Copyright © 2008 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
This is a Last Call Working Draft of "Web Security Context: User Interface Guidelines". Previous Working Drafts for this specifications had been published under the name "Web Security Context: Experience, Indicators, and Trust." The W3C Membership and other interested parties are invited to review the document and send comments to public-usable-authentication@w3.org (with public archive) through 15 September 2008. We appreciate if comments follow these guidelines for writing good issues.
This document was developed by the Web Security Context Working Group. The Working Group expects to advance this Working Draft to Recommendation Status.
Compared to previous versions of the specification, a number of features have been removed for this Last Call Working Draft, including guidelines for content authors, and the safe web form editor annex. Chapter 3 Conformance of this specification has been redone substantially, and now defines two different conformance levels.
Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
1 Overview
2 Acknowledgments
3 Conformance
3.1 Product classes
3.2 Language conventions
3.3 Conformance levels
3.4 Conformance claims
4 Interaction and content model
4.1 Overview
4.2 Terms and
definitions
4.2.1 Common User Interface elements
5 Applying TLS to the Web
5.1 Certificate Handling and
Information
5.1.1 Interactively accepting trust anchors or
certificates
5.1.2 Augmented Assurance Certificates
5.1.3 Validated Certificates
5.1.4 Logotype Certificates
5.1.5 Self-signed Certificates and Untrusted Root
Certificates
5.1.6 Petnames
5.2 Types of
TLS
5.3 Mixed
Content
5.4 Error
conditions
5.4.1 TLS errors
5.4.2 Error Conditions based on Third Party or
Heuristic Information
5.4.3 Redirection chains
5.4.4 Insecure form submission
6 Indicators and Interactions
6.1 Identity
and Trust Anchor Signalling
6.1.1 Identity Signal
6.1.2 Identity Signal Content
6.2 Additional Security Context
Information
6.3 TLS
indicator
6.4 Error
handling and signalling
6.4.1 Common Error Interaction Requirements
6.4.2 Notifications and Status
Indicators
6.4.3 Warning/Caution Messages
6.4.4 Danger Messages
6.5 Chrome
Reconfiguration
7 Robustness
7.1 Chrome
and User Interface Practices
7.1.1 Use Shared Secrets to Establish a
Trusted Path
7.1.2 Keep Security Chrome
Visible
7.2 Do not
mix content and security indicators
7.3 Managing User Attention
7.4 APIs
Exposed To Web Content
7.4.1 Obscuring or disabling
Security User Interfaces
7.4.2 Software Installation
7.4.3 Bookmarking APIs
7.4.4 Pop-up Window APIs
8 Security
Considerations
8.1 Active
attacks during initial TLS interactions
8.2 Certificate Status Checking
Failures
8.3 Certificates assure identity, not
security
8.4 Binding "human readable"
names to domain names
8.5 Warning
Fatigue
8.6 Mixing Augmented Assurance and
Validated Certificates
9 References
This specification deals with the trust decisions that users must make online, and with ways to support them in making safe and informed decisions where possible.
In order to achieve that goal, this specification includes recommendations on the presentation of identity information by Web user agents. We also include recommendations on handling errors in security protocols. The error handling recommendations both minimize the trust decisions left to users, and represent known best practice in inducing users toward safe behavior where they have to make these decisions. To complement the interaction and decision related parts of this specification, 7 Robustness addresses the question of how the communication of context information needed to make decisions can be made more robust against attacks.
This document specifies user interactions with a goal toward making security usable, based on known best practice in this area. Subsequent testing of this specification will include conformance, interoperability, and usability testing.
This specification comes with two companion documents: [WSC-USECASES] documents the use cases and assumptions that underly this specification. [WSC-THREATS] documents the Working Group's threat analysis.
This specification is based on text from Mary Ellen Zurko, Stephen Farrell, Anil Saldhana, Ian Fette, Michael Mccormick, Serge Egelman, Johnathan Nightingale, Yngve N. Pettersen, Luis Bariga, Hal Lockhart, Tyler Close, Bill Doyle, Thomas Roessler, as well as input and discussions from the active members of the Web Security Context Working Group, primarily Phillip Hallam-Baker, Mike Beltzner, Joe Steele,Jan Vidar Krey, Maritza Johnson, Rachna Dhamija and Dan Schutzer. It has also benefitted from general public and working group commentary on earlier drafts.
This specification addresses Web user agents as one class of product.
This specification also addresses products that might incporate changes to a web user agents, such as plugins, extensions, and others; they are summarily called [Definition: plugins] in this section.
Such products that might incorporate changes to the web user agent, e.g. through the addition or removal of features, can render an otherwise conforming web user agent non conforming, or vice versa.
Throughout the specification, the RFC 2119 [RFC2119] keywords MUST, MUST NOT, SHOULD, SHOULD NOT, MAY are applied, with their respective meanings.
A user agent conforms to this specification at the [Definition: basic level] if it honors all MUST and MUST NOT clauses of this specification.
A user agent conforms to this specification at the [Definition: advanced level] if it also honors all SHOULD and SHOULD NOT clauses of this specification.
