Copyright © 2008 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
The Web Security Context Working Group is publishing this document to provide a basis for initial review of and commentary on its work. The Working Group had taken an inclusive approach toward publishing various technical proposals in its First Public Working Draft. The Working Group has since decided to adopt a two-phase approach, and expects to take an initial set of proposals to Last Call in or around June 2008. Material that the Working Group does not expect to include with that Last Call has been moved into appendices. No claims as to the efficacy of usability-related material are made.
To facilitate access to relevant background, various sections of this document are annotated with references to input documents that are available from the Working Group's Wiki, and to pertinent issues that the group is tracking. The documents in the wiki include background, motivation, and usability concerns on the proposals that reference them. They provide important context for understanding the potential utility of the proposals.
This document was developed by the Web Security Context Working Group. The Working Group expects to advance this Working Draft to Recommendation Status.
Please send comments about this document to public-usable-authentication@w3.org (with public archive). For comments to be most useful, please follow these guidelines for writing useful issues.
Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
1 Overview
2 Acknowledgements
3 Conformance
3.1 Conformance
Model
3.2 Conformance
Labels
3.2.1 Conformance Labels for Web Content
3.2.2 Conformance Labels for Web User
Agents
4 Interaction and content model
4.1 Overview
4.2 Terms and
definitions
4.2.1 Common User Interface elements
5 Applying TLS to the Web
5.1 Certificate Handling and
Information
5.1.1 Interactively accepting trust anchors or
certificates
5.1.2 Augmented Assurance Certificates
5.1.3 Validated Certificates
5.1.4 Logotype Certificates
5.1.5 Self-signed Certificates and Untrusted Root
Certificates
5.1.6 Petnames
5.2 Types of
TLS
5.3 Mixed
Content
5.4 Error
conditions
5.4.1 TLS errors
5.4.2 Error Conditions based on Third Party or
Heuristic Information
5.4.3 Redirection chains
6 Indicators and Interactions
6.1 Identity
and Trust Anchor Signalling
6.1.1 Identity Signal
6.1.2 Identity Signal Content
6.2 Additional Security Context
Information
6.3 TLS
indicator
6.4 Error
handling and signalling
6.4.1 Common Error Interaction Requirements
6.4.2 Notifications and Status
Indicators
6.4.3 Warning/Caution Messages
6.4.4 Danger Messages
7 Robustness
7.1 Chrome
and User Interface Practices
7.1.1 Use Shared Secrets to Establish a
Trusted Path
7.1.2 Keep Security Chrome
Visible
7.2 Do not
mix content and security indicators
7.3 Managing User Attention
7.4 APIs
Exposed To Web Content
7.4.1 Obscuring or disabling
Security User Interfaces
7.4.2 Software Installation
7.4.3 Bookmarking APIs
7.4.4 Pop-up Window APIs
8 Authoring and deployment
best practices
8.1 Do not use security indicator
images to suggest trustworthiness
8.2 Use TLS
for Login Pages
8.3 Use TLS
Consistently across the web site
8.4 Redirects between Pages with Different
Security Levels
8.5 Security Experience Across
Devices
8.6 Good Practices for the Creation of
Audio Logotypes
9 Security
Considerations
9.1 Active
attacks during initial TLS interactions
10 Acknowledgments
11 References
A Safe Web Form
Editor
A.1 Associating a history with a web
site
A.2 No
support for non-TLS data exchange
A.3 Creating a
new relationship
A.4 Reliable Text
A.5 Selection
of a text string
A.6 On
screen masking of a text string
A.7 Editing
the stored history
A.8 Picture-in-picture
defense
A.9 Detecting a
possible Man-In-The-Middle attack
B Usage Modes
B.1 Framework
B.2 Safe Browsing
Mode
C Security Confidence
Estimate
This specification deals with the trust decisions that users must make online, and with ways to support them in making safe and informed decisions where possible.
In order to achieve that goal, this specification includes recommendations on the presentation of identity information by Web user agents; on handling errors in security protocols in a way that minimizes the trust decisions left to users, and (we hope) induces them toward safe behavior where they have to make these decisions; and on data entry interactions that (we hope, again) will make it easier for users to enter sensitive data into legitimate sites than to enter them into illegitimate sites.
Where this document specifies user interactions with a goal toward making security usable, no claim is made at this time that this goal is met: As noted in the Status of this Document section, this is an initial draft to trigger discussion and commentary; assume that what is proposed here is untested.
To complement the interaction and decision related parts of this specification, 7 Robustness addresses the question of how the communication of context information needed to make decisions can be made more robust against attacks.
Finally, 8 Authoring and deployment best practices is about practices for those who deploy Web Sites. It complements some of the interaction related techniques recommended in this specification. The aim of this section is to provide guidelines for creating Web sites with reduced attack surfaces against certain threats, and with usefully provided security context information.
This specification comes with two companion documents: [WSC-USECASES] documents the use cases and assumptions that underly this specification. [WSC-THREATS] documents the Working Group's threat analysis.
Interaction glossary?ISSUE-118
This section is normative.
Normative material in this specification is marked explicitly.
This specification defines (a) requirements for user interactions and interfaces that are exposed by Web user agents and (b) good practices for Web Content. Requirements for both are phrased in terms of the definitions and concepts found under 4 Interaction and content model, and in terms of the definitions and concepts found under 5 Applying TLS to the Web. These sections are normative, and part of compliance requirements.
Sections that specify requirements for products are clearly marked with the class of product that they apply to. Preconditions that conforming products need to fulfill for the requirement to be applicable are identified. In addition to requirements, the specification includes implementation techniques. These are labelled as NECESSARY (a technique MUST be implemented in order for a product to conform with the requirement) or SUFFICIENT (a technique MAY be implemented, and implementation leads to conformance).
Throughout the specification, the RFC 2119 [RFC2119] keywords MUST, MUST NOT, SHOULD, SHOULD NOT, MAY are applied, with their respective meanings.
Some conformance requirements might actually lead to usability testing as a prerequisite to claiming conformance. Is that a good idea, and how do we deal with it? See also ISSUE-112.
This section is a placeholder for a more detailed explanation of what conformance with this specification will mean for Web Content and for Web User Agents.
To be written.
To be written.
How do our definition of Web Page and the Robustiness section interact? ISSUE-133
This specification assumes a human user interacting with a Web user agent, interacting with Web resources. Many of the requirements specified are focused on the presentation of security context information to the user, and therefore directly relate to user interfaces. Where requirements or techniques are specific to certain modalities, these are made explicit, and are part of the preconditions for applying the requirement or technique.
When this specification speaks of a "Web user agent" to describe the application through which a user interacts with the Web, then this term is used on a conceptual level: No assumption is made about implementation details; the "Web user agent" may denote a combination of several applications, extensions to such applications, operating system features, and assistive technologies.
