full https:// URL is announced by the screen reader when focus moves to the address bar.

When using Shift Tab to move focus backwards through the browser chrome (off the top of the HTML document), there is a "Location is verified by [XYZ]" button. It's between the "Location" button and the address bar. Activating the button causes a message with security information about the website to appear.

Note: The "Location is verified by [XYZ]" button is not available when using Tab to move focus forwards through the browser chrome (off the bottom of the HTML document).

IE 11 + Jaws 16, NVDA 2014.4 and Window-Eyes 9

No security information is announced automatically when the page loads. The full https:// URL is announced by the screen reader when focus moves to the address bar.

When using Tab or Shift Tab to move focus through the browser chrome, there is a "Security report" button. It's between the address bar and the set of currently open tabs. Activating the button causes a message with security information about the site to appear.

Chrome 39 + Jaws 16 and NVDA 2014.4

No security information is announced automatically when the page loads. The full https:// URL is announced by the screen reader when focus moves to the address bar. No other means of accessing security information is apparent within the browser chrome.

Note: Jaws does not officially support Chrome although it works in practice.

Chrome 39 (Android 5.0) + TalkBack

No security information is announced automatically when the page loads. The full https:// URL is announced by the screen reader when focus moves to the address bar.

Swiping to the left from the address bar, there is a "Site information" button. Double tapping the button opens information about the site's security.

Safari 8 (OS X 10.10) + VoiceOver

No security information is announced automatically when the page loads. The full https:// URL is announced by the screen reader when focus moves to the address bar, followed by "Secure address". There is no apparent means of accessing more detailed security information.

Safari (iOS 8.1) + VoiceOver

No security information is announced automatically when the page loads. The full https:// URL is announced by the screen reader when focus moves to the address bar and the URL is double tapped. No other means of accessing security information is apparent within the browser chrome.

Note: Safari on iOS may not display the padlock icon if any content is insecure? Needs verification.

Browser security interfaces

Padlock icons

There are icons used to indicate the security of webpages.

Security extensions