Conformance of a plugin is defined in terms of the conformance of the user agent that results of the plugin being added to a base user agent. E.g., if a given user agent conforms to this specification on the basic level, and a plugin adds features that lead to conformance on the advanced level, then this plugin conforms on the advanced level with respect to this base user agent.
A claim about a Web user agent's conformance with this specification must state:
A claim about a plugin's conformance with this specification must include all of the above, and also identify the base user agent with respect to which conformance is claimed.
This specification assumes a human user interacting with a Web user agent, interacting with Web resources. Many of the requirements specified are focused on the presentation of security context information to the user, and therefore directly relate to user interfaces. Where requirements or techniques are specific to certain modalities, these are made explicit, and are part of the preconditions for applying the requirement or technique.
When this specification speaks of a Web user agent to describe the application through which a user interacts with the Web, then this term is used on a conceptual level: No assumption is made about implementation details; the "Web user agent" may denote a combination of several applications, extensions to such applications, operating system features, and assistive technologies.
A common web user agent will therefore be a web browser with some number of plug-ins, extensions, call outs to external systems which render particular document formats, and assistive technologies.
This specification makes no specific assumption about the content with which the user interacts, except for one: There is a top-level Web page that is identified by a URI [RFC3986]. This Web page might be an HTML frameset, an application running on top of a proprietary run-time environment, or a document in a format interpreted by plug-ins or external systems served as part of a Web interaction. The page's behavior might be determined by scripting, stylesheets, and other mechanisms.
Some requirements are expressed in terms of user interface components commonly found in current-generation Web user agents.
4.2 Terms and definitions is expected to be consistent with the Web Content Accessibility Guidelines Version 2, [WCAG20].
[Definition: A Web User Agent is any software that retrieves and presents Web content for users.]
[Definition: A Web Page is a resource that is referenced by a URI and is not embedded in another resource, plus any other resources that are used in the rendering or intended to be rendered together with it.]
This section defines terms for user interface elements commonly present in Web User Agents.
[Definition: Primary User Interface denotes the portions of a Web user agent's user interface that are available to users without being solicited by a user interaction.]
Examples of primary user interface include the location bar in common Web user agents, the "padlock" icon present in common Web user agents, or error pages that take the place of a Web page that could not be retrieved.
[Definition: Secondary User Interface denotes the portions of a Web user agent's user interface that are available to the user after they are solicited by a specific user interaction.]
Examples of secondary user interface include the "Page Information" dialogue commonly found in Web user agents, and the "Security Properties" dialogue that can obtained by clicking the padlock icon in common Web user agents.
[Definition: Location Bar is a widget in a Web user agent's user interface which displays (and often allows input of) the textual location (entered as a URL) of the resource being requested (or displayed - after the response is received).]
Public key certificates (see [RFC3280]) are widely used in TLS, but have been the basis for the generation of many inappropriate warnings and other dialogs for users. This section describes some modifications to current certificate processing aimed at improving this aspect of handling web security context and defines some new terms describing various cases related to certificate handling in Web user agents.
Web user agents can base their acceptance of certificates that are presented by Web servers on various sources, including user action, previous interactions involving the same certificate, or, as more traditionally assumed, on validation of a certificate chain where each certificate is issued by a Certification Authority (CA). The practices used by CAs (and the information attested to) vary by CA and are not available in any useful sense to Web user agents.
A trust anchor represents an authoritative entity represented via a public key and associated data. The public key is used to verify digital signatures and the associated data is used to constrain the types of information for which the trust anchor is authoritative. Relying parties use trust anchors to determine if digitally signed information objects are valid by verifying digital signatures using the trust anchor's public key and by enforcing the constraints expressed in the associated data.
Trust anchor installation is typically handled by Web user agent vendors ,systems administrators and device manufacturers, based on out-of-band information. Note that trust anchor update is therefore often handled as part of Web user agent or operating system software update.
However, current Web user agents sometimes support the interactive acceptance of a trust anchor during a session, based on user interaction. Most users cannot sensibly decide how to handle such interactions.
Similarly, end-entity (e.g. web server) certificates that cannot be currently verified using the Basic Path Validation algorithm may trigger current Web user agents to offer the user a choice to accept the certificate in any case, sometimes for a single session, sometimes for all future sessions involving that certificate.
[Definition: A trust anchor or certificate is interactively accepted if the acceptance was caused through a user interaction that happens whlie the user is focused on a primary task unrelated to trust and certificate management.]
For example, if a web server certificate is presented for acceptance by a user during ordinary Web interactions, and is accepted by the user, then this matches the test for interactive acceptance. If, however, a systems administrator (or user) adds a trust anchor's certificate to a browser's store of trust roots, then that certificate is not considered accepted interactively.
Some trust anchors adhere to documented broadly accepted practices (e.g. [EVTLSCERT]) that involve some level of guarantee that certificates chaining up to those roots embody augmented assurance and can therefore be treated more favourably in terms of the primary security indicators. In order to allow a Web user agent to provide such special treatment, the trust anchor, and possibly all certificates in a path chaining up to such a trust anchor may need to be specially marked, e.g. through the use of specific policy object identifiers.
The specific marking mechanisms to be used and the special treatment to be afforded to such certificates are out of scope of this document but will typically be covered by the underlying augmented assurance specification. Web user agent implementors determine the set of such standards that they support and the associated special treatment to apply, other than as outlined below, where we impose some consistency requirements on the handling of this type of certificate.