This specification makes no specific assumption about the content with which the user interacts, except for one: There is a top-level Web page that is identified by a URI [RFC3986]. This Web page might be an HTML frameset, an application running on top of a proprietary run-time environment, or a document in a format interpreted by plug-ins or external systems served as part of a Web interaction. The page's behavior might be determined by scripting, stylesheets, and other mechanisms.
Some requirements are expressed in terms of user interface components commonly found in current-generation Web user agents.
4.2 Terms and definitions is expected to be consistent with the Web Content Accessibility Guidelines Version 2, [WCAG20].
The definitions in this section are normative. The examples are informational.
[Definition: A Web User Agent is any software that retrieves and presents Web content for users.]
[Definition: A Web Page is a resource that is referenced by a URI and is not embedded in another resource, plus any other resources that are used in the rendering or intended to be rendered together with it.]
This section defines terms for user interface elements commonly present in Web User Agents. These definitions are normative.
[Definition: Primary User Interface denotes the portions of a Web user agent's user interface that are are available to users without being solicited by a user interaction.]
Examples of primary user interface include the location bar in common desktop Web user agents, the "padlock" icon present in common desktop Web user agents, or error pages that take the place of a Web page that could not be retrieved.
[Definition: Secondary User Interface denotes the portions of a Web user agent's user interface that are available to the user after they are solicited by a specific user interaction.]
Examples of secondary user interface include the "Page Information" dialogue commonly found in desktop Web user agents, and the "Security Properties" dialogue that can obtained by clicking the padlock icon in common desktop Web user agents.
[Definition: Location Bar is a widget in a Web user agent's user interface which displays (and often allows input of) the textual location (entered as a URL) of the resource being requested (or displayed - after the response is received).]
Please refer to the following entries in the Working Group's Wiki for relevant background information: WhatIsASecurePage
This section is normative.
Public key certificates (see [RFC3280]) are widely used in TLS, but have been the basis for the generation of many inappropriate warnings and other dialogs for users. This section describes some modifications to current certificate processing aimed at improving this aspect of handling web security context and defines some new terms describing various cases related to certificate handling in Web user agents.
Web user agents can base their acceptance of certificates that are presented by Web servers on various sources, including user action, previous interactions involving the same certificate, or, as more traditionally assumed, on validation of a certificate chain where each certificate is issued by a Certification Authority (CA). The practices used by CAs (and the information attested to) vary by CA and are not available in any useful sense to Web user agents.
A trust anchor represents an authoritative entity represented via a public key and associated data. The public key is used to verify digital signatures and the associated data is used to constrain the types of information for which the trust anchor is authoritative. Relying parties use trust anchors to determine if digitally signed information objects are valid by verifying digital signatures using the trust anchor's public key and by enforcing the constraints expressed in the associated data.
Trust anchor installation is typically handled by Web user agent vendors and systems administrators, based on out-of-band information. Note that trust anchor update is therefore often handled as part of Web user agent or operating system software update.
However, current Web user agents sometimes support the interactive acceptance of a trust anchor during a session, based on user interaction. Most users cannot sensibly decide how to handle such interactions.
Similarly, end-entity (e.g. web server) certiicates that cannot be currently verified using the Basic Path Validation algorithm may trigger current Web user agents to offer the user a choice to accept the certifiate in any case, sometimes for a single session, sometimes for all future sessions involving that certificate.
[Definition: A trust anchor or certificate is interactively accepted if the acceptance was caused through a user interaction that happens whlie the user is focused on a primary task unrelated to trust and certificate management.]
For example, if a web server certificate is presented for acceptance by a user during ordinary Web interactions, and is accepted by the user, then this matches the test for interactive acceptance. If, however, a systems administrator (or user) adds a trust anchor's certificate to a browser's store of trust roots, then that certificate is not considered accepted interactively.
Please refer to the following entries in the Working Group's Wiki for relevant background information: RecommendationDisplayProposals/EVCerts
Let others besides industry define AAC criteria. ISSUE-134
Some trust anchors adhere to broadly accepted industry standards (e.g. [EVTLSCERT]) that involve some level of guarantee that certificates chaining up to those roots embody augmented assurance and can therefore be treated more favourably in terms of the primary security indicators. In order to allow a Web user agent to provide such special treatment, the trust anchor, and possibly all certificates in a path chaining up to such a trust anchor may need to be specially marked, e.g. through the use of specific policy object identifiiers.
The specific marking mechanisms to be used and the special treatment to be afforded to such certificates are out of scope of this document but will typically be covered by the underlying augmented assurance specification. Web user agent implementers determine the set of such standards that they support and the associated special treatment to apply, other than as outlined below, where we impose some consistency requirements on the handling of this type of certificate.
Web user agents MUST establish that a trust anchor is [Definition: AA-qualified ] through some out of band mechanism consistent with the relevant underlying augmented assurance specification.
Marking a trust anchor as AA-qualified is a security-critical step and most often will involve the use of some application-specific out-of-band mechanism.
Implementations MUST NOT enable users to designate trust roots as AA-qualified as part of a different interaction. Implementations MAY make user interfaces available for the purpose of designating AA-qualified trust roots. Such user interfaces MUST be focused on this specific task. In particular, the notions of an AA-qualified trust root and an interactively accepted trust root are mutually exclusive.
[Definition: An Augmented Assurance Certificate (AAC) is a public key certificate where the issuer asserts that the subject entity has been authenticated by means of some process that adheres to the requirements of an augmented asurance specification supported by the Web user agent. The certificate chain for such a certificate MUST be validated up to a trust root that is recognized as AA-qualified by the user agent.]
To derive a human-readable subject name from an AAC, user agents MUST use the Subject field's Organization (O) attribute.
If the certificate's Subject field does not have an Organization attribute, then user agents MUST NOT consider the certificate as an augmented assurance certificate, even if it chains up to an AA-qualified trust root. User agents MAY consider such a certificate as an ordinary validated certificate.
The term [Definition: validated certificate ] is used to denote a public key certificate that has been verified by chaining up to a locally configured trust anchor. The set of trust anchors used by a given Web User agent is implementation-dependent.
Since Augmented Assurance Certificates chain up to a "special" trust anchor, all valid Augmented Assurance Certificates are also validated certificates.
Self-signed certificates and certificates that chain up to untrusted root certificates, even if pinned to a particular destination, are not considered validated certificates.
Please refer to the following entries in the Working Group's Wiki for relevant background information: RecommendationDisplayProposals/Letterhead
RFC 3709 [RFC3709] defines a certificate extension to embed three kinds of logotypes with an X.509 certificate, for use with public key certificates [RFC3280] or attribute certificates [RFC3281].
[Definition: The Community logotype is a logotype that identifies a community.]
