Site Identifying Images in Chrome
Goals
- This requirement supports the following WSC goals:
- 2.1 Document the status quo
- 2.2 Relevance of security information
- 2.3 Consistent presentation of security information
- 2.4 User awareness of security information
- 2.5 Reliable presentation of security information
Overview
The most common currently deployed mechanism to associate identifying images with Web Sites is the favorite icon [FAVICON]. Favorite icons are commonly displayed in browser location bars, alongside bookmarks, or in other parts of graphical user interfaces. The association of a particular bitmap with a particular site is controlled by the site's content.
- This section includes requirements for the display of site identifying icons designed to help separate site-controlled content from trust indicators.
Applicability
- This requirement is applicable to Web User Agents that are capable of displaying bitmap graphics, and use a visual viewport to communicate trust information to users.
Requirement
Variant 1 - Roessler
- Web User Agents MUST NOT display bitmaps controlled by Web Content in areas of the user interface that are intended or commonly used to communicate trust information to users.
Variant 2 - McCormick
- Web User Agents MUST NOT display bitmaps controlled by Web Content in areas of the user interface that are commonly expected to be under the control of the user agent.
Techniques
- The following Techniques are necessary, but not sufficient, to fulfill the requirement:
- Web User Agents MUST NOT display favorite icons [FAVICON] within the visual context of a Location Bar widget, if present.
- Web User Agents MUST NOT display favorite icons in secondary user interface intended to enable users' trust decisions.
- The following Technique is sufficient to fulfill the requirement:
- Web User Agents MUST ignore favorite icon [FAVICON] references that are part of Web content.
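The sufficient technique above can be pictured as a filter in the user agent's link-processing path. The sketch below is an added example, not part of the original requirement text; the `ICON_REL_TOKENS` set, the `LinkFilter` and `filter_links` names, and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: rel keywords a user agent would otherwise treat as site icons.
ICON_REL_TOKENS = {"icon", "apple-touch-icon", "apple-touch-icon-precomposed", "mask-icon"}

# Constructed sample content, not taken from any real site.
SAMPLE_HTML = """<html><head>
<link rel="icon" href="/padlock.png">
<link REL="Shortcut Icon" HREF="https://cdn.example/fav.ico" />
<link rel="apple-touch-icon" href="/touch.png">
<link rel="stylesheet" href="/site.css">
<link rel="alternate" type="application/rss+xml" href="/feed.xml">
</head><body><p>icon</p></body></html>"""


class LinkFilter(HTMLParser):
    """Sorts <link> references into ignored site icons and everything else."""

    def __init__(self):
        super().__init__()
        self.ignored = []   # site icon references: never fetched, never shown
        self.honoured = []  # all other link references, processed as usual

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = {name: (value or "") for name, value in attrs}
        # rel is a space-separated set of case-insensitive keywords.
        rel = {token.lower() for token in attr.get("rel", "").split()}
        target = self.ignored if rel & ICON_REL_TOKENS else self.honoured
        target.append(attr.get("href", ""))


def filter_links(html):
    """Return (ignored_icon_hrefs, honoured_hrefs) for one document."""
    parser = LinkFilter()
    parser.feed(html)
    parser.close()
    return parser.ignored, parser.honoured


if __name__ == "__main__":
    ignored, honoured = filter_links(SAMPLE_HTML)
    print("ignored:", ignored)
    print("honoured:", honoured)
```

The filter only sees references that appear in content. A favicon discovered at a well-known location is a separate fetch that the user agent would have to suppress on its own.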
Examples
Conforming Product
- A conforming product could be a Web User Agent that uses the favorite icon to identify individual tabs in a tabbed browser interface, or to identify bookmarks, but does not display favorite icons in its location bar.
Non-conforming Product
- A common UI metaphor in recent generations of common Web browsers is to include trust indicators (the padlock, and color coding) in the Location Bar widget that is part of typical primary browser user interfaces. Typically, the padlock is displayed toward the right border of the location bar. The Location Bar is therefore an area of the user interface that is commonly used to communicate trust information. Browsers that display a favorite icon near the left border of the Location Bar are an example of a non-conforming implementation.
- A Web Browser that displays a favorite icon in a dialog box in which certificate properties are presented for inspection when a user handles a TLS error condition is also non-conforming.
Background
A web browser address bar may display a logo retrieved from a location specified in the web site's content, or discovered in a well known location, known as a favicon. In either case, the choice to display a logo, and what image to use, is at the discretion of the visited web site. In some browsers the favicon logo is also displayed in Bookmarks/Favorites lists and associated toolbar buttons, as well as window titles, tab titles, and elsewhere. Whether consciously or unconsciously, many users are beginning to view favicon logos as security context information. Specifically, they feel that seeing the logo they expected for a particular site is somehow an assurance the site is genuine. @@@ NEEDS REFERENCE @@@ Because the logo appears in browser chrome rather than the HTML page, it creates an impression that the logo is more "official". This is a mistake on the users' part because no central organization controls or approves the assignment of favicons to sites, and no technical security measures are required to ensure the authenticity of a favorite icon. A malicious entity can steal the exact logo used by a legitimate site (or create a visually indistinguishable logo) and associate it with a different site for impersonation purposes.
- Favicons undermine the web security context display in several ways:
- they appear to provide security context but in reality do not
- they blur the distinction between chrome and content
- they enable attackers to place trust indicators (such as the familiar padlock) in areas of browser chrome that are commonly used for trust display, creating a significant risk of user confusion.
Dependencies
- none?
Use-cases
- @@ elaborate -- site impersonation attacks apply @@ A key misuse case would involve the user believing a counterfeit site is legitimate based on its favicon display. A key positive use case would involve the user gaining additional assurance that a legitimate site is safe because its EV certificate is branded by a trusted authority.
- @@@ need more work on use cases @@
Expected User behavior
- @@@ See preceding. To develop test cases with expected user behaviors, new use cases would have to be developed first.
Disruption
- Favorite icons are presently an optional part of the Web browsing experience; many sites elect not to display them. They typically replace a generic "bookmark" icon that can be used to, e.g., manipulate bookmarks.
SSL Logos -- likely overlap with Secure Letterhead and EV Cert
Certificate Logos
- Logo images can be attached to SSL certificates using the logographic extensions to X.509 described in IETF RFC 3709. Logos can be optionally attached for the issuer (the CA), the subject (the web site or domain), and the community to which the issuer or subject belongs. Certificate logos play a similar role to favicons. Although web browsers will typically display them somewhat differently, both appear as site identifying images in chrome. Unlike favicons, however, certificate logos are cryptographically protected from tampering or forgery. And when tied to a well-vetted certificate, they can be traced back to a Real Life entity outside of cyberspace. The latter is important because it allows legal recourse to be taken if an entity displays a logo in violation of trademarks or contractual agreements. Certificate logos can be used safely if our recommendations are followed:
- Web agents should only display subject or community logos for high grade SSL certificates (such as EV) that require thorough requester vetting outside cyberspace.
- CAs who issue high grade SSL certificates (such as EV) ought to remind requesters that logographic imagery is subject to trademark laws and that the requester is responsible for ensuring the logo they supply to the RA is (a) legal for use in all countries and (b) visually distinguishable from other logos.
- In support of (b) above, sites should follow basic principles of sound logo design: use the company name (text) in addition to imagery; don't rely on color to distinguish one company's logo from another (for color-blind users); etc.