Context Presentation
Modified table, attempting to merge [NoteSecurityContextAvailable] and the previous table (below). Rows with an empty first column continue the context item above them:
context information | current presentation examples | known weaknesses and attacks
--- | --- | ---
HTTP response headers of current page | wget -S option will show them in standard output |
Cookie information | separate dialog boxes to browse, examine, delete | cookie information not widely understood (and often appears random) and thus tends to be overlooked/disregarded by users
referring page | history on back button | possible interactions between re-directs and history
 | page information dialog |
URL | displayed in address bar | use limited size of text field and overflow it
 | | IDN-based attacks against display of URIs
 | | users read URIs in error-correcting mode (and don't recognize subtle differences)
SSL | s in https |
 | padlock (several levels) |
 | color changes |
 | warning dialogs if something is found to be amiss | repeated interruptions begin to lose effectiveness and result in being ignored (turns into a "click here to continue" button)
Certificate chain | in an advanced area of security configuration settings | hard to find; presents the wrong information to the wrong recipient
Certificate revocation status | dialog warning boxes | dialog box help is often hard to understand even for the security professional (presenting the wrong information to the wrong recipient)
any data about the site that did not come from the site | dialog warning boxes | repeated interruptions begin to lose effectiveness and result in being ignored (turns into a "click here to continue" button)
configured trust roots | there's a place you can go to look at them; not understandable |
 | not available: reputation of CA |
 | trust root's identity is displayed for EV certs |
 | different certification policies at the same CA aren't translated into the user interface, but are available as part of the overall cert info display |
 | "This is a certificate authority that you trust for this purpose" (Firefox) |
browser history, bookmarks, accumulated user agent state | history list |
 | bookmarks |
 | cookie lists |
 | allowed pop-up sites |
 | dialog for black-listed sites |
 | password manager stored sites |
reputation service | IE7 phishing filter checks |
 | numerous toolbars |
 | Opera has a phishing filter |
past introductions from friends | paper/magazine |
 | video/TV |
 | text message/e-mail | these sources can be spoofed (see phishing attacks)
redirection path | URIs flash up | the speed at which the URIs roll over/change is governed by the re-direct speed and thus can be quick enough not to be readable
HTML page | black-listed sites in browser settings |
target URI for a pending request | mouse-over a hyperlink | not displayed for form submissions
 | | Javascript can override behaviors
 | view page source |
IP address | IP address resolved flashes by |
 | separately invoked nslookup results |
country of origin for IP address | relayed by some anti-phishing tools |
black list for evil IP addresses | relayed by some anti-phishing tools |
 | dialog for black-listed IP addresses/sites |
current ISP | | misleading in many public access points
information from external devices (e.g. phone call) | page-specific applications (e.g. Amazon.com's "call me" for customer service) | may cause user to divulge more personal information in order to get a phone call
certificate continuity (browser has encountered the certificate in the past) | in "trusted" servers dialog list |
shared secret knowledge (e.g. a picture or password) | application-specific mechanisms, embedded into application and page | casual observation, photographs of user's page
personalization (e.g. account history, user's full name) | application-specific mechanisms, embedded into application and page | too generic and could be built from knowledge mined elsewhere
shared public knowledge (e.g. mother's maiden name, zip code) | application-specific mechanisms, embedded into application and page | ANTI-PATTERN: deemed "easy" to attack; too generic and could be built from knowledge mined elsewhere
does the page contain active content? (e.g. Javascript) | sometimes a fly-over shows a Javascript snippet | Javascript can override behaviors
 | view page source |
does the page contain content sourced from distinct servers? | dialog pop-ups | portlet/portal styles of presentation can mask this (by design/intent!)
 | | repeated interruptions begin to lose effectiveness and result in being ignored (turns into a "click here to continue" button)
does the page come from the intranet or the Internet? | some personal firewalls attempt to discern different networks |
has the page completed loading? | progress bars | not always accurate; subject to timeouts
 | spinners, animated thumbnails |
HTTP content in HTTPS page | dialog boxes | repeated interruptions begin to lose effectiveness and result in being ignored (turns into a "click here to continue" button). Dialog can be disabled. Some clients do not warn if HTTP content is loaded as a result of a redirect from HTTPS or the content is loaded from an applet
 | Opera lowers security level to "0", removes padlock | may be too quiet
POSTing form from HTTPS to HTTP | dialog boxes | repeated interruptions begin to lose effectiveness and result in being ignored (turns into a "click here to continue" button). Some clients do not warn if the POST request to HTTP is initiated from an applet
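The URL row above lists two display weaknesses a client could detect before the user has to: the visible address field overflowed by a user:pass@site style URI, and IDN labels that look like a familiar name. The script below is an added illustration, not part of the page's tables; the sample URLs and the 40-character visible width are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample URLs (assumptions, not taken from the page).
SAMPLES = {
    "userinfo": "https://www.example-bank.com:login@198.51.100.7/account",
    "idn": "https://www.xn--pple-43d.com/",  # A-label for "аpple" with a Cyrillic а
    "plain": "https://www.example-bank.com/",
}


def scripts_of(label):
    """Script names (first word of the Unicode name) of the letters in a label."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}


def inspect_url(url, visible_chars=40):
    """Report the host the client will really contact and why the display may mislead."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # Anything before '@' in the authority is userinfo; the real host follows it.
    if parts.username is not None:
        findings.append("userinfo '%s' precedes the real host %s" % (parts.username, host))
    # An address field of visible_chars width hides the rest of the URL.
    if len(url) > visible_chars:
        findings.append("URL has %d chars, only %d visible" % (len(url), visible_chars))
    # Convert xn-- labels to the Unicode form a browser might render, then look for
    # labels that mix scripts (e.g. a Cyrillic letter inside an otherwise Latin name).
    unicode_host = host.encode("ascii").decode("idna") if "xn--" in host else host
    for label in unicode_host.split("."):
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append("label '%s' mixes scripts %s" % (label, sorted(scripts)))
    return {"host": host, "unicode_host": unicode_host, "findings": findings}


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, inspect_url(url))
```

The mixed-script check is deliberately narrow: a name written entirely in one non-Latin script, or a near-miss typo, is not flagged, which is the "error-correcting mode" problem the table leaves to the user.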
Previous table (rows with an empty first column continue the context item above them):
context information | current presentation; how robust is it? (widely deployed) | possible best practice approach | how reliable is the information?
--- | --- | --- | ---
HTTP response headers of current page | nothing; need to check IANA registry some day | |
Cookie information | cookies lead to dialogue boxes dependent on configuration; used to key display of shared secret in page content -> enable user to recognize site they dealt with before; how far are cookies spread? Where are they replayed? | |
referring page | history on back button; otherwise, not visible; interaction between redirects and history? | |
URL | displayed: address bar; attacks use limited size of text field and overflow that with user:pass@site style URIs | |
 | IDN-based attacks against display of URIs / domain names; TLD whitelists are being deployed | |
 | users read URIs in a typo-correcting mode | |
SSL on/off; session properties / SSL certificate properties: revocation status, issuer, ... | ((completely useless? Why does it say it's not valid? black and white right now; experience diluted -- dialogue boxes that get ignored)) | Future UI meme: "secure"? "Approved cryptographic state" vs. "unapproved cryptographic state"? --- Likely out of scope: Separate debugging mode that displays richer but less usable information? Separate user modes? |
 | s in https | |
 | padlock | |
 | color changes -- Firefox, IE7, informal agreement | |
 | warning when attempting to submit form controls to non-SSL site when form was transmitted through TLS | |
 | "WARNING, YOU ARE NOW SECURE" dialogues | |
 | Information about cyphers used isn't presented, but can be displayed. Users rely on cypher suite configuration. | |
 | Warnings about validity period; can be overridden by user | |
 | All cert properties are available. But user interface is not understandable -- logotype rendered in base64? | |
 | EV certificate work at CA/Browser forum -- IE7 implements this; displays organization's name and issuer name | |
 | Opera lock item has a number -- MSmith to dig down on what that means | |
 | Firefox has different states of lock items. People in the room don't get them -> corollary about usability? | |
 | mismatch between domain name in URI and certificate leads to overridable warning | |
 | unknown CA leads to overridable warning | |
 | current UI allegedly intended for site debugging purposes | |
 | IE7: persistent display of certificate errors, even when overridden by users | |
browser history, bookmarks, accumulated user agent state? | password manager state reflected by pre-filling forms | |
 | history sidebar | |
 | general form-filler support; list of sites that form information has been cached for | |
reputation service | IE7 phishing filter checks reputation of some URIs; Opera has "something similar" | |
 | numerous toolbars | |
past introductions from friends (e.g. in email) | | |
redirection path | URIs flash up | |
HTML page? (e.g. spam filter like techniques) | | |
The target URI for a pending request. | mouse over hyperlink -> status bar update | |
 | not displayed for form submission buttons | |
 | Javascript can override behaviors | |
IP address | IP address resolved flashes by | |
Country of origin for IP address | used / relayed by some anti-phishing tools | |
A blacklist of evil IP addresses. | used / relayed by some anti-phishing tools | |
Your current ISP? | | |
Information from external devices (e.g. phone call) | | |
Certificate continuity (browser has encountered the certificate in the past) | | |
Shared secret knowledge (e.g. a picture, or a password) | | |
personalization (e.g. account history, user's full name) | | |
Shared public knowledge (e.g. mother's maiden name, zip code) (ANTI-PATTERN) | | |
Does the page contain active content? (e.g. Javascript) | | |
Does the page contain content sourced from distinct servers? | | |
Does the page come from the intranet or the Internet? | | |
Has the page completed loading? | | |
HTTP content in an HTTPS page | | |
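Both tables end with the two HTTPS-weakening cases that today surface only as dialogs users learn to click through: HTTP content inside an HTTPS page, and a form submitted from an HTTPS page to a non-SSL site. As an added example, not part of the page, the scanner below finds both conditions in page markup before any dialog would appear; the sample page and the host names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (an assumption, not from the page), served over HTTPS.
PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><body>
<img src="http://cdn.example/logo.png">
<script src="//static.example/app.js"></script>
<form action="http://pay.example/submit" method="post"><input name="card"></form>
<form action="/confirm" method="post"></form>
<iframe src="https://partner.example/widget"></iframe>
</body></html>"""

# Attributes that trigger a subresource fetch; an http: value inside an https:
# page is the "HTTP content in an HTTPS page" row of the table.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "link": "href", "object": "data", "embed": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def _resolve(self, ref):
        # Resolve relative and protocol-relative references against the page URL,
        # so "//host/x" inherits https and is correctly not flagged.
        return urljoin(self.page_url, ref)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            target = self._resolve(attrs.get("action") or "")
            if urlsplit(target).scheme == "http":
                self.findings.append(("form-submits-to-http", target))
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            target = self._resolve(attrs[attr])
            if urlsplit(target).scheme == "http":
                self.findings.append(("http-subresource", target))


def scan(html, page_url):
    """Return (kind, absolute URL) for every HTTP reference in an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only matters when the page itself is HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings
```

Loads triggered by an HTTPS-to-HTTP redirect or by an applet, which the table notes some clients do not warn about, are not visible in the markup and have to be checked at fetch time instead.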