[Definition: The Issuer Organization logotype is a logotype that identifies the organization that issued the certificate.]
[Definition: The Subject Organization logotype is a logotype that identitifies the organization to which the certificate was issued.]
Logotype certificates that are validated, are considered validated certificates.
Where this specification suggests or mandates the rendering of (either audio or visual) logotypes, the logotype is chosen as follows:
When the logotype information is derived from an augmented assurance certificate, then the subject logotype MUST be rendered, if present.
Otherwise, when the logotype information is derived from a validated certificate, then the issuer logotype MUST be rendered, if present.
Note that an augmented assurance certificate that does not include a subject logo will cause the issuer logotype, if present, to be rendered.
The rendering of audio logotypes SHOULD be limited to a short amount of time, and clearly separate from any rendering of other security context information. In particular, user agents MAY shorten audio logotypes for playback. When a user agent will both display visual logotype information as well as emit/play audio logotype information, the user agent MUST ensure that the display/play of these two forms are time-synchronized so that the start times of their display/play coincides visibly and audibly.
Self-signed certificates (SSC) are commonly used for appliances and web sites catering to small groups of users, and essentially serve as a container for cryptographic key material in a key exchange that is not verified by any third party. Custom root certificates which are not part of the user agent's store of trust roots (technically, another instance of self-signed certificates, but at the top of a nontrivial certificate chain) are used similarly.
In both situations, use of TLS provides confidentiality protection services against passive attackers. No binding of a third-party asserted identity to the cryptographic key is achieved. In both cases, the certificates are not considered validated certificates.
If a Web site consistently presents the same self-signed certificate (or the same certificate chaining up to the same untrusted root) to a client, then this can be strong evidence that protection against an active attacker has been achieved as well. Conversely, a change of certificates for the same site can be evidence that a man in the middle attack occurs -- or it can be a symptom that the legitimate site has changed to a different certificate.
Web user agents MAY support [Definition: pinning] a self-signed certificate or more generally a certificate chain that leads to an untrusted root certificate to a particular Web site, to enable behavior based on recorded state about certificates shown previously by the same site. Such behavior includes, e.g., warning users about changes of certificates, and not showing warning messages if a site shows a certificate consistent with previous visits.
The interaction that enables users to pin a certificate to a destination SHOULD NOT cause a self-signed certificate to be pinned to more than one site, identified through URI scheme, domain, and port. The interaction MUST NOT cause an untrutsed root certificate to be accepted automatically for additional sites. It SHOULD enable users to assign a petname to the site.
For TLS-secured pages, the user MAY assign the authenticated entity a [Definition: petname]. If the web page uses a validated certificate, this assignment MUST create a binding from the petname to each of the host identifiers the certificate is valid for. These identifiers are found in the CN attribute and the subjectAltNames attribute, as specified in [RFC2818]. If the Web page uses a pinned self-signed certificate or certificate chain, this assignment MUST create a binding from the petname to the pinned destination only. It MUST NOT create a binding from the petname to any other destination.
To discover the petname that corresponds to the entity that is authenticated through a validated certificate, user agents MUST use identifiers from the certificate only. In particular, when the certificate includes domain name wildcards, then the same petname will be associated to all sites that present a validated certificate which includes the same wildcard.
Presentation of a petname MUST support renaming and deleting of a petname binding.
When the user assigns a petname, the petname presentation implementation MUST warn the user if the chosen petname is similar to one currently in use. The meaning of similar is up to the implementation, but MUST at least include an identical petname.
A web user agent that supports petnames MUST also support a presentation of bookmarks that presents the association between each bookmark and the petname of the hosting site. If the hosting site could be assigned a petname, but the user has not yet done so, the presentation MUST present those bookmarks as being associated with a distinct, but not yet petnamed site. If the hosting site cannot be assigned a petname, because the hosting site does not support the previously established constraints for assignment of a petname, the presentation MUST indicate so. This bookmark presentation MUST support assignment, renaming and deletion of petnames.
The most common mechanism for applying TLS to the Web is
the use of the https URI scheme [RFC2818]; the alternative upgrade
mechanism [RFC2817] is used
rarely, if at all. For the purposes of this specification,
the most relevant property of [RFC2818] is that the URI used to
identify a resource includes an assertion that use of TLS
is desired.
This specification uses the term [Definition: HTTP transaction ] regardless of
whether any kind of TLS protection was applied; in
particular, the transactions arising when an
https URL is dereferenced are subsumed under
this term.
[Definition: (normative) An HTTP transaction is TLS-protected if an upgrade according to [RFC2817] is performed successfully, or if the resource was identified through a URL with the https URI scheme, the TLS handshake was performed successfully, and the HTTP transaction has occured through the TLS channel.]
Note that an HTTP transaction may be considered
TLS protected
even though weak algorithms (including NULL
encryption) are negotiated.
[Definition: (normative) An HTTP transaction is strongly TLS-protected if it is TLS-protected, an https URL was used, strong TLS algorithms were negotiated for both confidentiality and integrity protection, and one of the following conditions are true:]
If we are react to certs that don't match a URL then we need a well defined matching rule. This should probably be solved by way of some appropriate normative references. ISSUE-106, ISSUE-121
TLS modes that do not require the server to show a
certificate (such as the DH_anon mode) do not
lead to a strongly TLS-protected transaction.
[Definition: (normative) Strong TLS algorithms are defined as the algorithms recommended by ref-ALGORITHMS.]
What reference should we have here? ISSUE-128
[Definition: (normative) An HTTP transaction is weakly TLS-protected if it is TLS-protected, but strong TLS protection could not be achieved for one of the following reasons:]
DH_anonWeakly TLS-protected interactions may provide security services such as confidentiality protection against passive attackers, or integrity protection against active attackers (without confidentiality protection). These properties are often desirable, even if strong TLS protection cannot be achieved.
If a given Web page consists of a single resource only, then all content that the user interacts with has security properties derived from the HTTP transaction used to retrieve the content.
[Definition: A Web page is called TLS-secured if the top-level resource and all other resources that can affect or control the page's content and presentation have been retrieved through strongly TLS protected HTTP transactions. ]
[Definition: A Web page is called mixed content if the top-level resource was retrieved through a strongly TLS protectd HTTP transaction, but some dependent resources were retrieved through weakly protected or unprotected HTTP transactions.]
This definition implies that inline images, stylesheets, script content, and frame content for a secure page need to be retrieved through strongly TLS protected HTTP transactions in order for the overall page to be considered TLS-secured.
This section covers TLS-related error conditions, and maps them to the classes of error handling interactions (see 6.4 Error handling and signalling) that are used when these conditions arise.
If multiple error conditions apply, the most severe signalling level SHOULD be used, as defined in 6.4 Error handling and signalling.
