Evaluations of trust in the physical world are assisted by the fact that entities are tangible, costly to impersonate, familiar and consistently interpreted by our own senses. In the virtual world, however, we are hindered by the fact that entities are intangible, easily impersonated, unfamiliar and interpreted by clients that are not necessarily consistent.

Any solution that aims to simplify the task of evaluating trustworthiness in the virtual world therefore needs to address these limitations on our abilities. The virtual world is, however, by definition intangible and, by virtue of its youth, unfamiliar. This proposal therefore focuses on improving the consistency with which signals are presented to users, as well as on mechanisms for increasing the costs related to impersonation.
= Signals Presented by Web Browsers =

Existing technologies for security on the web provide us with two signals that we can use to assist users in evaluating trustworthiness:

* '''Encryption''' lets us comment on the likelihood that the information has been intercepted.
* '''Certificate signing''' allows us to comment on the authenticity of an entity's claim to its identity, as asserted by a certificate authority (CA).

The three major web browsers available to users today (Internet Explorer, Mozilla, and Opera) all provide some mechanism to indicate these two signals to users. Each browser interprets and represents the signals slightly differently.

Internet Explorer 7 also uses a third technology, a "Phishing Filter", to provide a signal that comments on the likelihood that an entity is malicious in nature.

== Internet Explorer 7 ==

Members of the team developing the soon-to-be-released Internet Explorer 7 have published their plans to [http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx use colour, iconography and text] to represent when an entity is thought to be either secure or insecure.

(screenshots)

All the indicators are presented in the URL bar widget. Colour and icons will be used to indicate a recommendation of action, and text will inform the user of the entity's claimed identity and the name of the CA that vouches for that identity. The solution indicates both positive and negative assertions of trust.
== Mozilla ==

The Mozilla and Firefox web browsers use a combination of colour, iconography and text to signal when an entity is thought to be secure.

(screenshots)

In the URL bar widget, colour and an icon are used to indicate the presence of the signals. In the status bar area, an icon and text are used to indicate the entity's claimed identity. The name of the CA that vouches for that identity is available on a mouse hover in the URL bar or through the "Page Info" display.

== Opera 8 ==

Opera uses a combination of colour, iconography and text to signal when an entity is thought to be secure.

(screenshots)

In the URL bar widget, colour and an icon are used to indicate the presence of security signals. Text is used in the URL bar to indicate the entity's claimed identity, and clicking on that text reveals further information about the CA that vouches for that identity.
= Terminology, Icons, and Locations Used =

While all three browsers are currently similar in their presentation of security signals, they are inconsistent:

* '''Icons:''' IE7, Mozilla and Opera all use a "lock" icon to indicate when security signals are present, but IE7 alone uses red and yellow "shields" to indicate when an entity is thought to be suspicious or malicious.
* '''Colours:''' Mozilla and Opera use a yellow background to indicate when security signals are present. IE7 uses green to indicate a positive interpretation of trust, yellow to indicate suspicion and red to indicate a negative interpretation of trust.
* '''Location:''' IE7 and Opera display the entity's claimed identity in the URL bar, and allow an individual to investigate the name of the vouching authority through a UI gesture. Mozilla displays the entity's claimed identity in the status bar and the CA through a UI gesture in the URL bar.
* '''Terminology:''' IE7 uses "identified by" to indicate who the CA is. Opera calls the CA the "Certificate issuer" and Mozilla says that an entity is "Signed by" a CA. All browsers refer to "encryption", but present the encryption standards differently.
= Proposals for Consistency and Clarity =

It is Mozilla's position that any security solution requires consistency and clarity for users. Consistency allows a user to move from browser to browser without having to re-learn how to interpret signals from the browser on the trustworthiness of an entity. Consistency also shapes user expectations, and helps breed familiarity.

Consistency also promotes clarity, since users can focus on understanding a single concept (i.e. encrypting, signing) instead of multiple expressions of a single concept (i.e. encrypting, locking, signing, identifying).

Clarity is also accomplished by avoiding technology-centric terms, and by reducing the requirement for a user to think deeply on issues of trustworthiness.

It is our position that all browsers should consistently present the following signals to users:

* A connection to an entity should be said to be '''secure''' when the connection is encrypted and it can be reasonably assured that communication is restricted to the user and the entity.
* If a connection is signed, then the entity should be said to be '''identified''' with some name, by some CA.
* If a signal exists (through FoaF networks, whitelists, preferred CA signatories, etc.) that asserts a site to be trustworthy or untrustworthy, then the entity should be said to be '''recommended''' or '''suspected''' by some organization that accepts responsibility for that judgement.
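The following is an added illustration, not part of the proposal above, of how a client could derive the three proposed signals from the data a TLS connection actually yields. It assumes the certificate dict shape returned by Python's ssl.SSLSocket.getpeercert() and the (name, protocol, bits) tuple from SSLSocket.cipher(); the certificate values and the reputation source are constructed. It also takes the position that "reasonably assured that communication is restricted to the user and the entity" requires a verified identity, so an encrypted but unauthenticated connection is not labelled secure.

```python
# Constructed sample in the shape of ssl.SSLSocket.getpeercert() for a verified peer.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

def _rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of the nested RDN tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def _cert_matches(cert, hostname):
    """The claimed identity only holds if the requested host is named in the
    certificate's DNS SANs (falling back to the CN for old certificates)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        sans = [_rdn_value(cert.get("subject", ()), "commonName")]
    return hostname in sans

def connection_signals(hostname, cipher, cert, chain_verified, reputation=None):
    """Map a connection to the vocabulary proposed above: secure / identified /
    recommended / suspected.  cipher is None for plain HTTP; chain_verified is
    True only if the client validated the chain against its trust store;
    reputation is an optional (verdict, organisation) pair from an external source."""
    encrypted = cipher is not None and cipher[2] > 0
    identified = encrypted and chain_verified and _cert_matches(cert, hostname)
    signals = {
        # Encryption alone is not "secure": without a verified identity the other
        # end of the encrypted channel could be an impersonator.
        "secure": encrypted and identified,
        "identified": None,
        "recommended": None,
        "suspected": None,
    }
    if identified:
        signals["identified"] = {
            "name": _rdn_value(cert["subject"], "organizationName") or hostname,
            "ca": _rdn_value(cert["issuer"], "organizationName"),
        }
    if reputation is not None:
        verdict, org = reputation
        if verdict in ("recommended", "suspected"):
            signals[verdict] = org
    return signals
```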