Web user agents MUST establish that a trust anchor is [Definition: AA-qualified ] through some out of band mechanism consistent with the relevant underlying augmented assurance specification.
Marking a trust anchor as AA-qualified is a security-critical step and most often will involve the use of some application-specific out-of-band mechanism.
Implementations MUST NOT enable users to designate trust roots as AA-qualified as part of a different interaction. Implementations MAY make user interfaces available for the purpose of designating AA-qualified trust roots. Such user interfaces MUST be focused on this specific task. In particular, the notions of an AA-qualified trust root and an interactively accepted trust root are mutually exclusive.
[Definition: An Augmented Assurance Certificate (AAC) is a public key certificate where the issuer asserts that the subject entity has been authenticated by means of some process that adheres to the requirements of an augmented asurance specification supported by the Web user agent. The certificate chain for such a certificate MUST be validated up to a trust root that is recognized as AA-qualified by the user agent.]
To derive a human-readable subject name from an AAC, user agents MUST use the Subject field's Organization (O) attribute.
If the certificate's Subject field does not have an Organization attribute, then user agents MUST NOT consider the certificate as an augmented assurance certificate, even if it chains up to an AA-qualified trust root. User agents MAY consider such a certificate as an ordinary validated certificate.
The term [Definition: validated certificate ] is used to denote a public key certificate that has been verified by chaining up to a locally configured trust anchor. The set of trust anchors used by a given Web User agent is implementation-dependent.
Since Augmented Assurance Certificates chain up to a "special" trust anchor, all valid Augmented Assurance Certificates are also validated certificates.
Certificates or certificate chains that are pinned to a particular destination are not considered validated certificates by virtue of being pinned.
The notion of a validated certificate in this specification corresponds to the domain validated certificate commonly deployed on the Web. This type of certificate attests to a binding between a domain name registration and a key pair; additional certificate attributes are often not validated.
RFC 3709 [RFC3709] defines a certificate extension to embed three kinds of logotypes with an X.509 certificate, for use with public key certificates [RFC3280] or attribute certificates [RFC3281].
[Definition: The Community logotype is a logotype that identifies a community.]
[Definition: The Issuer Organization logotype is a logotype that identifies the organization that issued the certificate.]
[Definition: The Subject Organization logotype is a logotype that identifies the organization to which the certificate was issued.]
Logotype certificates that are validated, are considered validated certificates.
Where this specification suggests or mandates the rendering of (either audio or visual) logotypes, the logotype is chosen as follows:
When the logotype information is derived from an augmented assurance certificate, then the subject logotype MUST be rendered, if present.
Otherwise, when the logotype information is derived from a validated certificate, then the issuer logotype MUST be rendered, if present.
Note that an augmented assurance certificate that does not include a subject logo will cause the issuer logotype, if present, to be rendered.
The rendering of audio logotypes SHOULD be limited to a short amount of time, and clearly separate from any rendering of other security context information. In particular, user agents MAY shorten audio logotypes for playback. When a user agent will both display visual logotype information as well as emit/play audio logotype information, the user agent MUST ensure that the display/play of these two forms are time-synchronized so that the start times of their display/play coincides visibly and audibly.
Self-signed certificates (SSC) which are not trust anchors by themselves are commonly used for appliances and web sites catering to small groups of users, and essentially serve as a container for cryptographic key material in a key exchange that is not verified by any third party. Certificate chains that lead up to custom root certificates which are not part of the user agent's store of trust roots are sometimes used similarly.
In both situations, use of TLS provides confidentiality protection services against passive attackers. No binding of a third-party asserted identity to the cryptographic key is achieved. In both cases, the certificates are not considered validated certificates.
If a Web site consistently presents the same self-signed certificate (or the same certificate chaining up to the same untrusted root) to a client, then this can be strong evidence that protection against an active attacker has been achieved as well. Conversely, a change of certificates for the same site can be evidence that a man in the middle attack occurs -- or it can be a symptom that the legitimate site has changed to a different certificate.
Web user agents MAY support [Definition: pinning] a self-signed certificate or more generally a certificate chain that leads to an untrusted root certificate to a particular Web site, to enable behavior based on recorded state about certificates shown previously by the same site. Such behavior includes, e.g., warning users about changes of certificates, and not showing warning messages if a site shows a certificate consistent with previous visits.
The interaction that enables users to pin a certificate to a destination SHOULD NOT cause a self-signed certificate to be pinned to more than one site, identified through URI scheme, domain, and port. The interaction MUST NOT cause an untrusted root certificate to be accepted automatically for additional sites. A pinned self-signed certificate SHOULD be considered sufficient identification to allow user agents to associate a petname with the site, if supported.
If a client is able to automatically accept a self-signed certificate, or recover from similar problem without user interaction, it MUST support a mechanism to store and use information about certificates that were previously encountered, and to detect changes against historical usage of certificates as described in more detail in section 5.4.1 TLS errors.