When, for a TLS-protected HTTP connection, the certificate chain presented by the server does not lead to a trusted root certificate, and the certificate chain presented was not pinned to the destination at hand, the following applies:
When certificate information is presented in these interactions, human-readable information derived from the certificates (e.g., Common Name or Organization attributes) in question MUST NOT be presented as trustworthy.
The following paragraph takes up the relaxed path validation idea.
When, for a TLS-protected HTTP connection, the certificate presented is found to have been revoked, error signalling of class danger (6.4.4 Danger Messages) MUST be used. If certificate status checks are performed by a user agent, and a certificate is found to be outside its validity period, then the certificate MUST be considered revoked. Otherwise, the fact that a certificate is outside its validity period SHOULD be communicated using error signalling of class warning (6.4.3 Warning/Caution Messages ).
When certificate status checks are attempted, but failed due to network errors or related error conditions, the following applies:
When the URL corresponding to the transaction at hand does not match the certificate presented, and a validated certificate is used, then error signalling of level warning or above (6.4.3 Warning/Caution Messages , 6.4.4 Danger Messages) MUST be used.
If TLS negotiation otherwise fails, error signalling of level danger (6.4.4 Danger Messages) MUST be used.
The requirements in this section do not require user agents to store information about past interactions longer than they otherwise would. Historical TLS information stored for the purposes of evaluating security relevant changes of behavior MAY be expunged from the user agent on the same schedule as other browsing history information. Historical TLS information MUST NOT be expunged prior to other browsing history information. For purposes of this requirement, browsing history information includes visit logs, bookmarks, and information stored in a user agent cache.
User agents that use third party services or heuristic approaches to assess the possible danger of a pending Web transaction MUST use error signalling of class danger (6.4.4 Danger Messages) to signal positively identified dangers, e.g., identified malicious downloads or exploits of user agent vulnerabilities.
To signal risks that are identified with high likelihood, but involve further user decisions (e.g., phishing heuristics were triggered), error signalling of class warning or above (6.4.3 Warning/Caution Messages , 6.4.4 Danger Messages) MUST be used.
When users follow hyperlinks, user agents are often presented with a chain of redirections, maybe based on HTTP codes, maybe based on scripting. In some situations, the link might be located on a TLS-secured page, yet, the chain of redirects involves plain HTTP, or weakly TLS-protected HTTP transactions, thereby leading to additional exposure, with a high potential for user confusion.
Web user agents MUST signal an error of class warning or above (6.4.3 Warning/Caution Messages , 6.4.4 Danger Messages) when a user interaction with a TLS-secured page causes dereferencing of a URL that leads to a chain of Web transactions that:
Note that this applies whether or not the resource in which the non-interactive chain of redirections terminates is TLS protected in any manner. In particular, even if the retrieval of the final resource in the chain of redirections is strongly TLS protected, clients MUST signal an error. Also note that this section is not limited to HTTP level redirection mechanisms; it also covers redirections that are caused by scripting or HTML constructs.
This section does not apply to situations in which, e.g., an HTML form is served by way of a strongly TLS protected transaction, but the user's input is submitted through plain HTTP.
Please refer to the following entries in the Working Group's Wiki for relevant background information: IdentitySignal
This section specifies practices for signalling information about the identity of the Web site a user interacts with. All signals specified in this section are passive. No claim is made about the effectiveness of these signals to counter impersonation attacks.
This section is normative. Examples are informational.
Web user agents MUST make information about the [[identity]] of the Web site that a user interacts with available. This [Definition: [[identity signal]] ] SHOULD be part of primary user interface during usage modes which entail the presence of signalling to the user beyond only presenting page content. Otherwise, it MUST at least be available through secondary user interface. Note that there may be usage modes during which this requirement does not apply: For example, a Web browser which is interactively switched into a no-chrome, full-screen presentation mode need not preserve any security indicators in primary user interface.
If a positive form of identity is available, the identity signal MUST be part of primary user interface when any identity sources that are from unauthenticated or untrusted sources are (also) part of the primary user interface. These sources include URLs.
User interactions to access this identity signal MUST be consistent across all Web interactions facilitated by the user agent, including interactions during which the Web user agent has no trustworthy information about the [[identity]] of the Web site that a user interacts with. In this case, user agents MUST indicate that no information is available.
User agents with a visual user interface that make the identity signal available in primary user interface SHOULD do so in a consistent visual position.
Please refer to the following entries in the Working Group's Wiki for relevant background information: RecommendationDisplayProposals/Letterhead
This section is normative. Examples are informational.
Information displayed in the identity signal MUST be derived from validated certificates, or from user agent state. Web user agents MUST NOT use information as part of the [[identity signal]] that is taken from unauthenticated or untrusted sources.
During interactions with a TLS-secured Web page for which a petname has been defined, the identity signal MUST include that petname.
During interactions with a TLS-secured Web page for which the top-level resource has been retrieved through a strongly TLS-protected interaction that involves an augmented assurance certificate, the following applies:
The identity signal MUST include human-readable information about the certificate subject, derived as specified in 5.1.2 Augmented Assurance Certificates, to inform the user about the owner of the Web page, unless a petname is displayed.
For Web user agents that use a visual user interface capable of displaying bitmap graphics the identity signal MAY include display of a suitable logotype, selected according to the rules in 5.1.4 Logotype Certificates.
Web user agents that use sound to communicate with the user MAY render an audio logotype that is embedded in the certificate using the logotype extension, according to the requirements in 5.1.4 Logotype Certificates.
The text below applies to any domain validated cert, including AA certs. This means that the experience for AA certs is more cluttered.
During interactions with a TLS-secured Web page for which the top-level resource has been retrieved through a strongly TLS-protected interaction that involves an validated certificate (including an augmented assurance certificate), the following applies:
If the identity signal does not include any other human readable information about the identity of the certificate subect (derived, e.g., from an augmented assurance certificate or a petname), then it MUST include an applicable DNS name retrieved from the subject's Common Name attribute or from a subjectAltName extension.
The identity signal MUST include the Issuer field's Organization attribute to inform the user about the party responsible for that information.
Subject logotypes derived from certificates SHOULD NOT be rendered, unless the certificate used is an augmented assurance certificate.
Note that this behavior does not apply when self-signed certificates or certificate chains that chain up to an untrusted root certificate are used.
During interactions with a mixed content Web page, the identity signal MUST NOT include any positive indicators exceeding those in use for unprotected HTTP transactions. In this situation, the identity signal MAY include indicators that point out any error conditions that occurred.
During interactions with mixed content, Web user agents MUST NOT render any logotypes derived from certificates.
