<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content=
"HTML Tidy for Mac OS X (vers 31 October 2006 - Apple Inc. build 13), see www.w3.org" />
<meta http-equiv="Content-Type" content=
"text/html; charset=utf-8" />
<title>Web Security Experience, Indicators and Trust: Scope and
Use Cases</title>
<link rel="home" title="Top" href="#title" />
<link rel="chapter" title="Abstract" href="#abstract" />
<link rel="chapter" title="Status of this Document" href=
"#status" />
<link rel="contents" title="Table of Contents" href=
"#contents" />
<link rel="chapter" title="1 Overview" href="#Overview" />
<link rel="chapter" title="2 Goals" href="#goals" />
<link rel="section" title="2.1 Document the status quo" href=
"#status-quo" />
<link rel="section" title="2.2 Relevance of security information"
href="#relevance" />
<link rel="section" title=
"2.3 Consistent presentation of security information" href=
"#vocabulary" />
<link rel="section" title=
"2.4 User awareness of security information" href="#workflow" />
<link rel="section" title=
"2.5 Reliable presentation of security information" href=
"#trusted-path" />
<link rel="section" title=
"2.6 Reduce the number of scenarios in which users need to make trust decisions"
href="#trust-decision-management" />
<link rel="section" title=
"2.7 Authoring and deployment techniques" href="#deployment" />
<link rel="section" title="2.8 Best practices for other media"
href="#other-media" />
<link rel="chapter" title="3 Non-goals" href="#non-goals" />
<link rel="section" title=
"3.1 Presentation of all security information" href=
"#completeness" />
<link rel="section" title="3.2 Non-HTTP Web interactions" href=
"#nonhttp" />
<link rel="chapter" title="4 In scope" href="#in-scope" />
<link rel="section" title="4.1 Web interactions" href=
"#web-protocols" />
<link rel="section" title="4.2 User agents" href=
"#user-agents" />
<link rel="section" title="4.3 Entity identification" href=
"#identification" />
<link rel="section" title="4.4 Third-party recommendation" href=
"#recommendation" />
<link rel="section" title="4.5 Historical browsing information"
href="#browser-history" />
<link rel="chapter" title="5 Out of scope" href=
"#out-of-scope" />
<link rel="section" title="5.1 Protocols" href=
"#non-web-protocols" />
<link rel="section" title="5.2 non-Web interactions" href=
"#non-web-interactions" />
<link rel="section" title=
"5.3 Security context information for consumption by automated agents"
href="#automation" />
<link rel="section" title="5.4 New security information" href=
"#vaporware" />
<link rel="section" title="5.5 Content based detection" href=
"#filters" />
<link rel="section" title=
"5.6 Security information about the user's computer" href=
"#trusted-computing" />
<link rel="section" title="5.7 User agent exploits" href=
"#bugs" />
<link rel="section" title="5.8 User separation" href="#kiosk" />
<link rel="section" title="5.9 Content production exploits" href=
"#XSS" />
<link rel="section" title="5.10 Other security challenges" href=
"#out-of-scope-other" />
<link rel="chapter" title="6 Use cases" href="#use-cases" />
<link rel="section" title="6.1 User decisions" href=
"#decisions" />
<link rel="subsection" title=
"6.1.1 Providing sensitive information to a web site" href=
"#secret-sharing" />
<link rel="subsection" title=
"6.1.2 Believing information to come from a known author" href=
"#attribution" />
<link rel="subsection" title=
"6.1.3 Installing software downloaded from a web site" href=
"#authorization" />
<link rel="section" title="6.2 Navigation" href="#navigation" />
<link rel="subsection" title="6.2.1 Unidentified destination"
href="#unidentified-destination" />
<link rel="subsection" title="6.2.2 Unidentified source" href=
"#unidentified-source" />
<link rel="section" title="6.3 User agent type" href=
"#user-agent-type" />
<link rel="subsection" title="6.3.1 Desktop browser" href=
"#desktop-browser" />
