ACTION-125: use case rework

Here's proposed material following from the use case structuring
discussion that we had in San Jose; this is intended to be input
material for Stuart's threat trees.  This is a first cut -- I've
made edits to some of the existing use cases, changed some of them,
and so on.  I suspect that Stuart might be tempted to change things
to be a bit more rigorous; Rachna, Maritza and MEZ might be on the
look-out for spelling out user mental models more reasonably than I
have done.

I've dug a bit deeper than we did at the face-to-face as far as the
"user tasks" are concerned: The "user task" and "trigger" slides can
be more easily described as "what kind of interaction the user
should have expected" and "what the site asks of him" -- software
installation when asking for software v. software installation when
asking to scroll down a bit, to give just one example.

Working on these use cases, I wonder if the "known organization"
choice isn't actually a strawman for something else -- such as a
pre-existing user expectation about what he's going to see, vs. no
such pre-existing expectation.

I think I've enumerated the different aspects.  I don't claim that
the use cases I've listed actually exhaust every single combination.
Between them, though, I hope to have caught all significant ones.

Please raise a red flag now if you think something has been lost.

Here we go...  Occasional editorial remarks in square brackets.  Oh,
and I'll pay beer for those who decipher the easter eggs.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


We distinguish a number of properties in the basic use cases that we
address.

Destination site.  A user may have interacted with a site before
(i.e., the web site is present in the user's browsing history); he
may also have submitted forms to that site before.  The site might
belong to an organization that the user knows of (and intends to
interact with), or it might belong to an organization that the user
does not know of, and may or may not have an intention to interact
with.  For a site that has been visited before, the site's
appearance might have changed significantly.

User's navigation toward the destination site.  The user might have
followed a bookmark.  He might have followed a web link from a known
site, or from a search engine.  He might have entered a search term
into his browser's address bar and used a feature that directly
redirects him to his favorite search engine's top hit.

The user might also have discovered a site in a cinema advert, heard
about it over the phone, or jotted down a URI on a napkin -- that he
then mis-typed into his web browser.

Finally, a web browser might have been launched by some local
application.

Intended interaction.  A user might be interested in retrieving
information from the public Web, and might therefore interact with a
web site in some way.  He might be interested in engaging in
commerce or other activities that make him expect to submit
sensitive information -- be it credentials or personal data.  He
might be interested in downloading software for his local system,
fully aware that this implies that he trusts the software provider
to behave correctly far beyond the confines of the browser sandbox.

Actual interaction.  The web site's behavior may correspond to what
the user intends, or the site might cause unexpected behavior: An
information site asks for sensitive information; a photo download
triggers software installation; an innocuous mouse click that is
intended to raise a window on the user's viewport causes a pop-up or
pop-under window to open.  A time-based trigger might cause the
interaction without any activity on the user's side.  A user
interaction (such as closing a window) might unexpectedly expose a
pop-under window that has been launched much earlier.

1. Once a week, Alice pays her bills.  She opens her web browser,
follows the habitual bookmark to her bank's site, logs in by
entering her credentials, and follows the routine course through the
online banking system.

Destination site:     	prior interaction, known organization
Navigation:           	bookmark
Intended interaction: 	submission of sensitive information
Actual interaction:	submission of sensitive information 

[This is the apple pie use case.]

2. Once a week, Alice pays her bills.  She opens her web browser,
follows the habitual bookmark to her bank's site, and is directed to
an unfamiliar site at a new domain, announcing that her bank has
recently acquired another one and changed names a bit.  She is asked
to enter her usual credentials, succeeds, and quickly adapts to the
new online banking system.

Destination site:	no prior interaction, known organization
Navigation:		bookmark, then follows a link
Intended interaction:	submission of sensitive information
Actual interaction:	submission of sensitive information

Variation: Alice has the habit of typing her bank's URL.

3. Once a week, Alice pays her bills.  She opens her web browser,
follows the habitual bookmark to her bank's site.  Her bank's web
site informs her that, as a countermeasure to recent attacks against
online banking customers, she needs to install a piece of
proprietary software on her computer that will be the conduit for
her future interactions with the bank.

Destination site:	prior interaction, known organization
Navigation:		bookmark
Intended interaction:	submission of sensitive information, 
	 		but site convinces Alice to install software
Actual interaction:	installation of software

Variation: Alice has the habit of typing her bank's URL.

4. Once a week, Alice pays her bills.  She opens her web browser,
follows the habitual bookmark to her bank's site.  A download
process starts, and a pop-up window informs Alice that she needs to
install a piece of software locally that will henceforth be her
conduit for her future online interactions with her bank.

Destination site:	prior interaction, known organization
Navigation:		bookmark
Intended interaction:	submission of sensitive information
Actual interaction:	installation of software

5. In the advertising leading up to a re-run of the 1970s movie
classic "The Sting," Doyle sees an offer for a new-fashioned
investment that he can't refuse, offered by a brand that he has
heard of before.  He memorizes the URL that is given toward the end
of the advertising.  Coming back home, he mis-types the URI at
first, corrects a spelling error, and then reaches a web site that
matches the investment firm's branding and name.  He's asked for
identifying information that he provides.

Destination site:	no prior interaction, known organization
Navigation:		typing
Intended interaction:	submission of sensitive information
Actual interaction:	submission of sensitive information

Variations: The URI that Doyle typed can be correct or not.
Orthogonal to this, he can end up on the web site he intended to
interact with, or not.  Doyle might also have typed a keyword
glanced from the movie screen into a search box.

[This one subsumes the current 6.12]

6. Watching more cinema advertising, Doyle sees a somewhat
irritating, but intriguing movie teaser that ends with a dark screen
that has a URL fading away quickly. He mis-memorizes the URL. Coming
back home, he types in what he remembers, and gets directed to a web
site that immediately causes a software download. A pop-up window
informs him (in a graphical layout that matches the teaser's last
screen) that software will be installed on his system in order to
enable him to fully benefit from the web site's multimedia
offerings.

Destination site:        no prior interaction, unknown organization
Navigation: 		 typing, with error
Intended interaction:	 information retrieval
Actual interaction:	 software installation

Variations: The web site can be the one advertised in the cinema, or
not.

7. Frank regularly reads a frequent flyer forum while sipping his
first cup of coffee in the morning.  He clicks on a link and walks
off to the coffee-maker for a refill.  Returning, he notes that his
computer screen now includes pop-up advertising for a new
cheque-management program which is purportedly offered by his bank.
A free demonstration version is available for download.  The
advertising is served from an advertising agency's web site, not
from the bank's.

Destination site:    	 no prior interaction, unknown organization
Navigation: 		 none
Intended interaction:	 information retrieval
Actual interaction:	 software installation

[easter-egg: What's Frank's last name? Why?]

Variations: pop-under instead of pop-up; also, it's deliberately
left open whether Frank's click trigger or a timeout during his
absence causes the pop-up to appear.  The software could be on the
bank's web site, on an advertising agency's, or on a prankster's.

[Subsumes 6.15.  The case that software is on the bank's web site
motivates the earlier FollowALink use case, see also ACTION-81.]

8. [Current 6.1]

Example Inc. has a popular online service that processes many credit
card transactions a day. Betty occasionally uses the service and
trusts it with her credit card information. Malcolm is a thief with
an idea. He creates an imitation of the Example web site and begins
directing users to it. Malcolm contacts victims through email, or
even the phone, and links to his imposter site from popular blogs
and chat forums. He's also given his imposter site a domain name
that is just a typo away from Example's authentic web site, so some
victims will arrive by accident. Betty is about to enter her credit
card information into a site that looks just like Example's. How is
she to know if it's the authentic site, or the imposter?

Destination site:	 no prior interaction, unknown organization
	    		 (but user expects a particular organization)
Navigation:		 link or typing
Intended interaction:	 submission of sensitive information
Actual interaction:	 submission of sensitive information

9. [Current 6.2]

Example Inc. has use of example.com, example.net and example.org.
Each is used to manage a different part of the company's online
operations. Betty initially found Example at example.com and created
her online account through a page hosted at that domain. She has yet
to interact with any of Example's other hosts. Sometime later, Betty
receives an email claiming to be from Example and alerting her to a
pending task that she must attend to. The email provides a hyperlink
to a page that will help Betty complete the task. After clicking on
the hyperlink, Betty's user agent displays a page from the
example.net host. The page asks Betty to enter her username and
passphrase before being allowed to access her account. How is Betty
to know that her Example credentials can be safely entered into the
page?

Destination site:	 no prior interaction
	    		 known organization
Navigation:		 any
Intended interaction:	 submission of sensitive information
Actual interaction: 	 submission of sensitive information

10. [Current 6.3]

Betty's home wireless router has a web interface for making
configuration changes. When the router is installed, it generates a
self-signed SSL server certificate. Sometime later, Betty attempts
to make a configuration change. How does Betty know she's connected
to the router she set up earlier, and not her neighbor's?

Destination site:	 prior interaction
Navigation: 		 bookmark
Intended interaction:	 submission of sensitive information
Actual interaction:	 submission of sensitive information

11. [Current 6.4]

Betty tries to connect to a web site at <https://www.example.com/>.
Her user agent's SSL implementation detects that the domain name
specified in the certificate differs from www.example.com. What
should the user agent display?

Destination site:	 prior interaction
Navigation: 		 bookmark
Intended interaction:	 information retrieval
Actual interaction:	 information retrieval

Note: This is actually a variation over use case 1, with an error
condition in the SSL security mechanism.

12. [Current 6.5]

Betty is planning a trip to a foreign country. Searching the web,
she finds a widely recommended local travel agency. When she
connects to their web site, her user agent does not recognize the
certificate authority that issued the travel agency's SSL server
certificate. What should the user agent display?

Destination site:	  no prior interaction, known organization
Navigation: 		  following a link
Intended interaction:	  information retrieval or submission of
	 		  sensitive information
Actual interaction: 	  information retrieval or submission of
       			  sensitive information

Note: This is a variation over other use cases, with a specific
error condition.

13. [Current 6.6]

Betty occasionally visits the example.com web site. On each
connection, Betty's user agent receives an SSL server certificate
issued by the same certificate authority. On the current connection,
the received certificate was issued by a different certificate
authority. What should the user agent display? Can Example Inc.
affect this display through the content of the new certificate?

Destination site:	  prior interaction, known organization
Navigation: 		  bookmark
Intended interaction:	  any
Actual interaction:	  same

Note: This use case is a variation of use case 1, with a possible
error condition in the SSL security mechanism.

14. [Current 6.7, with slight edit]

Betty occasionally visits the example.com web site. On each
connection, Betty's user agent receives an SSL server certificate
with the same Organization name and address. On the current
connection, the received certificate specifies different attributes.

Destination site:   	  prior interaction, known organization
Navigation: 		  bookmark
Intended interaction:	  any
Actual interaction:	  same

Note: This use case is a variation of use case 1, and spells out a
possible error condition in the SSL security mechanism.
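Use cases 11 through 14 each describe a different thing a user agent can notice when it compares the certificate it just received against what it expected: a name mismatch, an unrecognized issuer, an issuer that differs from earlier visits, and organization attributes that differ from earlier visits. The following Python sketch is an added example, not code from the message or from any browser; it classifies a received certificate against a constructed history of earlier visits and a constructed trust list, and reports which of the four conditions apply. The certificate summary type, the history records and the trusted-CA set are all assumptions made for illustration, not a real X.509 parser or a real trust store.

```python
"""Classify a received server certificate against expectations, following
the error conditions spelled out in use cases 11-14.

Added example: the data structures here are constructed for illustration
and are not taken from any browser or from the original message.
"""
from dataclasses import dataclass


@dataclass
class CertSummary:
    """Minimal view of a server certificate (constructed; not real X.509)."""
    subject_cn: str
    san: tuple = ()          # subjectAltName DNS entries
    issuer: str = ""         # name of the issuing CA
    organization: str = ""   # the O= attribute
    address: str = ""        # locality/address attributes, flattened to one string


# Constructed history: what the user agent saw on earlier visits, keyed by host.
HISTORY = {
    "www.example.com": CertSummary(
        subject_cn="www.example.com",
        san=("www.example.com", "example.com"),
        issuer="Example Root CA",
        organization="Example Inc.",
        address="Boston, MA, US",
    ),
}

# Constructed set of certificate authorities the user agent recognizes.
TRUSTED_CAS = {"Example Root CA", "Other Trusted CA"}


def hostname_matches(cert, host):
    """Use case 11: does the certificate name the host we connected to?
    Accepts an exact match on the CN or any SAN, or a single-label wildcard."""
    names = set(cert.san) | {cert.subject_cn}
    if host in names:
        return True
    labels = host.split(".")
    if len(labels) > 1 and "*." + ".".join(labels[1:]) in names:
        return True
    return False


def classify(host, cert, history=HISTORY, trusted=TRUSTED_CAS):
    """Return (use_case_number, description) pairs for every condition that
    applies; an empty list means the certificate matches expectations."""
    findings = []
    if not hostname_matches(cert, host):
        findings.append((11, "certificate does not name %s" % host))
    if cert.issuer not in trusted:
        findings.append((12, "issuer %r is not a recognized CA" % cert.issuer))
    previous = history.get(host)
    if previous is not None:
        # Only a previously visited site can show a change from earlier visits.
        if previous.issuer != cert.issuer:
            findings.append((13, "issuer changed from %r to %r"
                             % (previous.issuer, cert.issuer)))
        if (previous.organization, previous.address) != (cert.organization, cert.address):
            findings.append((14, "organization name or address changed"))
    return findings


if __name__ == "__main__":
    changed_ca = CertSummary("www.example.com", issuer="Other Trusted CA",
                             organization="Example Inc.", address="Boston, MA, US")
    for number, text in classify("www.example.com", changed_ca):
        print("use case %d: %s" % (number, text))
```

Note that conditions 13 and 14 can only arise for a host in the history, which is the "prior interaction" column of the use cases; a first visit to an unknown site can only produce 11 or 12. Whether any of these findings should be surfaced, and how, is exactly the question the use cases leave open.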

15. [Current 6.8, with some edit]

Betty clicks on a hyperlink to the web page at
<https://www.example.com/>. The received HTML page includes content
received from <https://www.example.net/>. Betty's user agent is
unaware of any relationship between the www.example.com and
www.example.net web sites.

Note: This use case spells out a complication in the use of the SSL
security mechanism.  It is orthogonal to our overall classification
of basic interactions.

16. [Current 6.9]

Betty visits the web page at <https://www.example.com/>. The
received HTML page includes content received from
<http://www.example.com/>, i.e., content received using a different
security context.

Note: This use case spells out a complication in the use of the SSL
security mechanism.  It is orthogonal to our overall classification
of basic interactions.
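Use cases 15 and 16 both concern a page received over SSL whose subresources come from somewhere else: a different host the user agent knows nothing about (15), or plain http, i.e. a different security context (16). As an added example that is not part of the message or of any browser, the following Python sketch collects the subresource references from a constructed HTML page served from https://www.example.com/ and sorts each one into one of three categories. The sample page, the list of tags considered and the category names are assumptions made for illustration.

```python
"""Classify the subresources of an HTML page received over https, after the
complications described in use cases 15 and 16.

Added example: the sample page and the category names are constructed for
illustration, not taken from a real site or from the original message.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, as if received from https://www.example.com/
SAMPLE_PAGE = """
<html><body>
<img src="/images/logo.png">
<script src="https://www.example.net/widget.js"></script>
<img src="http://www.example.com/banner.gif">
<iframe src="//www.example.net/frame.html"></iframe>
<link rel="stylesheet" href="style.css">
</body></html>
"""

# Tag -> attribute pairs that cause a subresource fetch (a subset, for illustration).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


class SubresourceCollector(HTMLParser):
    """Gather absolute URLs of everything the page would fetch."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                # Resolve relative and scheme-relative references against the page URL.
                self.urls.append(urljoin(self.base_url, value))


def classify_subresources(page_url, html):
    """Return (url, category) pairs, in document order. Categories:
    'same-origin'  : same scheme and host as the page itself
    'cross-origin' : https, but a host whose relationship to the page is unknown (use case 15)
    'insecure'     : fetched over http into an https page (use case 16)"""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    page = urlsplit(page_url)
    result = []
    for url in collector.urls:
        parts = urlsplit(url)
        if page.scheme == "https" and parts.scheme == "http":
            category = "insecure"
        elif (parts.scheme, parts.netloc) == (page.scheme, page.netloc):
            category = "same-origin"
        else:
            category = "cross-origin"
        result.append((url, category))
    return result


if __name__ == "__main__":
    for url, category in classify_subresources("https://www.example.com/", SAMPLE_PAGE):
        print("%-12s %s" % (category, url))
```

The scheme-relative reference (`//www.example.net/frame.html`) resolves to https because the page is https, so it lands in the use case 15 bucket rather than the use case 16 one; the absolute http image is the only "insecure" entry. A user agent that knew of a relationship between www.example.com and www.example.net could fold the cross-origin entries back into same-origin, which is the information use case 15 says the agent does not have.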

17. [Current 6.10]

Like many users, Betty has grown accustomed to quickly clicking
through any warning dialogs presented by her user agent. Out of
habit, Betty dismisses another one, then quickly becomes suspicious
about some of the web page's content.

This use case is orthogonal to the generalizations that
were discussed earlier in this section.  It suggests practices
around the recording and reversibility of past security decisions.
[Relevant to ACTION-91]

18. [Current 6.11; reworked to be more clearly in scope]

Vicki is interested in finding out more about art auctions in the
greater Boston area.  She engages a search engine and tries to
follow a link there.  Her web browser consults a reputation service
which has recorded that the link target will attempt to subvert the
browser and install malicious software.

This use case is orthogonal to the generalizations that were
discussed earlier in this section.  It serves to suggest practices
around the display of results obtained from reputation services.

[Why is Vicki interested in that information?  What does she say
when asked whether she plays chess? And what has all this to do with
polo and windmills?]

19. [Merger of 6.13, 6.14.] Betty has travelled to a foreign
country.  In a coffee shop, she is reading a political web site from
her home country.  She wonders whether the information that is
displayed to her is authentic, and whether others nearby will be
able to eavesdrop on her interactions.

This use case is orthogonal to the generalizations that were
discussed earlier in this section.  It serves to suggest practices
around the protection against eavesdropping and alteration that
deployed security technologies provide.

20. Steve runs a suite of security software on his machine that
regularly upgrades certain components.  The typical workflow is that
a specific browser window is opened automatically.  Steve will then
control the selection of software upgrades, will download them from
the web, and they will then be installed.

Destination site:	Known, prior visit
Navigation: 		no user interaction
Intended interaction:	none
Actual interaction:	software installation

Variation: A pop-up window opens with a web site that visually
imitates the legitimate software upgrade behavior, but is intended to
install malicious software.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Based on the discussion in [1], I have also omitted the
widget-related use case.  I'm at this point satisfied that widgets
are covered between the software installation related use cases, and
the launching of a browser as an application.  (ACTION-37)

1. http://lists.w3.org/Archives/Member/member-wsc-wg/2007Jan/0020.html

That's it for tonight.  May the discussions begin.
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Wednesday, 7 February 2007 00:45:08 UTC