For TLS-secured pages, the user agent MAY allow the user to assign the authenticated entity a [Definition: petname]. If the web page uses a validated certificate, this assignment MUST create a binding from the petname to each of the host identifiers the certificate is valid for. These identifiers are found in the CN attribute and the subjectAltNames attribute, as specified in [RFC2818]. If the Web page uses a pinned self-signed certificate or certificate chain, this assignment MUST create a binding from the petname to the pinned destination only. It MUST NOT create a binding from the petname to any other destination.
To discover the petname that corresponds to the entity that is authenticated through a validated certificate, user agents MUST use identifiers from the certificate only. In particular, when the certificate includes domain name wildcards, then the same petname will be associated to all sites that present a validated certificate which includes the same wildcard.
Presentation of a petname MUST support renaming and deleting of a petname binding.
When the user assigns a petname, the petname presentation implementation MUST warn the user if the chosen petname is similar to one currently in use. The meaning of similar is up to the implementation, but MUST at least include an identical petname.
A web user agent that supports petnames MUST also support a presentation of bookmarks that presents the association between each bookmark and the petname of the hosting site. If the hosting site could be assigned a petname, but the user has not yet done so, the presentation MUST present those bookmarks as being associated with a distinct, but not yet petnamed site. If the hosting site cannot be assigned a petname, because the hosting site does not support the previously established constraints for assignment of a petname, the presentation MUST indicate so. This bookmark presentation MUST support assignment, renaming and deletion of petnames.
The most common mechanism for applying TLS to the Web is
the use of the https URI scheme [RFC2818]; the alternative upgrade
mechanism [RFC2817] is used
rarely, if at all. For the purposes of this specification,
the most relevant property of [RFC2818] is that the URI used to
identify a resource includes an assertion that use of TLS
is desired.
This specification uses the term [Definition: HTTP transaction ] regardless of
whether any kind of TLS protection was applied; in
particular, the transactions arising when an
https URL is dereferenced are subsumed under
this term.
[Definition: An HTTP transaction is TLS-protected if an upgrade according to [RFC2817] is performed successfully, or if the resource was identified through a URL with the https URI scheme, the TLS handshake was performed successfully, and the HTTP transaction has occurred through the TLS channel.]
Note that an HTTP transaction may be considered
TLS protected
even though weak algorithms (including NULL
encryption) are negotiated.
[Definition: An HTTP transaction is strongly TLS-protected if it is TLS-protected, an https URL was used, strong TLS algorithms were negotiated for both confidentiality and integrity protection, and one of the following conditions are true:]
TLS modes that do not require the server to show a
certificate (such as the DH_anon mode) do not
lead to a strongly TLS-protected transaction.
The ability to provide privacy and secure the connection between a user agent and web server is in part determined by the strength and capabilities of the TLS protocol and underlying cryptographic mechanisms. The TLS protocol is versioned to keep pace with protocol features and cipher suites that are available. Cipher suites are grouped according to algorithms and the key length used by cryptographic functions to provide cipher strength.
When this document speaks of [Definition: Strong TLS algorithms], then the following must hold:
[Definition: An HTTP transaction is weakly TLS-protected if it is TLS-protected, but strong TLS protection could not be achieved for one of the following reasons:]
DH_anonWeakly TLS-protected interactions may provide security services such as confidentiality protection against passive attackers, or integrity protection against active attackers (without confidentiality protection). These properties are often desirable, even if strong TLS protection cannot be achieved.
If a given Web page consists of a single resource only, then all content that the user interacts with has security properties derived from the HTTP transaction used to retrieve the content.
[Definition: A Web page is called TLS-secured if the top-level resource and all other resources that can affect or control the page's content and presentation have been retrieved through strongly TLS protected HTTP transactions. ]
[Definition: A Web page is called mixed content if the top-level resource was retrieved through a strongly TLS protected HTTP transaction, but some dependent resources were retrieved through weakly protected or unprotected HTTP transactions.]
This definition implies that inline images, stylesheets, script content, and frame content for a secure page need to be retrieved through strongly TLS protected HTTP transactions in order for the overall page to be considered TLS-secured.
A Web User Agent that can display an AA indicator MUST NOT display this indicator unless all elements of the page are loaded from servers presenting a validated certificate, over strongly TLS-protected interactions.
This section covers TLS-related error conditions, and maps them to the classes of error handling interactions (see 6.4 Error handling and signalling) that are used when these conditions arise.
If multiple error conditions apply, the most severe signalling level currently known MUST be used, as defined in 6.4 Error handling and signalling.
When, for a TLS-protected HTTP connection, the certificate chain presented by the server does not lead to a trusted root certificate, and the certificate chain presented was not pinned to the destination at hand, the following applies to user agents that are capable of storing and using information about certificates that were previously encountered:
In the same circumstances, the following applies to user agents that are not capable of using information about previously encountered certificates.
Note that, when untrusted certificates are accepted without user interaction, an additional exposure to man-in-the-middle attacks is created. See 8.1 Active attacks during initial TLS interactions for a more detailed discussion of this scenario.
User agents SHOULD store the state of certificates that were previously encountered. (specifically, whether or not a site previously presented a validated certificate). Historical TLS information stored for the purposes of evaluating security relevant changes of behavior MAY be expunged from the user agent on the same schedule as other browsing history information. Historical TLS information MUST NOT be expunged prior to other browsing history information. For purposes of this requirement, browsing history information includes visit logs, bookmarks, and information stored in a user agent cache.