Please refer to the following entries in the Working Group's Wiki for relevant background information: PageInfoSummary
Use Cases etc. Public Comment from IEEE Al Gilman on Presentation Structure?ISSUE-41
When security context information is in secondary chrome alone, it will NOT affect user behavior if they do not drill down to it. Studies [WHALENEVIDENCE][XIA] have indicated that users are less likely to examine secondary chrome or take proactive steps to look for contextual information.
Should users be able to reconfigure primary chrome? ISSUE-116 (I think there was discussion of dropping this).
ISSUE-141 tracks more discussion of this part of the specification.
This section is normative.
Web user agents MUST provide additional security context information as described in this section through one or more user-accessible information sources. These information sources can be implemented in either primary or secondary user interface. Where security context information is provided in both primary and secondary chrome, the presentation and semantics of the presented information MUST be consistent.
The information sources MUST make the following security context information available:
The information sources SHOULD make the following security context information available:
Additionally, the information sources MAY make the following security context information available:
User agents that provide information about the presence or absence of Cookies [RFC2965] MUST NOT make any claims that suggest that the absence of cookies implies an absence of any user tracking, as there are numerous tracking and session management techniques that do not rely on Cookies.
Web user agents MUST make information about the state of TLS protection available. The [Definition: TLS indicator] SHOULD be part of primary user interface during usage modes which entail the presence of signalling to the user beyond only presenting page content. Otherwise, it MUST at least be available through secondary user interface. Note that there may be usage modes during which this requirement does not apply: For example, a Web browser which is interactively switched into a no-chrome, full-screen presentation mode need not preserve any security indicators in primary user interface.
User interactions to access the TLS indicator MUST be consistent across all Web interactions. This includes when TLS has not been used to protect those interactions. In this case, web user agents SHOULD indicate the interaction was not TLS protected. User agents with a visual user interface that make the TLS indicator available in primary user interface SHOULD do so in a consistent visual position.
The TLS indicator MUST present a distinct state that is used only for TLS-secured Web pages. The User Agent SHOULD inform users when they are viewing a page that, along with all dependent resources, was retrieved through at least weakly TLS protected transactions, including mixed content.
The user agent MAY accomplish this by using a third state in the TLS indicator, or via another mechanism (such as a dialog, infobar, or other means).
Please refer to the following entries in the Working Group's wiki for background information: CertErr
This section defines common error interaction requirements and, ordered by increasing severity, practices to signal the following classes of errors:
Error signalling that occurs as part of primary chrome SHOULD be phrased consisely when using natural language.
Primary chrome error messages MUST NOT include technical jargon. They SHOULD NOT refer the user to enter the destination site that caused the error, e.g., to provide feedback or obtain assistance. For error messages that interrupt the user's flow of interaction, user agents SHOULD enable the user to easily return to the user agent state prior to initiation of the last user interaction that led to the error signal.
For advanced users, error interactions SHOULD have an option for advanced users to request a detailed description of the condition that caused the interaction to occur.
The error interactions characterized in this section are intended to communciate security context information, and therefore MUST fulfill relevant requirements in 7.1 Chrome and User Interface Practices.
Notifications and status indicators are used when the browser cannot accurately determine a security risk based on the current security context information available. These indicators SHOULD also be used for situations in which the risk level may vary based on user preference.
For visual user agents, notifications and status indicators MUST be displayed in the user agent's persistent primary chrome. These indicators MUST NOT force user interaction (e.g., forcing the user to click a button to continue the primary task). They MUST include a succinct textual description of their meaning.
Warning / Caution messages MUST be used when the system has good reason to believe that the user may be at risk based on the current security context information, but a determination cannot positively be made. These warnings SHOULD be used if the likelihood of danger is present, but cannot be confirmed.
Warning / Caution messages MUST interrupt the user's current task, such that the user must acknowledge the message.
For user agents with a visual user interface, headings of these warnings MUST include words meaning "caution" or "warning". The headings of these warnings MUST be the locus of attention.
Warning / Caution messages MUST provide the user with distinct options how to proceed (i.e., these messages MUST NOT lead to a situation in which the only option presented to the user is to dismiss the warning and continue). The options presented on these warnings MUST be descriptive to the point that their meanings can be understood in the absence of any other information contained in the warning interaction. These warnings SHOULD include one recommended option, and a succinct text component denoting which option is recommended. In the absence of a recommended option, the warning MUST present the user with a method of finding out more information (e.g., a hyperlink, secondary window, etc) if the options cannot be understood.
Danger Messages MUST be used when there is a positively identified danger to the user (i.e., not merely a risk).
The interactions communicating these messages MUST be designed such that the user's task is interrupted.
For visual user agents, these interactions MUST be presented in a way that makes it impossible for the user to view or interact with the destination web site that caused the danger situation to occur. The headings of these warnings MUST include a word meaning "danger." The heading MUST be the locus of attention.
This section documents best practices for user interfaces that are used to communicate security critical information.
A trusted path can be established between a web user agent or web site and the user through the use of a secret shared between the user and the agent or site. The shared secret may be an image selected by the user, or can be another type of secret (e.g., text or audio) to meet accessibility requirements. If the shared secret is difficult to guess, it is difficult to exactly emulate, so robust against that aspect of spoofing attacks. Having such a trusted path will not ensure that all users do not fall for phishing attacks (see Emporer's New Security Indicators [EMPEROR]), but known attacks against these trusted paths do not include spoofing.
Web user agents that proactively present security context information to the user (or a channel presumed to eventually lead to the user, such as accessibility aides) MAY accept some presentation information from the user, and associate that information with parts of the user interface that are intended or commonly used to communicate trust information to users.
Techniques to implement this practice for visual user agents include giving the user a selection of backgrounds, skins, or tartans, and customize the graphical look of the web browser with them. Knowing the set of secrets the user can choose from can increase the attackers ability to spoof them, particularly if a small subset is popular. Another technique is to take user specific graphics and use them the same way. If a malicious site can get the user to customize it the same way, it might be possible for the site to spoof the browser.
Techniques for user agents that expose a voice-based user interface include chosing different voices for the presentation of Web content and security context information.
For visual user agents, in usage modes in which browser chrome is used to signal security context information, that chrome should always be visible during interactions with Web content.
This requirement is scoped to a specific interaction: When multiple Web pages might be displayed, security critical chrome need not be present for those with which the user is not currently interacting. However, chrome used to communicate security context information that relates to the currently interacted Web page must always remain on the screen.
Please refer to the following entries in the Working Group's Wiki for relevant background information: FavIcon,
Certificates can be a source of untrusted information that is controlled by the attacker. ISSUE-104
We currently have no material concerning the mixing of security information and context in non-visual environments. Is there a useful generalization of the requirement to non-visual UIs? Are there problematic known cases similar to the location bar favicon mix known for, e.g., screen readers? ISSUE-115
To the extent to which users pay attention to passive security indicators at all, noticing and understanding them is made difficult to impossible when the same signal path that is commonly used for security indicators can also be controlled by Web content. For example, the location bar commonly found on desktop browsers is often used to both display the "padlock" security indicator, and a possible "favorite icon" [FAVICON], which can in turn be a simple copy of the very padlock an informed and attentive user might look for.
