Papers:Sending the Right Signals: Difference between revisions

v1.0 FINAL
(v1.0 FINAL)
Line 25: Line 25:
The physical world is obviously different from the online world. What is less obvious is that we all carry a set of expectations and experiences -- a "default philosophy" -- based on our real world experiences, and we interpret everything through this philosophy, including our "virtual world" experiences online (for more on this idea, see ''[http://www.smallpieces.com/ Small Pieces, Loosely Joined]'' by David Weinberger). There are some fundamental differences between signals available to an individual in the physical and online worlds, however, and these differences are what make internet users so vulnerable to attack.
The physical world is obviously different from the online world. What is less obvious is that we all carry a set of expectations and experiences -- a "default philosophy" -- based on our real world experiences, and we interpret everything through this philosophy, including our "virtual world" experiences online (for more on this idea, see ''[http://www.smallpieces.com/ Small Pieces, Loosely Joined]'' by David Weinberger). There are some fundamental differences between signals available to an individual in the physical and online worlds, however, and these differences are what make internet users so vulnerable to attack.


* '''Tangibility:''' Perhaps the most obvious difference is that the physical world is tangible whereas the virtual world is not. When an individual visits a location in the physical world, they can examine it directly and in many dimensions. In the virtual world we are limited to the dimensions presented to us by the software used to view the virtual objects. As a result, we experience objects in the physical world in many more dimensions than those of the virtual. The additional dimensions (such as weight, smell, depth, tactile sensation) all provide contextual signals which are absent from objects in the virtual world, and which can contribute to one's evaluation of trust.
* '''Tangibility:''' Perhaps the most obvious difference is that the physical world is tangible whereas the virtual world is not. When an individual visits a location in the physical world, they can examine it directly and in many dimensions. In the virtual world we are limited to the dimensions presented to us by the software used to view the virtual locations. As a result, we experience locations in the physical world in many more dimensions than those of the virtual. The additional dimensions (such as weight, smell, depth, tactile sensation) all provide contextual signals which are absent from locations in the virtual world, and which can contribute to one's evaluation of trust.


* '''Cost of Impersonation:''' Closely related to tangibility is the cost of impersonation. Impersonating physical world objects is both complex and costly because they must be convincing in so many dimensions and because the human brain is so adept at recognizing patterns and exceptions to patterns. Impersonating virtual world objects, however, is relatively easy as they exist in far fewer dimensions, and thus can be duplicated much more cheaply and easily.
* '''Cost of Impersonation:''' Closely related to tangibility is the cost of impersonation. Impersonating physical world locations is both complex and costly because they must be convincing in so many dimensions and because the human brain is so adept at recognizing patterns and exceptions to patterns. Impersonating virtual world locations, however, is relatively easy as they exist in far fewer dimensions, and thus can be duplicated much more cheaply and easily.


* '''Familiarity:''' As individuals, we have existed in the physical world for our entire lives. As a civilization, we have existed in the physical world for hundreds of years. This familiarity yields expectations of how objects in the physical world will look, feel and behave. The virtual world, on the other hand, is new and unfamiliar to many of its users. As a result, there is less of an expectation of how an entity should appear in the virtual world. While it is true that many virtual entities such as banks have patterned themselves after one another (i.e.: similar features, navigation structure and use of a prominent client login area) these patterns are young and malleable. The physical world, on the other hand, has well established patterns that result in a expectation of what an entity such as a bank would look like (ie: tellers, thick doors, slips of paper, a security guard).
* '''Familiarity:''' As individuals, we have existed in the physical world for our entire lives. As a civilization, we have existed in the physical world for hundreds of years. This familiarity yields expectations of how locations in the physical world will look, how objects will feel and behave. The virtual world, on the other hand, is new and unfamiliar to many of its users. As a result, there is less of an expectation of how a location should appear in the virtual world. While it is true that many virtual locations such as online banks have patterned themselves after one another (i.e.: similar features, navigation structure and use of a prominent client login area) these patterns are young and malleable. The physical world, on the other hand, has well established patterns that result in a expectation of what a location such as a bank would look like (ie: tellers, thick doors, slips of paper, a security guard).


* '''Consistency:''' Signals from the physical world are consistently presented to us through our own senses. We cannot modify our senses, merely interpret the signals that we receive through them. In the virtual world, however, there is an intermediary between the object and our senses. The software used to present a virtual object presents signals about that object in an arbitrary fashion. As a result, signals from the virtual world are not necessarily consistently presented, but are instead dependent on the tool with which we are viewing the virtual object.
* '''Consistency:''' Signals from the physical world are consistently presented to us through our own senses. We cannot modify our senses, merely interpret the signals that we receive through them. In the virtual world, however, there is an intermediary between the location and our senses. The software used to present a virtual location presents signals about that location in an arbitrary fashion. As a result, signals from the virtual world are not necessarily consistently presented, but are instead dependent on the tool with which we are viewing the virtual location.