When certificate information is presented in these interactions, human-readable information derived from the certificates (e.g., Common Name or Organization attributes) in question MUST NOT be presented as trustworthy.
When certificate information is presented in these interactions, web user agents MUST NOT display identity information derived from a self signed or untrusted certificate in a warning or error message. Web user agents MAY display this information in a dialog or other secondary chrome reachable through the warning or error message or dialog.
When, for a TLS-protected HTTP connection, the certificate presented is found to have been revoked, error signalling of class danger (6.4.4 Danger Messages) MUST be used.
When, for a TLS-protected HTTP connection, the certificate presented is found to have been expired, error signalling of class danger (6.4.4 Danger Messages) MUST be used. Note that user agents that apply Relaxed Path Validation to non-AA certificates will never detect this error condition for such certificates.
When the URL corresponding to the transaction at hand does not match the certificate presented, and a validated certificate is used, then error signalling of level danger(6.4.4 Danger Messages) MUST be used.
If TLS negotiation otherwise fails, error signalling of level danger (6.4.4 Danger Messages) MUST be used.
User agents that use third party services or heuristic approaches to assess the possible danger of a pending Web transaction MUST use error signalling of class danger (6.4.4 Danger Messages) to signal positively identified dangers, e.g., identified malicious downloads or exploits of user agent vulnerabilities.
To signal risks that are identified with high likelihood, but involve further user decisions (e.g., phishing heuristics were triggered), error signalling of class warning or above (6.4.3 Warning/Caution Messages , 6.4.4 Danger Messages) MUST be used.
Page redirection (whether by 302-style http headers, or html/javascript logic) can happen so quickly in some cases that it is possible for UI to appear as though a continuous, secure connection has been maintained, even if navigation between pages has involved redirects over weakly TLS-protected or unsecured http channels. This can engender false confidence in the integrity and privacy of user data. Web user agents SHOULD inform users, using an error of class Warning or above (6.4.3 Warning/Caution Messages , 6.4.4 Danger Messages), when navigation between TLS-secured pages involves redirects which travel over weakly TLS-protected, or unsecured HTTP channels.
Users interacting with a TLS-secured page are likely to develop the impression that information submitted during these interactions will be submitted through strongly TLS-protected. User agents SHOULD warn users, using an error of class Warning or above (6.4.3 Warning/Caution Messages , 6.4.4 Danger Messages), if form submissions from a TLS-secured page are directed to an unsecured channel.
This section specifies practices for signalling information about the identity of the Web site a user interacts with. All signals specified in this section are passive. No claim is made about the effectiveness of these signals to counter impersonation attacks.
Web user agents MUST make information about the identity of the Web site that a user interacts with available. This [Definition: identity signal ] SHOULD be part of primary user interface during usage modes which entail the presence of signalling to the user beyond only presenting page content. Otherwise, it MUST at least be available through secondary user interface. Note that there may be usage modes during which this requirement does not apply: For example, a Web browser which is interactively switched into a presentation mode that does not display any chrome need not preserve security indicators in primary user interface. On the other hand, a user agent such as a smart phone, air plane seatback or TV set which has a usage mode that makes minimal (but visible) chrome elements available does need to preserve security indicators in such a mode.
If a positive form of identity is available, the identity signal MUST be part of primary user interface when any identity sources that are from unauthenticated or untrusted sources are (also) part of the primary user interface. These sources include URLs.
User interactions to access this identity signal MUST be consistent across all Web interactions facilitated by the user agent, including interactions during which the Web user agent has no trustworthy information about the identity of the Web site that a user interacts with. In this case, user agents MUST indicate that no information is available.
User agents with a visual user interface that make the identity signal available in primary user interface SHOULD do so in a consistent visual position. Web Content MUST not obscure security chrome, 7.4.1 Obscuring or disabling Security User Interfaces.
Information displayed in the identity signal MUST be derived from validated certificates, or from user agent state. Web user agents MUST NOT use information as part of the identity signal that is taken from unauthenticated or untrusted sources.
During interactions with a TLS-secured Web page for which a petname has been defined, the identity signal MUST include that petname.
During interactions with a TLS-secured Web page for which the top-level resource has been retrieved through a strongly TLS-protected interaction that involves an augmented assurance certificate, and for which all dependent resources have been retrieved through interactions that involve validated certificates, the following applies:
The identity signal MUST include human-readable information about the certificate subject, derived as specified in 5.1.2 Augmented Assurance Certificates, to inform the user about the owner of the Web page, unless a petname is displayed.
For Web user agents that use a visual user interface capable of displaying bitmap graphics the identity signal MAY include display of a suitable logotype, selected according to the rules in 5.1.4 Logotype Certificates.
Web user agents that use sound to communicate with the user MAY render an audio logotype that is embedded in the certificate using the logotype extension, according to the requirements in 5.1.4 Logotype Certificates.
During interactions with a TLS-secured Web page for which the top-level resource has been retrieved through a strongly TLS-protected interaction that involves an validated certificate (including an augmented assurance certificate), the following applies:
If the identity signal does not include any other human readable information about the identity of the certificate subject (derived, e.g., from an augmented assurance certificate or a petname), then it MUST include an applicable DNS name retrieved from the subject's Common Name attribute or from a subjectAltName extension.