Web User Agents MUST NOT communicate trust information using user interface elements which can be mimicked within chrome under the control of web content. Site-controlled content (e.g. page title, favicon) MAY be hosted in chrome, but this content MUST NOT be displayed in a manner that confuses hosted content and chrome indicators. This requirement applies to both primary and secondary elements of visual user interfaces.
In particular, Web User Agents SHOULD NOT use a 16x16 image in chrome to indicate security status if doing so would allow the favorite icon to mimic it.
When confronted with multiple modal interactions during a short amount time, users are known to exercise the default option (e.g., by pressing the Return key repeatedly) until the sequence of modal interactions stops blocking the user's intended interaction.
[Definition: An Interaction flooding attack refers to a website with the malicious intent of performing an unintended action (eg. installing software that would have required an user intervention such as clicking OK on a warning dialog) or by exploiting distraction and task-focus. The website opens a large number of new windows over the desired web content and the malicious action is performed when the user tries to close these new windows and/or clicks on a dialog that indicates a trust decision.]
User interfaces used to inform users about security critical events or to solicit comment MUST employ techniques that prevent immediate dismissal of the user interface, e.g., by using a temporarily disabled "OK" button on user interfaces that make such an interaction paradigm available. When users interact with security relevant notifications (6.4.3 Warning/Caution Messages and above), interactions caused by Web content MUST NOT be granted control of the user agent's interaction.
User agents commonly allow web content to perform certain manipulations of agent UI and functionality such as opening new windows, resizing existing windows, etc. to permit customization of the user experience. These manipulations need to be constrained to prevent malicious sites from concealing or obscuring important elements of the browser interface, or deceiving the user into performing dangerous acts. This section includes requirements and techniques to address known attacks of this kind.
Web user agents MUST prevent web content from obscuring, hiding, or disabling security user interfaces.
Techniques to implement this requirement include:
Web user agents SHOULD restrict window sizing and moving operations consistent with 7.1.2 Keep Security Chrome Visible. This prevents attacks wherein browser chrome is obscured by moving it off the edges of the visible screen.
Web user agents SHOULD NOT allow web content to open new windows with the browser's security UI hidden. Allowing this operation facilitates picture-in-picture attacks, where artificial chrome (usually indicating a positive security state) is supplied by the web content in place of the hidden UI.
Web user agents MUST prevent web content from overlaying chrome. User interactions that are perceived to deal with browser chrome must not be detectable for Web content.
Web user agents MUST NOT expose programming interfaces which permit installation of software, or execution of privileged code without a user intervention.
Web user agents MUST inform the user and request consent when web content attempts to install software outside of the browser environment. The interaction used MUST follow the requirements in 6.4.3 Warning/Caution Messages . Web user agents SHOULD NOT provide features which can be used by web content to install software outside of the browser environment without the user's consent. Web user agents MAY provide mechanisms for users to pre-consent to a class of software installations. Web user agents SHOULD inform the user when web content is installing software outside of the browser environment that is covered by a pre-consent.
Web user agents MAY inform the user when web content attempts to execute software outside of the agent environment, and MAY also request user consent, but SHOULD NOT do so unconditionally for all types of content or software. If the agent chooses to do this then it SHOULD do so for specific content types, software types, or security context based on risk.
Web user agents MUST NOT expose programmatic interfaces that allow bookmarking without explicit user consent. That consent MUST follow the requirements from 6.4.2 Notifications and Status Indicators .
Web user agents MUST NOT expose programmatic interfaces that allow bookmarking an URL that does not match the URL of the page that the user currently interacts with.
This was originally "the URL in the location bar". The link between the URL in the location bar and the one the user interacts with is important, but it probably belongs in 6.1-ish parts of the spec.
With visual user interfaces that use a windowed interaction paradigm, Web user agents [[MAY | SHOULD]] restrict the opening of pop-up windows from web content, particularly those not initiated by user action. Creating excessive numbers of new popup windows is a technique that can be used to condition users to rapidly dismissing dialogs. This can be employed in interaction flooding attacks.
Web user agents which offer this restriction SHOULD offer a way to extend permission to individual trusted sites. Failing to do so encourages users who desire the functionality on certain sites to disable the feature universally.
Ensure that the information on HTTPs page doing a HTTP submit is covered here. ISSUE-107
POST triggered via JavaScript? ISSUE-110
WhatIsASecurePage not fully incorporated ISSUE-145
Be clearer about security indicator images ISSUE-161
This specification does not consider the scenario when a FORM on a TLS protected page is submitted via HTTP, as a change in security level.
Web content MUST NOT use visual representations of Web user agent security indicators to suggest trustworthiness.
Renderings of Web user agent trust indicators (e.g., copies of common padlock icons) are occasionally used as part of a messaging that tries to suggest trustworthiness to users. While these indicators are often surprisingly successful messaging tools, that success comes at a price: It trains users to give indicators in content precedence over indicators in chrome. This lessens the effectiveness of any chrome indicators for the sites that re-use them as part of their content; it also has a broader training effect that can be capitalized upon by bad actors.
Web pages MUST use TLS, or similar protection, to protect both the solicitation and transmission of secrets, such as passwords, against disclosure to unauthorized parties.
If a web application solicits a secret, such as a password, over TLS, then it MUST always transmit that secret using that level of protection or better. Any derived secret that convey a similar level of authority as the original secret it MUST also be protected at the same level as the original secret. Other derived secrets SHOULD also be given the same protection. Sensitive transactions also MUST be protected using the same level of protection.
In a web-application, a secret may be used to authorize a transaction. The details of that transaction SHOULD also be transmitted using the same level of protection afforded the secret itself.
SHOULD NOT or MUST NOT in what follows?
Web sites SHOULD NOT serve mixed content, e.g., scripts or images served through plain HTTP connections when they control the appearance of a Web page served through TLS.
Web Sites that require their users to be directed from an insecure web page to a secure web page MUST do it as a single step rather than multi-step (redirect to an unsecure page and then redirect again to a secure page). Web pages MUST use direct links to a secure page rather than using redirects.
Web Sites MUST NOT use unsafe redirection chains involving unsecured HTTP connections to navigate users from one secure page to another one. Instead, navigation within a secure site MUST use a consistent level of protection.
Web content SHOULD be designed to enable a consistent security user experience across different user agents and devices. Web site owners SHOULD perform tests of the TLS security and trust features of their site on various devices.
