Transparent and usable security on the Web

Security on the web is turning into a major challenge. The web itself is now global, and available to millions of people who are not security experts. Further, it is being developed by millions of people, and not all of those are security experts either.

Some of the common challenges today include the following.

There are already a number of initiatives that provide a useful model for dealing with browser security. Groups such as Secunia [SEC], who test for flaws and publish advisories, allow the community to track overall progress and to understand some of the risks. However, most people do not read such information. It is, of course, more commonly read by developers, who use it both to anticipate new types of attack and to check on things that they need to fix.

Poorly secured "back-end" systems are a challenge. To some extent these can be remedied by large-scale software incorporating an entire security architecture, but this also has ongoing drawbacks. In particular it closes the market down to a few players, instead of the current healthy competitive arena. In addition, it is likely to encourage developers to simply assume that security is the responsibility of that software, rather than take the active interest necessary in any good security model.

If poor security practices are common on the part of developers, users become conditioned to disabling important security protection in order to achieve their everyday goals. It is therefore helpful to bring "reasonable" pressure to bear on content developers, and one means of doing this is for the user agent to make it clear what level of security is offered, and how this security is asserted.

It helps if users can easily and clearly determine how secure a site is, since they will act on that information to some extent. It is important not to over-estimate the impact this can have, however. There are a number of services on the web today whose security is clearly broken, but whose users don't change for other reasons. Some hypothetical examples are government services which are necessary to their users, such as taxation and welfare systems. Similarly, an airline whose security is poor but whose flights are cheap will likely retain many of its users until the potential offered by a security hole becomes actual damage from a real exploitation of that hole. Even then, the "blame game" driven by market realities often means that the true picture is obscured.

Phishing attacks are increasingly common. Sites go to great pains to inform their users that they should not rely on links in email, especially if they cannot see where the link goes. Various hacks are applied in email systems to try to draw attention to URIs that show characteristics typical of phishing attacks, for example a link whose visible text names one host while its target is another. In the long term, a more powerful trust network is going to be necessary, but deploying it while still allowing free communication is a difficult problem.

However in the short term there are already some useful methods available for providing clear guidance to users. Opera 8 took an important step in this direction, making certificate information significantly more prominent. More recently, a number of browsers agreed to go even further in providing information. Importantly, this will be presented in a standard way recognisable across different browsers and platforms.

Although providing exactly the same interface is not always possible or desirable (for example what can be presented on my large-screen laptop is inappropriate for my small-screen mobile phone), a high degree of consistency is valuable. It simplifies the process of teaching users what they should be looking for, and gives clear and unambiguous feedback to service developers that their users will be warned about the basic reliability of a service.

Collaboration between developers is important in security. While we don't need to share source code, agreeing on basic approaches to security (protocols, etc) is obviously important. More than this, agreement that leads to clarity for users is important. Security is complex, and is easily seen as presenting a problem for the user. The most common way of breaching it is not technological at all, but relies on convincing the user to disable it themselves - something that is relatively simple if it gets in the way.

Finally, it is important in security work to take into account two challenges for any global system - accessibility and internationalisation. Systems such as the so-called CAPTCHA present serious problems to users with visual impairment of any kind (whether inherent or due to the systems they are using). Software which presents information visually using colours must make sure that colourblind users are also able to understand the information. Similarly, certificates signed by companies with Chinese names written in Chinese script are obviously highly appropriate for a Chinese market, but may cause recognition difficulties for an Arabic- or Spanish-speaking user. While the challenges raised by this issue are generally understood, and solutions are available, if the developers of security systems ignore them they are building in a serious weakness, since in most cases a legal requirement will be made to open the system for "appropriate users". (This was the case, for example, with some apparently secured documents: certain people could legally require access in a way which simply stripped the security, and since qualification relied on being blind rather than on anything reliable, the net effect was to completely invalidate the security model.)