The identity signal MUST include the Issuer field's Organization attribute to inform the user about the party responsible for that information.
Subject logotypes derived from certificates SHOULD NOT be rendered, unless the certificate used is an augmented assurance certificate.
Note that this behavior does not apply when self-signed certificates or certificate chains that chain up to an untrusted root certificate are used.
During interactions with a mixed content Web page, the identity signal MUST NOT include any positive indicators exceeding those in use for unprotected HTTP transactions. In this situation, the identity signal MAY include indicators that point out any error conditions that occurred.
During interactions with mixed content, Web user agents MUST NOT render any logotypes derived from certificates.
Web user agents MUST provide additional security context information as described in this section through one or more user-accessible information sources. These information sources can be implemented in either primary or secondary user interface. Where security context information is provided in both primary and secondary chrome, the presentation and semantics of the presented information MUST be consistent.
The information sources MUST make the following security context information available:
The information sources SHOULD make the following security context information available:
Additionally, the information sources MAY make the following security context information available:
User agents that provide information about the presence or absence of Cookies [RFC2965] MUST NOT make any claims that suggest that the absence of cookies implies an absence of any user tracking, as there are numerous tracking and session management techniques that do not rely on Cookies.
Web user agents MUST make information about the state of TLS protection available. The [Definition: TLS indicator] SHOULD be part of primary user interface during usage modes which entail the presence of signalling to the user beyond only presenting page content. Otherwise, it MUST at least be available through secondary user interface. As in the case of 6.1.1 Identity Signal, there may be usage modes during which this requirement does not apply. Web content MUST not obscure security chrome, 7.4.1 Obscuring or disabling Security User Interfaces.
User interactions to access the TLS indicator MUST be consistent across all Web interactions. This includes when TLS has not been used to protect those interactions. In this case, web user agents SHOULD indicate the interaction was not TLS protected. User agents with a visual user interface that make the TLS indicator available in primary user interface SHOULD do so in a consistent visual position.
The TLS indicator MUST present a distinct state that is used only for TLS-secured Web pages. The User Agent SHOULD inform users when they are viewing a page that, along with all dependent resources, was retrieved through at least weakly TLS protected transactions, including mixed content.
The user agent MAY accomplish this by using a third state in the TLS indicator, or via another mechanism (such as a dialog, infobar, or other means).
This section defines common error interaction requirements and, ordered by increasing severity, practices to signal the following classes of errors:
Error signalling that occurs as part of primary chrome SHOULD be phrased in terms of threat to user's interests, not technical occurrence.
Primary chrome error messages MUST NOT be phrased solely in terms of art, e.g., jargon. They SHOULD NOT refer the user to enter the destination site that caused the error, e.g., to provide feedback or obtain assistance. For error messages that interrupt the user's flow of interaction, user agents SHOULD enable the user to easily return to the user agent state prior to initiation of the last user interaction that led to the error signal.
For advanced users, error interactions SHOULD have an option for advanced users to request a detailed description of the condition that caused the interaction to occur.
The error interactions characterized in this section typically involve communication of security context information. See 7.1 Chrome and User Interface Practices for best practices for the presentation of such information.
Notifications and status indicators are used when the browser cannot accurately determine a security risk based on the current security context information available. These indicators SHOULD also be used for situations in which the risk level may vary based on user preference.
For visual user agents, notifications and status indicators MUST be displayed in the user agent's persistent primary chrome. These indicators MAY include user interaction (e.g., forcing the user to click a button to continue the primary task). They MUST include a succinct textual description of their meaning.
Warning / Caution messages MUST be used when the system has good reason to believe that the user may be at risk based on the current security context information, but a determination cannot positively be made. These warnings SHOULD be used if the likelihood of danger is present, but cannot be confirmed.
Warning / Caution messages MUST interrupt the user's current task, such that the user must acknowledge the message.
For user agents with a visual user interface, headings of these warnings MUST include words meaning "caution" or "warning". The headings of these warnings MUST be the locus of attention.
Warning / Caution messages MUST provide the user with distinct options how to proceed (i.e., these messages MUST NOT lead to a situation in which the only option presented to the user is to dismiss the warning and continue). The options presented on these warnings MUST be descriptive to the point that their meanings can be understood in the absence of any other information contained in the warning interaction. These warnings SHOULD include one recommended option, and a succinct text component denoting which option is recommended. In the absence of a recommended option, the warning MUST present the user with a method of finding out more information (e.g., a hyperlink, secondary window, etc) if the options cannot be understood.
Danger Messages MUST be used when there is a positively identified danger to the user (i.e., not merely a risk).
The interactions communicating these messages MUST be designed such that the user's task is interrupted.
These interactions MUST be presented in a way that makes it impossible for the user go to or interact with the destination web site that caused the danger situation to occur, without first explicitly interacting with the Danger Message.
If a Web User Agent permits the user to administratively reconfigure the primary user interface in such a way as to suppress any of the displays required by this specification, then it MUST provide a simple administrative mechanism, such as a single button in a configuration menu, to reset the display to be in conformance with this specification.