Web site owners operating TLS-protected sites should anticipate the use of those sites from mobile devices which may have constrained capabilities e.g. diverging sets of trust anchors or limited cryptographic mechanisms.
Audio logotypes embedded with certificates should be designed to minimize possible listener confusion and the time that their rendering takes. Specifically, audio logotypes SHOULD NOT include spoken text. Audio logotypes MAY include short musical phrases.
Can XQuery/XPath contribute to attack vectors? ISSUE-3
Content retrieved by FTP
ISSUE-46.4 Error handling and signalling leads to an additional exposure during the first TLS interaction with a site, even if that site uses validated or extended validation certificates: An active attacker can show a self-signed certificate, which will cause only weak warning signals to the user. Traditional web user agents react to this scenario with a dialogue box that interrupts the user's flow of interaction, but gives users the ability to override the security warning. Empirical evidence shows that this ability is typically exercised by users.
Countermeasures against this threat include the prior designation of high-value sites, for which extended validation or valicated certificates are required (causing a stronger warning signal during the attack scenario described above), and communication of certification and TLS expectations by a mechanism separate from HTTP, e.g. through authenticated DNS records.
This specification is based on text from Thomas Roessler, Mary Ellen Zurko, Stephen Farrell, Ian Fette, Michael Mccormick, Serge Egelman, Johnathan Nightingale, Yngve Pettersen, as well as input and discussions from the active members of the Web Security Context Working Group. It has also benefitted from general public and working group commentary on earlier drafts.
For background material, see the Working Group's wiki: SafeWebFormEditor
This section will be refined further in a future version of this specification. It is not part of this specification's normative material at this point.
Some of the material in this section needs to be reconciled with other parts of the specification, in particular 6.4 Error handling and signalling, and 5 Applying TLS to the Web. More specifically, the present chapter of the document suggests an approach to key continuity management based on a particular matching algorithm for certificates, which is distinct from algorithms common in the PKIX world. (ISSUE-121, ISSUE-122.) The present chapter also proposes a separate set of interactions (see A.9 Detecting a possible Man-In-The-Middle attack) from the one in ; see ISSUE-127.
It is an open issue whether the specification of an interaction mode like the Safe Web Form Editor should be specifically limited or tailored to login transactions, or whether a more general approach is preferable. ISSUE-111
This section is normative.
This section specifies a user-driven interaction for entry of information deemed security critical by the user. This interaction integrates consumption of relevant security information by the user while facilitating the data entry task and providing a record of the user's trust decisions.
The safe form editor keeps a history of text strings the user has given to a Web site via a special purpose text entry tool.
This section specifies the algorithm the user agent MUST use to determine if a visited web site should be considered the same as one in the history database. This algorithm is based solely on a comparison of information provided by X.509 certificate chains. Let the currently visited web site be SiteA, a candidate match in the stored editor bar history be SiteB. For each certificate chain received from SiteB, attempt a match against the one received from SiteA using the following checks:
This matching algorithm needs to be reconciled with PKIX, and with material in 5 Applying TLS to the Web. See ISSUE-121 for a more detailed discussion of some of these aspects, and ISSUE-103 for related material.
The user agent MUST retain sufficient information about all the certificate chains used by a web site to find a match in all cases where the above algorithm indicates there is a match.
The first check in the matching algorithm, which compares public keys, provides a means to transparently update the certificate authority used by a web site. To change certificate authorities, a site acquires a certificate for its existing public key from the new certificate authority. The site should continue using its existing public key until its user base has received the new certificate chain through visits to the site.
Both the first check in the matching algorithm and the second to last, which compares the "CN" attributes of the certificates' subject fields, provide a means to transparently update an organization's name and address. To change this certificate information, an organization acquires a certificate chain that specifies the updated information, but matches against one of these earlier checks.
The above paragraph makes assumptions about CA practices. See ISSUE-122.
It is common for an organization to use multiple, unrelated domain names. The final check in the matching algorithm enables sharing of history across all the hostnames used by an organization.
The editor bar supports safe entry of text strings by the user into a web site with which a continuous relationship has been established. The user can expect this continuity to be securely enforced and the transmissions protected from eavesdropping and tampering. Currently, these properties can only be supported on the web through the use of TLS. The editor bar MUST NOT be enabled for exchanges that are not protected by TLS. If the user hits the editor bar attention key when visiting a site not protected by TLS, the user agent MUST present a message warning the user that data entered in the current form may be seen, or tampered with, by attackers. The user agent MUST offer an interaction to attempt navigating to a secure version of the current page. Exercising that interaction MUST navigate the browser to a URL constructed by changing the current page's URL scheme to a corresponding one that uses TLS. For example, an http: URL is converted to an https: URL.
This web page does not support secure information exchange, and so the editor bar cannot be used here. Information entered into this web page may be seen, or tampered with, by others. Click here to see if the web site supports a secure version of this web page.
When visiting a web site, the user summons the editor bar via an attention key, or a toolbar button, or in some other way. In response to this request, the editor bar searches its history database for an entry corresponding to the current web site, using the algorithm specified in A.1 Associating a history with a web site. If no match is found, the text entry tool MUST NOT be enabled. Instead, the user agent MUST present a message that indicates that the user has not transmitted sensitive data to this site before. Along with this message, the user agent MUST offer distinct interactions through which (a) the user can review sites that they have transmitted sensitive data to before, and (b) the user can proceed to establish a relationship with the site they are visiting.
You have not established a relationship with this web site through the editor bar.
If the user choses interaction (a), a list of hyperlinks to web sites in the editor bar's history database MUST be provided.
If the user choses interaction (b), the user agent must provide a message which communicates identity information based on the TLS certificate used consistent with 6.1 Identity and Trust Anchor Signalling. The user agent MUST offer distinct interactions through which (aa) the user can navigate to a known preferred search engine, and (bb) the user can enter a "petname" for the site they are interacting with.
ExampleCA Inc. claims this web site belongs to "Example Bank Inc. of Sunnydale, California, USA."
If the user choses interaction (aa), the user agent MUST navigate to the user's preferred search engine.
If the user selects the second option, the user agent MUST search the database of existing relationships to find any name similar to the newly chosen one. If any matches are found, the user is notified of the collisions and given the opportunity to instead navigate to the corresponding web site. If no matches are found, the user agent updates its database of stored relationships and enables the text entry tool.
For user agents with a visual user interface, all user interfaces exposed for these interactions SHOULD visually replace the Web content currently displayed to the user.
This section is phrased in terms of visual user interfaces, and includes normative back-references to some of the examples earlier in the specification. ISSUE-124
To defend against web site impersonation, the editor bar is designed to only display text strings provided by the user, or statically provided by the user agent software. Implementations MUST NOT display a text string, or graphic, from any other source within the editor bar user interface. The quoted text in the bootstrap message, the part of the message after "belongs to", MUST be distinguished from the rest of the static text. If the described certificate chain was not issued by one of the user-agent's installed and trusted certificate authorities, the message MUST NOT quote any information from the certificate, instead presenting a message meaning: "This web site's credentials are unrecognized". The same two user actions are still offered by the rest of the message.