Evaluations of trust in the physical world are assisted by the fact that entities are tangible, costly to impersonate, familiar and consistently interpreted by our own senses. In the virtual world, however, we are hindered by the fact that entities are intangible, easily impersonated, unfamiliar and interpreted by clients that are not necessarily consistent.
Evaluations of trust in the physical world are assisted by the fact that locations are tangible, costly to impersonate, familiar and consistently interpreted by our own senses. In the virtual world, however, we are hindered by the fact that locations are intangible, easily impersonated, unfamiliar and interpreted by clients that are not necessarily consistent.


Any solution that aims to simplify the task of evaluating trustworthiness in the virtual world needs to address these limitations on our abilities. The virtual world, however, is filled with objects that are by definition intangible, by design easily impersonated, and by immaturity unfamiliar. The only factor within our control is the consistency of how signals are presented to the user.
Any solution that aims to simplify the task of evaluating trustworthiness in the virtual world needs to address these limitations on our abilities. The virtual world, however, is filled with locations that are by definition intangible, by design easily impersonated, and by immaturity unfamiliar. The only factor within our control is the consistency of how signals are presented to the user.


= Available Online Signals for Trust =
= Available Online Signals for Trust =
As established above, in the online world an individual must make a judgement of trustworthiness based on the signals available about a virtual object. In addition to signals such as name recognition or look and feel, the online world currently provides three additional signals that we can use to assist users in evaluating trustworthiness:
As established above, in the online world an individual must make a judgement of trustworthiness based on the signals available about a virtual location. In addition to signals such as name recognition or look and feel, the online world currently provides three additional signals that we can use to assist users in evaluating trustworthiness:


* '''Encryption''' lets us comment on the likelihood that the information has been intercepted.
* '''Encryption''' lets us comment on the likelihood that the information has been intercepted.


* '''Certificates''' allow us to comment on the authenticity of an entity's claim to its identity as asserted by a certificate authority (CA).
* '''Certificates''' allow us to comment on the authenticity of an location's claim to its identity as asserted by a certificate authority (CA).


* '''Recommendations''' about the trustworthiness of an entity can be made by an organization or network.
* '''Recommendations''' about the trustworthiness of an location can be made by an organization or network.


Most web browsers available to users today provide some mechanism to indicate these signals to users. Unfortunately, each browser interprets and represents the signals slightly differently:
Most web browsers available to users today provide some mechanism to indicate these signals to users. Unfortunately, each browser interprets and represents the signals slightly differently:


* '''Inconsistent icons:''' Internet Explorer 7, Mozilla, Safari and Opera all use a lock icon to indicate when security signals are present, but Internet Explorer 7 also uses red and yellow shields to indicate when an entity is thought to be suspicious or malicious.
* '''Inconsistent icons:''' Internet Explorer 7, Mozilla, Safari and Opera all use a lock icon to indicate when security signals are present, but Internet Explorer 7 also uses red and yellow shields to indicate when an location is thought to be suspicious or malicious.


* '''Inconsistent colors:''' Mozilla and Opera use a yellow background to indicate when encryption and certificate signals are present. Internet Explorer 7 uses green to indicate a positive interpretation of trust, yellow to indicate suspicion and red to indicate a negative interpretation of trust. Safari doesn't use color to communicate either of these signals.
* '''Inconsistent colors:''' Mozilla and Opera use a yellow background to indicate when encryption and certificate signals are present. Internet Explorer 7 uses green to indicate a positive interpretation of trust, yellow to indicate suspicion and red to indicate a negative interpretation of trust. Safari doesn't use color to communicate either of these signals.


* '''Inconsistent location:''' Internet Explorer 7 and Opera display the entity's claimed identity in the URL bar, and allow an individual to investigate the name of the CA by clicking on this information. Mozilla displays the entity's claimed identity in the bottom right corner of the browser, and the name of the CA is shown when the user hovers over the lock icon in the URL bar. Safari displays both the entity's claimed identity and the name of the CA in dialog presented when the user clicks on the lock icon in the upper right corner of the screen.
* '''Inconsistent location:''' Internet Explorer 7 and Opera display the location's claimed identity in the URL bar, and allow an individual to investigate the name of the CA by clicking on this information. Mozilla displays the location's claimed identity in the bottom right corner of the browser, and the name of the CA is shown when the user hovers over the lock icon in the URL bar. Safari displays both the location's claimed identity and the name of the CA in dialog presented when the user clicks on the lock icon in the upper right corner of the screen.