This section documents best practices for user interfaces that are used to communicate security critical information.
A trusted path can be established between a web user agent and the user through the use of a secret shared between the user and the agent. The shared secret may be an image selected by the user, or can be another type of secret (e.g., text or audio) to meet accessibility requirements. If the shared secret is difficult to guess, it is difficult to exactly emulate, so robust against that aspect of spoofing attacks. Having such a trusted path will not ensure that all users do not fall for phishing attacks (see Emperor's New Security Indicators [EMPEROR]), but known attacks against these trusted paths do not include spoofing.
Web user agents that proactively present security context information to the user (or a channel presumed to eventually lead to the user, such as accessibility aides) MAY accept some presentation information from the user, and associate that information with parts of the user interface that are intended or commonly used to communicate trust information to users.
Techniques to implement this practice for visual user agents include giving the user a selection of backgrounds, skins, or tartans, and customize the graphical look of the web browser with them. Knowing the set of secrets the user can choose from can increase the attackers ability to spoof them, particularly if a small subset is popular. Another technique is to take user specific graphics and use them the same way. If a malicious site can get the user to customize it the same way, it might be possible for the site to spoof the browser.
Techniques for user agents that expose a voice-based user interface include chosing different voices for the presentation of Web content and security context information.
For visual user agents, browser chrome SHOULD always be present to signal security context information. This requirement does not apply when UI is explicitly dismissed by the user.
This requirement is scoped to a specific interaction: When multiple Web pages might be displayed, security critical chrome MAY be not present for those with which the user is not currently interacting. However, chrome used to communicate security context information that relates to the currently interacted Web page MUST always remain on the screen.
To the extent to which users pay attention to passive security indicators at all, noticing and understanding them is made difficult to impossible when the same signal path that is commonly used for security indicators can also be controlled by Web content. For example, the location bar commonly found on browsers is often used to both display the "padlock" security indicator, and a possible "favorite icon" [FAVICON], which can in turn be a simple copy of the very padlock an informed and attentive user might look for.
Web User Agents MUST NOT communicate trust information using user interface elements which can be mimicked within chrome under the control of web content. Site-controlled content (e.g. page title, favicon) MAY be hosted in chrome, but this content MUST NOT be displayed in a manner that confuses hosted content and chrome indicators. This requirement applies to both primary and secondary elements of visual user interfaces.
In particular, Web User Agents SHOULD NOT use a 16x16 image in chrome to indicate security status if doing so would allow the favorite icon to mimic it.
When confronted with multiple modal interactions during a short amount time, users are known to exercise the default option (e.g., by pressing the Return key repeatedly) until the sequence of modal interactions stops blocking the user's intended interaction.
[Definition: An Interaction flooding attack refers to a website with the malicious intent of performing an unintended action (e.g. installing software that would have required an user intervention such as clicking OK on a warning dialog) or by exploiting distraction and task-focus. The website opens a large number of new windows over the desired web content and the malicious action is performed when the user tries to close these new windows and/or clicks on a dialog that indicates a trust decision.]
User interfaces used to inform users about security critical events or to solicit comment MUST employ techniques that prevent immediate dismissal of the user interface, e.g., by using a temporarily disabled "OK" button on user interfaces that make such an interaction paradigm available. When users interact with security relevant notifications (6.4.3 Warning/Caution Messages and above), interactions caused by Web content MUST NOT be granted control of the user agent's interaction.
User agents commonly allow web content to perform certain manipulations of agent UI and functionality such as opening new windows, resizing existing windows, etc. to permit customization of the user experience. These manipulations need to be constrained to prevent malicious sites from concealing or obscuring important elements of the browser interface, or deceiving the user into performing dangerous acts. This section includes requirements and techniques to address known attacks of this kind.
Web user agents MUST prevent web content from obscuring, hiding, or disabling security user interfaces.
Web user agents MUST restrict window sizing and moving operations consistent with 7.1.2 Keep Security Chrome Visible. This prevents attacks wherein browser chrome is obscured by moving it off the edges of the visible screen.
Web user agents MUST NOT allow web content to open new windows with the browser's security UI hidden. Allowing this operation facilitates picture-in-picture attacks, where artificial chrome (usually indicating a positive security state) is supplied by the web content in place of the hidden UI.
Web user agents MUST prevent web content from overlaying chrome. User interactions that are perceived to deal with browser chrome must not be detectable for Web content.
Web user agents MUST NOT expose programming interfaces which permit installation of software, or execution of privileged code without a user intervention.
Web user agents MUST inform the user and request consent when web content attempts to install software outside of the browser environment. The interaction used MUST follow the requirements in 6.4.3 Warning/Caution Messages . Web user agents SHOULD NOT provide features which can be used by web content to install software outside of the browser environment without the user's consent. Web user agents MAY provide mechanisms for users to pre-consent to a class of software installations. Web user agents SHOULD inform the user when web content is installing software outside of the browser environment that is covered by a pre-consent.
Web user agents MAY inform the user when web content attempts to execute software outside of the agent environment, and MAY also request user consent, but SHOULD NOT do so unconditionally for all types of content or software. If the agent chooses to do this then it SHOULD do so for specific content types, software types, or security context based on risk.
