Page Security Score: A Meta SCI
Goals
- This requirement addresses the following WSC goals:
2.2 Relevance of security information
- This goal is directly addressed by assigning weights to SCIs in the page security score (PSS) formula.
2.3 Consistent presentation of security information
- This goal is satisfied by giving all user agents the same scoring techniques and requiring them to use the score as the semantic behind their primary security content display.
2.4 User awareness of security information
- This goal is supported by requiring user agents to make PSS available to end users.
2.5 Reliable presentation of security information
- This goal is met by basing SCI displays on an industry-standard score, rather than letting each agent make subjective or proprietary choices about security semantics.
2.7 Authoring and deployment techniques
- This requirement includes techniques for both calculating and displaying PSS.
Overview
This requirement proposes that all the security context indicators (SCIs) be aggregated into a single page security score (PSS) using a standard formula. Web agents should score pages and make the score available to users. Web agents should also derive primary chrome indicators (padlock, colored bar, thermometer, etc.) from this standard score in order to provide a consistent and trustworthy security context semantic to users.
Applicability
This requirement applies to all HTTP user agents that display web content to humans.
Requirement
- The user agent MUST compute a security score for each page rendered, using the Techniques described below.
- The user agent MUST make the security score available to the end user, although it need not be displayed as a primary SCI in chrome.
- The user agent MUST make available to the end user the formula, or formula standard and version, by which the security score is calculated.
- The user agent SHOULD provide a visual indicator in chrome (primary SCI) that is derived from the security score, using the Techniques described below.
Techniques
Scoring Techniques
- The scoring technique will require discussion and testing before it can be finalized. Even if it becomes a standard, it will likely undergo further iterative refinement under version control. The following scoring technique is offered as an example or starting point:
Page Security Scoring Formula Version One (PSSFv1)
- This proposed formula yields a page security score (PSS) from 0 to 99, with 0 representing the least secure page and 99 representing the most secure. The raw sum of the inputs below can fall below zero when the expiry, revocation and host-name-mismatch penalties apply; a user agent clamps such sums to 0 so that the reported PSS stays within 0 to 99.
Inputs
HIST1 = 5 if user visited this domain in the past, else 0;
HIST2 = 5 if user visited this particular page in the past, else 0;
HIST3 = 5 if user has saved credentials for this site in the past or bookmarked this particular page in the past, else 0;
CA1 = 0 if no SSL/TLS, 5 if server X.509 certificate is self-signed, 10 if issued from an untrusted root, 15 if from a trusted root, 20 if it is an Extended Validation (EV) certificate;
CA2 = -5 if server certificate has expired, else 0;
CA3 = 0 if no SSL/TLS, (CA2-CA1) if server certificate has been revoked, 5 if it has not been revoked according to a CRL, 10 if it has not been revoked according to a successful OCSP call or a valid stapled OCSP response, (CA2-CA1)/2 if revocation status is indeterminate;
TLS1 = 0 if no SSL/TLS, 5 if SSLv1, 10 if SSLv2, 15 if SSLv3 or TLS 1.0 or higher;
TLS2 = 0 if no SSL/TLS, 5 if null cipher, 10 for any other cipher suite, 15 if AES or Triple DES (3DES-EDE) with proper key length;
TLS3 = 5 if all resources on the page are https, else 0;
DNS1 = 0 if host name resolved from the local hosts file, 5 if a hard IP address was used (no name resolution), 10 if name resolved via DNS, 15 if DNSSEC;
DNS2 = 0 if no SSL/TLS, (CA1)/5 if server certificate name matches the URL host name, else -(CA1+DNS1).
Output
PSS = HIST1 + HIST2 + HIST3 + CA1 + CA2 + CA3 + TLS1 + TLS2 + TLS3 + DNS1 + DNS2
Bounds
- The highest a page can score under the PSS version 1 formula is 99, which can only be attained if the page uses both EV SSL and DNSSEC among other factors. A typical bookmarked https page on the WWW today, without EV SSL or DNSSEC, would score 88 under the formula if all other security indicators are positive. The highest a page can score without EV SSL is 93. The highest a page can score without DNSSEC is 94 (EV SSL contributes 20 to CA1 and 4 to DNS2; plain DNS contributes 10 rather than 15 to DNS1). The highest a non-https page can score under the formula is 30, which can only be attained if the domain and page were previously visited, the page is bookmarked or has saved credentials, and the name was resolved via DNSSEC. Without DNSSEC the highest a non-https page can score is 25. The lowest a page can score under the formula is zero (0): an expired, revoked or name-mismatched certificate can drive the raw sum of the inputs below zero, and such sums are clamped to 0.
Primary Display Techniques
- User agents that derive a primary chrome SCI from the PSS should allow for at least 4 different gradations. Using the PSSFv1 formula above, the obvious gradations for a 4-level schema would be the ranges 0-24, 25-49, 50-74, 75-99. However, the formula should be tested against a broad variety of web sites to determine its true distribution, and this could lead to adjustments in the gradation ranges. Gradations can be rendered visually in various ways, such as colors (red, orange, yellow, green) or images (such as faces: angry, frown, sad, happy). The gradation rendering should be based on an intuitive continuum of images. User agents may choose to present the PSS at full granularity without gradation in the primary SCI, for example a thermometer bar with 100 different "temperatures". These display techniques can also be combined in various ways, for example a colored thermometer bar.
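The following is an added worked example, not code from the WSC proposal itself. It implements PSSFv1 exactly as written above (each input is named as in the formula), reproduces the bounds quoted in the Bounds section, and maps the result onto the 4-level gradation scheme from the Primary Display Techniques. The class and field names (PageContext, CertKind, and so on) are hypothetical; the clamp to 0..99 is this example's reading of the "0 to 99" statement, since the formula's own penalties can make the raw sum negative.

```python
from dataclasses import dataclass
from enum import Enum


# Enum values are the points the corresponding PSSFv1 input awards.
class CertKind(Enum):          # CA1
    NONE = 0                   # no SSL/TLS
    SELF_SIGNED = 5
    UNTRUSTED_ROOT = 10
    TRUSTED_ROOT = 15
    EV = 20

class Revocation(Enum):        # CA3 (points depend on CA1 and CA2, see below)
    REVOKED = "revoked"
    CRL_OK = "not revoked per CRL"
    OCSP_OK = "not revoked per OCSP (live call or stapled response)"
    INDETERMINATE = "indeterminate"

class Protocol(Enum):          # TLS1
    NONE = 0
    SSLV1 = 5
    SSLV2 = 10
    SSLV3_OR_TLS = 15

class Cipher(Enum):            # TLS2
    NONE = 0
    NULL = 5
    OTHER = 10
    AES_OR_3DES = 15           # AES or 3DES-EDE with proper key length

class Resolution(Enum):        # DNS1
    HOSTS_FILE = 0
    IP_LITERAL = 5
    DNS = 10
    DNSSEC = 15


@dataclass
class PageContext:
    """Observations about one rendered page (hypothetical field names)."""
    visited_domain: bool = False
    visited_page: bool = False
    saved_or_bookmarked: bool = False
    cert: CertKind = CertKind.NONE
    cert_expired: bool = False
    revocation: Revocation = Revocation.INDETERMINATE
    protocol: Protocol = Protocol.NONE
    cipher: Cipher = Cipher.NONE
    all_resources_https: bool = False
    resolution: Resolution = Resolution.DNS
    cert_matches_host: bool = True


def pss_v1_inputs(ctx: PageContext) -> dict:
    """Compute each weighted input, keyed by the name used in the formula."""
    tls = ctx.cert is not CertKind.NONE
    ca1 = ctx.cert.value
    ca2 = -5 if tls and ctx.cert_expired else 0
    if not tls:
        ca3 = 0
    elif ctx.revocation is Revocation.REVOKED:
        ca3 = ca2 - ca1                  # revocation cancels the CA1 credit
    elif ctx.revocation is Revocation.CRL_OK:
        ca3 = 5
    elif ctx.revocation is Revocation.OCSP_OK:
        ca3 = 10
    else:
        ca3 = (ca2 - ca1) / 2            # indeterminate: half the revoked penalty
    dns1 = ctx.resolution.value
    if not tls:
        dns2 = 0
    elif ctx.cert_matches_host:
        dns2 = ca1 // 5                  # CA1 is a multiple of 5, so this is exact
    else:
        dns2 = -(ca1 + dns1)
    return {
        "HIST1": 5 if ctx.visited_domain else 0,
        "HIST2": 5 if ctx.visited_page else 0,
        "HIST3": 5 if ctx.saved_or_bookmarked else 0,
        "CA1": ca1, "CA2": ca2, "CA3": ca3,
        "TLS1": ctx.protocol.value if tls else 0,
        "TLS2": ctx.cipher.value if tls else 0,
        # The page itself is a resource, so a plain-http page cannot earn TLS3.
        "TLS3": 5 if tls and ctx.all_resources_https else 0,
        "DNS1": dns1, "DNS2": dns2,
    }


def pss_v1(ctx: PageContext) -> tuple:
    """Return (raw_sum, score): the raw sum may be negative, the score is clamped to 0..99."""
    raw = sum(pss_v1_inputs(ctx).values())
    return raw, max(0, min(99, raw))


GRADATION_COLOURS = ("red", "orange", "yellow", "green")

def gradation(score: float, bands: int = 4) -> int:
    """Map a 0..99 score onto `bands` equal ranges; 4 bands give 0-24, 25-49, 50-74, 75-99."""
    return min(int(score) * bands // 100, bands - 1)


if __name__ == "__main__":
    # Constructed sample: a bookmarked https page, trusted root, OCSP-good, plain DNS.
    typical = PageContext(True, True, True, CertKind.TRUSTED_ROOT, False, Revocation.OCSP_OK,
                          Protocol.SSLV3_OR_TLS, Cipher.AES_OR_3DES, True, Resolution.DNS, True)
    raw, score = pss_v1(typical)
    print(pss_v1_inputs(typical))
    print(f"raw={raw} score={score} gradation={GRADATION_COLOURS[gradation(score)]}")
```

Running the module prints the eleven weighted inputs for the constructed "typical bookmarked https page" and a score of 88 in the green band. Swapping in an expired, revoked, name-mismatched certificate on a hosts-file resolution yields a raw sum of -15, which is why the clamp is needed before the score is shown or mapped onto a gradation.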
Dependencies
This proposal depends upon all the security information described in PageInfoSummary. Each piece of information described there is a weighted input to the page security score (PSS) formula.
Use-cases
- This requirement supports all the use cases.
Attack resistance and limitations
TBD
Usability effect
Expected User behavior
- The less technical but security-conscious user is expected to notice the primary SCI and make decisions about online behavior based on the level of security risk. The technically skilled user (e.g., a sys admin) is expected to reap the same benefits as above, plus gain additional information from the raw page score to guide safe online behavior. The less technical user who is not diligent about security is not expected to benefit as much from this requirement.
Disruption
- If the score or the primary SCI derived from the score are poorly implemented (ambiguous or confusing) then adding this capability to agents could do more harm than good, particularly in the case of users who are less technical but who pay attention to security cues.
References
Archived email was the genesis for this requirement, along with subsequent discussions.
PageInfoSummary defines the SCIs from which a PSS is derived.