* '''Inconsistent terminology:''' Internet Explorer 7 says that an entity is "identified by" a CA. Opera calls the CA the "Certificate issuer" and Mozilla says that an entity is "Signed by" a CA. Safari tells users that a given certificate has been "issued by" a CA. All browsers refer to "encryption", but present the encryption standards differently.
* '''Inconsistent terminology:''' Internet Explorer 7 says that an location is "identified by" a CA. Opera calls the CA the "Certificate issuer" and Mozilla says that an location is "Signed by" a CA. Safari tells users that a given certificate has been "issued by" a CA. All browsers refer to "encryption", but present the encryption standards differently.


* '''Inconsistent signals:''' Some add-on tools for popular browsers create a network of trust that results in a recommendation signal being presented to a user. These signals are not always present, and not available in all web browsers.
* '''Inconsistent signals:''' Some add-on tools for popular browsers create a network of trust that results in a recommendation signal being presented to a user. These signals are not always present, and not available in all web browsers.
Line 61: Line 61:
The technologies and frameworks that exist in the virtual world for providing signals about website authentication are currently in flux. The next generation of web browsers will leverage whichever of these signals are workable at the time of their release. Perhaps that will be SSL/PKI, or SSL/PKI with multi-tiered certificates, or perhaps it will be a network of trust or some other heuristic measure based on meta-browsing habits. These technologies should continue to be allowed to grow in ways that address the hard questions of implementing security infrastructures.
The technologies and frameworks that exist in the virtual world for providing signals about website authentication are currently in flux. The next generation of web browsers will leverage whichever of these signals are workable at the time of their release. Perhaps that will be SSL/PKI, or SSL/PKI with multi-tiered certificates, or perhaps it will be a network of trust or some other heuristic measure based on meta-browsing habits. These technologies should continue to be allowed to grow in ways that address the hard questions of implementing security infrastructures.


It is our position, however, that tools which are used to connect individuals to entities in the virtual world should be consistent in the way they present the available signals to users. This consistency will allow a user to move from browser to browser without having to re-learn how to interpret signals from the browser on the trustworthiness of an entity. Consistency also shapes user expectations, and helps breed familiarity.
It is our position, however, that tools which are used to connect individuals to locations in the virtual world should be consistent in the way they present the available signals to users. This consistency will help users develop an understanding of how to interpret signals when visiting an online location, which will in turn ease the task of making a judgement about the trustworthiness of that location.


Consistency also promotes clarity, since users can focus on understanding a single concept instead of having to interpret multiple expressions of a single concept. Clarity is also enhanced by avoiding technology-centric terms, and by focusing on assisting the user with the single task of making a judgement regarding the trustworthiness of a virtual entity.
Consistency both shapes user expectations, and allows users to transfer their skills between tools used to visit locations in the virtual world. By providing a single, clear set of signals, users will be able to focus on interpreting the trustworthiness of a site instead of having to focus on first interpreting the signals themselves.  


= Example using Existing SSL/PKI Signals=
Organizations like the W3C often focus on ensuring that vendors consistently observe a technology standard. The resources and processes of these organizations should also be used to promote standards of expressing these signals to users. An example expression of our current technologies might be:
Organizations like the W3C often focus on ensuring that vendors consistently observe a technology standard. The resources and processes of these organizations should also be used to promote standards of expressing these signals to users. An example expression of our current technologies might be:


* A connection to an entity should be said to be '''secure''' when the connection is encrypted and it can be reasonably assured that communication is restricted to the user and the entity.
* A connection to a location should be said to be '''secure''' when the connection is encrypted and it can be reasonably assured that communication is restricted to the user and that location.


* If a connection is signed, then the entity should be said to be '''identified''' with some name, by some CA.
* If a connection is signed, then the location should be said to be '''identified''' with some name, by some CA.


* If a signal exists (through FoaF networks, whitelists, preferred CA signatories, etc) that asserts a site to be trustworthy or untrustworthy, then the entity should be said to be '''recommended''' or '''suspected''' by some organization.
* If a signal exists (through FoaF networks, whitelists, preferred CA signatories, etc) that asserts a site to be trustworthy or untrustworthy, then the location should be said to be '''recommended''' or '''suspected''' by some organization.


Even the above example, however, limits us to expressions based on our current technology. Ideally the standards for the expression of security signals would be general in nature, allowing for the user to be insulated from the requirement to understand the underlying technology used to generate those signals.
This example is limited, however, to expressions based on our current technology. Ideally the standards for the expression of security signals would be general in nature, allowing for the user to be insulated from the requirement to understand the underlying technology used to generate those signals.
Confirmed users, Bureaucrats and Sysops emeriti
3,599

edits