The name chosen by the user at the end of the bootstrap interaction, called a [Definition: petname], MUST be the only identifier used by the editor bar user interface to refer to the named site. Each hyperlink in the list provided when the user selects the first option in the first message of the bootstrap interaction MUST use the petname as the hypertext. This list MUST also be accessible to the user via a "Contacts" option. The petname for the current web site MUST also be presented alongside the text entry tool. The user agent MUST provide a means for the user to update the petname used for a web site.
The text entry tool supports user entry of a new text string, or auto-completion of a previously entered text string. The editor MUST provide an indication of which of the two actions is being taken. The text field MUST NOT provide auto-completion of stored editor bar text strings that have not been previously submitted to the currently displayed web site.
The text entry tool history menu supports user selection of a previously entered text string. The menu MUST indicate whether or not an offered selection has been previously submitted to the currently displayed web site. Further, the user action to select a text string previously submitted to the current site MUST be different from that to select a text string previously submitted to some other site. For example, text strings previously submitted to the current site could be displayed in a main menu and other text strings displayed in a sub menu. Consequently, the user would have to click more than once to select a string not previously submitted to the current site, but only once for a string that has been previously submitted.
Both of these selection mechanisms purposely require explicit action by the user. Transmission of a text string in a particular request represents user consent for use of that text string for the purpose of that request. The user agent MUST NOT subvert this consent by auto-filling form fields with information taken from the editor bar history. Information MUST NOT be transferred from the history database to the web page, except as a result of an explicit approval action by the user.
The editor bar specified in this chapter MUST be the only form filling feature of the user agent. A competing form filling feature would undermine the security features of the interaction created by the editor bar.
This section is phrased in terms of visual user agents. ISSUE-125
Some text strings, such as some passwords, are of such high value that displaying them within the user agent, where they may be seen by an onlooker, is too great a risk. This sub-section specifies a mechanism for marking a text string as one which should not be displayed by the user agent.
The text entry tool history menu MUST provide a means for the user to mark a text string as one which is not to be displayed on screen. Invoking this command prompts the user for a "display name". Wherever a text string would be displayed by the editor bar, the provided display name MUST be shown in its place, as well as an indication that the displayed text is a display name, rather than an actual text string. The auto-completion feature of the text entry tool MUST match keystrokes against the display name, instead of the named text string. Whatever way a display name is selected, the named text string MUST be form filled, not the display name text.
Each change to the editor bar history MUST be explicitly made by the user. In particular, a visited web site MUST NOT be able to add, delete, modify or read the editor bar history. A visited web site MUST NOT be able to receive keystrokes sent to the editor bar by the user.
Some identifiers change over time. For example, a credit card number may change when the card is re-issued. The editor bar SHOULD provide a means to delete a text string. Using this feature, the user can reduce interface clutter created by a text string that is no longer in use.
Under some circumstances, a relationship between the editor bar and a site may need to be terminated. The editor bar MUST provide a means for a user to mark a site as one which will no longer be recognized. When this command is invoked, the editor bar MUST behave as if the relationship never existed, for all scenarios specified by this specification.
Many graphical user agents are vulnerable to picture-in-picture attacks: Graphic and script elements within an HTML page are used to simulate the look and feel of browser chrome. The attacker's goal is to recreate a convincing mockup of the browser chrome entirely within the content page, in order to provide (false) indicators of security to the user.
In these user agents, the editor bar MUST be displayed using a theme customized to the user. The user selects this theme at browser installation time. Changes of this theme MUST involve a user interaction that is focused on this specific task. The icon for the Contacts button MUST also be selected by the user at installation time.
See also . ISSUE-127 tracks a number of separate issues with this section.
If the user navigates to a web site by selecting a hyperlink provided by the Contacts button in the editor bar and the site presents a certificate chain that can not be matched to one of its previously stored certificate chains according to the algorithm in A.1 Associating a history with a web site, the user agent MUST alert the user that credentials were provided which cannot be securely matched to those that had been seen in the past.
User agents SHOULD provide the option to send a notification to an alert service of the user agent's choosing.
Please refer to the following entries in the Working Group's Wiki for relevant background information: BrowserLockDown Also, ISSUE-132
This section is normative.
Web user agents that implement optional features of this specification MUST support the configuration of different [Definition: usage modes ] which determine which of thse optional features are active. A usage mode MAY cover other configuration settings of a Web user agent. A user agent SHOULD allow users to view details of why a request to perform a Web transaction was denied if this decision was based on the currently-active usage mode.
Please refer to the following entries in the Working Group's Wiki for relevant background information: SafeWebBrowsingTemplate
Web user agents SHOULD support a [Definition: Safe Browsing Mode ] as one usage mode. Users SHOULD NOT be able to change the settings of this usage mode. This usage mode MUST be made available through an interaction based on a Secure Attention Sequence.
In this usage mode, interactions MUST be limited to a usage-mode specific set of sites.
Should Safe Browsing mode restrict users to a specific set of sites? ISSUE-108
Web user agents MUST require all Web transactions in this usage mode to be strongly TLS protected. Use of self-signed certificates MUST be considered cause for a change of security level.
The optional technique MUST NOT be used.
For Web user agents with a visual user interface, Safe Browsing Mode SHOULD be visually distinguishable from other usage modes.
Please refer to the following entries in the Working Group's Wiki for relevant background information: RecommendationDisplayProposals/PageScore
The user agent SHOULD provide a means of reducing the collection of security context information which is available for any loaded page to a numeric value (termed a "security confidence estimate").
The calculation algorithm for the "security confidence estimate" MAY be made selectable by the end user or offered by separately installed user agent plug-ins.
The user agent SHOULD provide a visual indicator in primary chrome which varies relative to the "security confidence estimate" value. Examples of such visual indicators (non-normative) are gauges, thermometers, a selection of several textual descriptions, and color-gradations.
The visual indicator SHOULD be especially conspicuous in display when the "security confidence estimate" value is different than the value which was observed for the loaded page in previous visits to the loaded page.
The user agent MAY elect to display a visual indicator in primary chrome only when a change in "security confidence estimate" values is observed.
The user agent MUST make the details of all available security context information available to the end user, in either primary or secondary chrome.
If a "security confidence estimate" is provided, the provider of the implementation MUST make the calculation algorithm by which the "security confidence estimate" value is calculated available to the end user. Documentation for the user agent or plug-in which is employed is the likeliest place.
The visual realization of the "security confidence estimate" value will depend on the user agent and end user abilities.