Beyond The Padlock: New Ideas in Browser Security UI


Originally authored and presented by Johnathan Nightingale.


Beyond the Padlock

New Ideas in Browser Security UI

Johnathan Nightingale, Human Shield

Mozilla Corporation, johnath@mozilla.com

why are you here?

maybe you’re a security geek

or a visual designer

maybe you just like Firefoxes (who doesn’t?)

you’re someone who cares about security UI and how we can make it better

why am I here?

who am i? (human shield)

usability, security, coding

why do we care?

because the internet is not a safe place


because the threats are changing

“Technology such as cloned part-robot humans used by organised crime gangs pose the greatest future challenge to police, along with online scamming.”

Australian Federal Police (AFP) Commissioner Mick Keelty

because most existing UI is sparse...

(A padlock. We’ll come back to this.)

...incomprehensible...

...and maybe not too carefully designed.

“Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard,” he laughs.

John Shepherd-Barron, inventor of the ATM, on PIN length

because we can do better

the plan

• Security UI in 5 Easy Steps

• The Padlock: A Cautionary Tale

• Larry: More better?

• Thinking About the Future

• Your turn

five rules for security UI

Be Meaningful - Use clear language and concepts. Avoid ambiguity.

Be Relevant - Focus on what matters to your users, not your compiler.

Be Robust - Don’t build user trust around indicators that can be easily subverted.

Be Available - Don’t disappear when your users need you most.

Be Brave - Sometimes you have to make the call on your users’ behalf.

Meaningful

Relevant

Robust

Available

Brave

Handy Mnemonic... MRRAB?

applying the rules

the padlock

it’s ubiquitous: we’ve got one

so does microsoft

opera has 3 kinds

safari too


it’s really ubiquitous


but is it good UI?


Remember MRRAB

Meaningful - Not really.

Relevant - Fairly.

Robust - Barely.

Available - Only when you don’t need it.

Brave - Sure.

C-

doing better: an identity indicator in primary chrome

identity

Let’s stop talking about safety, since we were never any good at that anyhow. Let’s talk about what we can know.

It’s valuable, in and of itself, to know who you’re dealing with online.

EV

There is a new breed of SSL Certificate now called “Extended Validation.” The identity information in these certificates is vetted in a standardized, robust way.

Hooray.

http://www.cabforum.org/

meet larry

in Firefox 3, Larry will indicate identity

(* Mockups change. Don’t over-report.)

even on non-EV sites, Larry will be around


MRRAB?

Meaningful - Identity, period.

Relevant - Knowing identity matters.

Robust - EV Certificates are hard to fake.

Available - Larry is always around.

Brave - Killing the padlock is scary stuff.


A+++!


B?

more to think about: Larry vs. padlock is hardly the only security UI that matters

malware protection

secondary information

security warnings

private browsing

password manager

W3C WSC

Web Security Context Working Group
http://www.w3.org/2006/WSC/

Software Companies

Standards Bodies

Professional Organizations

Certificate Authorities

Academics

recommendations being considered

Safe Browsing Whitelist

Browser Lock Down

Personally Identifiable Information Bar

Page Security Scoring

Identity Indicator in Primary Chrome ☺

we also throw some crazier ideas around

can we make better use of past actions?

“You’ve been to this site before”

“Nothing’s changed since the last time you were here”

“You’re sending a password to a site you’ve never visited”
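Remembering past actions, in code, is a per-site trust store: the browser keeps what it saw last time (host, certificate) and compares. The block below is an added example for this slide, not code from the presentation or from Firefox; the hint strings, the `SiteHistory` class and the stand-in certificate bytes are all assumptions made for the illustration. Fingerprinting the whole certificate means legitimate renewals also trip the "changed" hint, which is why that hint is worded as a change, not an attack.

```python
"""A per-site memory that turns "what happened last time" into a hint.
Added example for the "can we make better use of past actions?" slide;
not code from the presentation or from Firefox.  The hint texts, the
class and the certificate bytes are assumptions made for the example."""
import hashlib

FIRST_VISIT = "You've never been to this site before"
UNCHANGED = "You've been to this site before; nothing's changed since then"
CERT_CHANGED = "This site's certificate is different from the one you saw last time"
PASSWORD_TO_NEW_SITE = "You're sending a password to a site you've never visited"


def cert_fingerprint(cert_der):
    """SHA-256 over the DER certificate, the value a cert viewer shows.
    Renewals change it too, so a mismatch means 'look', not 'attack'."""
    return hashlib.sha256(cert_der).hexdigest()


def normalize_host(hostname):
    # case-fold and drop a trailing dot so "Bank.example." and "bank.example" match
    return hostname.strip().lower().rstrip(".")


class SiteHistory:
    """hostname -> {"fingerprint": str, "visits": int}"""

    def __init__(self):
        self._sites = {}

    def record_visit(self, hostname, cert_der):
        """Record the visit and return the hint to show in primary chrome."""
        host = normalize_host(hostname)
        fp = cert_fingerprint(cert_der)
        rec = self._sites.get(host)
        if rec is None:
            self._sites[host] = {"fingerprint": fp, "visits": 1}
            return FIRST_VISIT
        rec["visits"] += 1
        if rec["fingerprint"] != fp:
            rec["fingerprint"] = fp  # remember the new one; a further flip warns again
            return CERT_CHANGED
        return UNCHANGED

    def visits(self, hostname):
        rec = self._sites.get(normalize_host(hostname))
        return rec["visits"] if rec else 0

    def check_password_submission(self, hostname):
        """Called with the host a password form posts to.  Returns a warning,
        or None when the user has been there before.  A lookalike host
        (bank-example.login.example instead of bank.example) is, by
        construction, a host the user has never visited."""
        if self.visits(hostname) == 0:
            return PASSWORD_TO_NEW_SITE
        return None


if __name__ == "__main__":
    # constructed stand-ins for DER certificates, not real certificates
    cert_a, cert_b = b"constructed DER for cert A", b"constructed DER for cert B"
    h = SiteHistory()
    print(h.record_visit("Bank.example.", cert_a))
    print(h.record_visit("bank.example", cert_a))
    print(h.record_visit("bank.example", cert_b))
    print(h.check_password_submission("bank-example.login.example"))
```

The password check keys on the host the form actually posts to, not the page the user is looking at, since that is the thing a phishing page lies about.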

how about social networks?

“7 of your Facebook friends have purchased things from this site”

“Your grandchild who knows computers says this site is fine.”

“This site has 25 unresolved complaints according to BBB, and a reseller rating of 6.2”

can we stop phishing with tech smarts?

Secure Remote Password Protocol

Let the browser handle password generation

Watch for credit card numbers going out on the wire
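Secure Remote Password is on that list because it lets the browser prove the user knows a password without ever transmitting it, so a phishing site that runs the exchange learns nothing it can use for an offline guessing attack and gets at most one guess per interaction. The following is an added example, not code from the presentation or from Firefox: a complete SRP-6a exchange with both sides in one file. It uses SHA-256 throughout (RFC 5054 specifies SHA-1 for the multiplier k), a simplified proof M1 = H(A | B | K) rather than the RFC 2945 expression, and group parameters intended to be the 1024-bit group from RFC 5054 Appendix A, which you should verify against the RFC before reusing.

```python
"""SRP-6a, both sides in one file: a client proves it knows a password
without sending it, and a server that does not hold the right verifier
cannot complete the exchange.  Added example for the "Secure Remote
Password Protocol" slide; not code from the presentation or from Firefox."""
import hashlib
import hmac
import secrets

# Group parameters intended to be the 1024-bit group from RFC 5054 Appendix A
# (g = 2).  Check them against the RFC before reusing them anywhere real.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8  # group elements are padded to this many bytes


def pad(n):
    return n.to_bytes(NLEN, "big")


def H(*parts):
    """SHA-256 over the concatenated parts, as an integer (RFC 5054 uses SHA-1)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier, fixed by the group


def private_key(salt, identity, password):
    """x = H(s | H(I ':' P)).  The only place the password is touched, client side."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def register(identity, password):
    """Enrolment (client side): the server stores (salt, verifier), never P or x."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(salt, identity, password), N)


def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)  # client sends I and A


def server_challenge(v):
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N  # server replies with s and B


def client_finish(identity, password, salt, a, A, B):
    """Client derives the session key and its proof M1; rejects a degenerate B."""
    if B % N == 0:
        raise ValueError("server sent B = 0 mod N")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u = 0, abort")
    x = private_key(salt, identity, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(pad(S)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K).digest()  # simplified proof
    return M1, K


def server_verify(v, b, A, B, M1):
    """Server checks M1 against its own derivation; returns (M2, K) or None."""
    if A % N == 0:
        return None  # degenerate A, refuse
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    K = hashlib.sha256(pad(S)).digest()
    expected = hashlib.sha256(pad(A) + pad(B) + K).digest()
    if not hmac.compare_digest(expected, M1):
        return None
    return hashlib.sha256(pad(A) + M1 + K).digest(), K


def run_exchange(identity, password, salt, v):
    """Full exchange.  True only if both proofs check and both sides hold the
    same key; the password itself never crosses the wire."""
    a, A = client_start()
    b, B = server_challenge(v)
    M1, K_client = client_finish(identity, password, salt, a, A, B)
    reply = server_verify(v, b, A, B, M1)
    if reply is None:
        return False
    M2, K_server = reply
    client_expects = hashlib.sha256(pad(A) + M1 + K_client).digest()
    return hmac.compare_digest(client_expects, M2) and K_client == K_server


if __name__ == "__main__":
    salt, v = register("alice", "correct horse battery staple")
    print("genuine server:", run_exchange("alice", "correct horse battery staple", salt, v))
    _, phisher_v = register("alice", "a guess")  # a site that never saw the password
    print("phishing server:", run_exchange("alice", "correct horse battery staple", salt, phisher_v))
```

Both sides compute the same S because B - k*g^x is g^b, so the client's (g^b)^(a+ux) equals the server's (A*v^u)^b; a server holding any other verifier lands on a different key and its proof fails.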

and don’t forget...

It has to work for internationalization.

It has to work for accessibility.

It has to work for mobile.

bedtime reading

Peter Gutmann, Phishing Tips and Techniques
http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf

Rachna Dhamija, Why Phishing Works
http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf

W3C WSC’s Shared Bookmarks
http://www.w3.org/2006/WSC/wiki/SharedBookmarks

your turn

credits

• Security Geek - http://flickr.com/photos/oblivion/351874401/
• Mountain Lion - http://flickr.com/photos/ekai/457004988/
• Red Panda - http://flickr.com/photos/takenzen/184693555
• Phishing/Malware stats - http://apwg.com/reports/apwg_report_may_2007.pdf
• Robot Clones Quote - http://www.theage.com.au/news/national/top-cop-predicts-robot-crimewave/2007/07/06/1183351416078.html
• Robot - http://www.sxc.hu/photo/502945
• Shepherd-Barron on ATM Pins - http://news.bbc.co.uk/2/hi/business/6230194.stm
• Traffic Tree - http://flickr.com/photos/oobrien/7597395/
• Freddy the Fox - http://flickr.com/photos/roblee/207435086/
• Squity the Goose - http://flickr.com/photos/59547396@N00/63778062
• No Road Markings - http://flickr.com/photos/lwr/498246175/
• Brave Kitten - http://flickr.com/photos/malingering/69853302/
• Passport Agent (Larry) - http://www.aiga.org/content.cfm/symbol-signs
• Footprints - http://www.sxc.hu/photo/573584
• Paper Men - http://www.sxc.hu/photo/431214
• No Fishing - http://www.sxc.hu/photo/791573
• Cell Phone - http://www.sxc.hu/photo/175602
• Microphone - http://www.sxc.hu/photo/793650