Web user agents MUST NOT expose programmatic interfaces that allow bookmarking without explicit user consent. That consent MUST follow the requirements from 6.4.2 Notifications and Status Indicators .
Web user agents MUST NOT expose programmatic interfaces that allow bookmarking an URL that does not match the URL of the page that the user currently interacts with.
With visual user interfaces that use a windowed interaction paradigm, Web user agents SHOULD restrict the opening of pop-up windows from web content, particularly those not initiated by user action. Creating excessive numbers of new popup windows is a technique that can be used to condition users to rapidly dismissing dialogs. This can be employed in interaction flooding attacks.
Web user agents which offer this restriction SHOULD offer a way to extend permission to individual trusted sites. Failing to do so encourages users who desire the functionality on certain sites to disable the feature universally.
5.4.1 TLS errors leads to an additional exposure during the first TLS interaction with a site, even if that site uses validated or extended validation certificates: An active attacker can show a self-signed certificate, which will cause only weak warning signals to the user. Traditional web user agents react to this scenario with a dialogue box that interrupts the user's flow of interaction, but gives users the ability to override the security warning. Empirical evidence shows that this ability is typically exercised by users.
Countermeasures against this threat include the prior designation of high-value sites, for which extended validation or validated certificates are required (causing a stronger warning signal during the attack scenario described above), and communication of certification and TLS expectations by a mechanism separate from HTTP, e.g. through authenticated DNS records.
5.4.1 TLS errors refers to the pinning of a new certificate to a destination. Note that this newly pinned certificate could be the basis for a spoofing attack, or it could represent a refresh of an Self Signed Certificate.
The TLS Errors (5.4.1 TLS errors) section does not document intended behaviour for web user agents when a certificate status check fails for network or other non-revocation reasons. At time of writing, the deployment environment for OCSP status checking is fragile and subject to frequent failures, so it is inappropriate to require user agents to treat such failures as warnings or errors. However, this creates a possibility for attack: site operators using a fraudulently obtained, and revoked, certificate may attempt to attack a CA's revocation infrastructure as a way to suppress revocation errors. User agent countermeasures for this vulnerability include: exposing failures of certificate validation checks to users as warning (6.4.3 Warning/Caution Messages ) or danger (6.4.4 Danger Messages) level messages; or refusal to load sites that fail these checks.
While TLS certificates of all types (i.e. self-signed, validated, or augmented assurance) provide the means for strong encryption of communications, they should not be understood to be, or treated as, blanket security assurances. In particular, validated and AA certificates make guarantees about some level of owner identity verification having been performed (see definitions) but they do not represent any guarantees that a site is operated in a safe manner, or is not otherwise subject to attack. Historically, issues of security and identity have been conflated by user agent interfaces which present SSL/TLS connections as "secure," but implementors of this specification are advised to be cautious and cognizant of this distinction.
Several recommendations in this document concern themselves with the binding between domain names and certificates, but equally important for users is the binding between domain name/certificate and the actual real-world entity involved in the transaction. It is helpful, for example, to know not only that example.com presents a valid certificate, but also that it is the "Example Inc., Norway" with whom the user expects to be interacting. In the case of AA certificates, the identity information provided may be considered sufficient for this purpose, but non-AA validated certificates do not necessarily provide this real-world identity. User agents that wish to provide a mechanism for users to manually establish these linkages are advised to consider the petnames approach (see 5.1.6 Petnames).
Requirements in this document often involve warning (6.4.3 Warning/Caution Messages and 6.4.4 Danger Messages) messages when warranted by conditions in the user agent. However, it is important to be aware, when developing user interfaces, that users will habituate to over-frequent warnings, weakening the impact of the messages and their ability to effectively interrupt the user's task flow.
User agents are advised to constrain the number of warnings and errors presented to the minimum required to satisfy these and other security guidelines. It is also recommended that user agents phrase options in these messages in terms of the action taken (e.g. "Ignore this warning," "Trust this site") rather than using generic labels (e.g. "OK", "Cancel").
The Augmented Assurance indicator tells the user that the owner and author of the webpage being displayed can be identified using information from the associated augmented assurance certificate. Identity signals in this specification only directly address displaying the identity of the party responsible for the top level resource in a web page. User agents may choose to make the identities of other resources that can affect or control the page's content available, but we do not put forward a model for users on how they might use such information in their trust decisions.
The identity of the top level resource vouches for the content of all dependant resources. What resources these are is under the control of the top-level resource, which will typically identify these resources using URIs with domain based authority. Therefore, this specification requires that, in order to display any augmented assurance related indicators, dependent resources must all be strongly TLS protected using validated certificates.
If an augmented assurance page includes content from other strongly TLS-protected resources that are not identified by augmented assurance certificates, the authors for these third party parts of the document cannot be identified to the same extent as for the main document. Given that certain types of content, for example external scripts and styling can change the containing document's entire appearance, and framed content and plugins can be where the user's main interaction occurs, the user's real interaction may be with content under the control of a completely different party than the one identified by the main document's augmented assurance certificate.
Using third party content also makes the main document reliant upon the security of the third party contributor, and expands the available attack surface of the service, thus giving attackers several more lines of attack.