<link rel="subsection" title="6.3.2 Smartphone" href=
"#smartphone" />
<link rel="section" title="6.4 Accessibility" href=
"#accessibility" />
<link rel="section" title="6.5 Scenarios" href="#scenarios" />
<link rel="bookmark" title="any-iip-1" href="#any-iip-1" />
<link rel="bookmark" title="any-iip-2" href="#any-iip-2" />
<link rel="bookmark" title="any-iup-1" href="#any-iup-1" />
<link rel="bookmark" title="any-uip-1" href="#any-uip-1" />
<link rel="bookmark" title="any-uip-2" href="#any-uip-2" />
<link rel="bookmark" title="smartphone-uip-1" href=
"#smartphone-uip-1" />
<link rel="bookmark" title="any-uup-1" href="#any-uup-1" />
<link rel="bookmark" title="any-iib-1" href="#any-iib-1" />
<link rel="bookmark" title="any-iib-2" href="#any-iib-2" />
<link rel="bookmark" title="any-iub-1" href="#any-iub-1" />
<link rel="bookmark" title="any-uub-1" href="#any-uub-1" />
<link rel="bookmark" title="any-uub-2" href="#any-uub-2" />
<link rel="bookmark" title="any-uub-3" href="#any-uub-3" />
<link rel="bookmark" title="any-uub-4" href="#any-uub-4" />
<link rel="bookmark" title="any-iii-1" href="#any-iii-1" />
<link rel="bookmark" title="any-iui-1" href="#any-iui-1" />
<link rel="bookmark" title="any-iui-2" href="#any-iui-2" />
<link rel="bookmark" title="any-uii-1" href="#any-uii-1" />
<link rel="bookmark" title="any-uii-2" href="#any-uii-2" />
<link rel="bookmark" title="any-uui-1" href="#any-uui-1" />
<link rel="bookmark" title="any-iio-1" href="#any-iio-1" />
<link rel="bookmark" title="any-uuo-1" href="#any-uuo-1" />
<link rel="section" title="6.6 Threats" href="#threats" />
<link rel="subsection" title="6.6.1 Subverted navigation" href=
"#subverted-navigation" />
<link rel="subsection" title="6.6.2 Web site impersonation" href=
"#impersonation" />
<link rel="chapter" title=
"7 Security information available to the user agent" href=
"#available" />
<link rel="section" title=
"7.1 Defined by web content specifications" href=
"#web-content-source" />
<link rel="bookmark" title="dynamic-content" href=
"#dynamic-content" />
<link rel="section" title=
"7.2 Defined by SSL related specifications" href="#SSL-source" />
<link rel="bookmark" title="SSL-certificate-chain" href=
"#SSL-certificate-chain" />
<link rel="section" title=
"7.3 Defined by HTTP related specifications" href=
"#HTTP-source" />
<link rel="bookmark" title="HTTP-redirect" href=
"#HTTP-redirect" />
<link rel="section" title=
"7.4 Defined by IP related specifications" href="#IP-source" />
<link rel="section" title=
"7.5 Defined by DNS related specifications" href="#DNS-source" />
<link rel="section" title="7.6 Defined by user agent" href=
"#UA-source" />
<link rel="bookmark" title="UA-CAs" href="#UA-CAs" />
<link rel="section" title=
"7.7 State that may be collected by a user agent" href=
"#collected-state-source" />
<link rel="bookmark" title="UA-done-rendering" href=
"#UA-done-rendering" />
<link rel="bookmark" title="HTTP-Referer" href="#HTTP-Referer" />
<link rel="bookmark" title="user-password" href=
"#user-password" />
<link rel="bookmark" title="user-input" href="#user-input" />
<link rel="bookmark" title="user-customization" href=
"#user-customization" />
<link rel="bookmark" title="user-understanding" href=
"#user-understanding" />
<link rel="section" title="7.8 Defined by a third-party" href=
"#third-party-source" />
<link rel="chapter" title="8 Merits of the status quo" href=
"#merits" />
<link rel="section" title=
"8.1 Widely deployed, strong cryptography" href=
"#strong-crypto" />
<link rel="section" title=
"8.2 Many deceptive imitation techniques prevented" href=
"#spoof-prevention" />
<link rel="section" title="8.3 Corrected implementation errors"
href="#fixed-bugs" />
<link rel="section" title="8.4 Password management" href=
"#password-manager" />
<link rel="chapter" title="9 Problems with the status quo" href=
"#problems" />
<link rel="section" title="9.1 Poorly defined area for chrome"
href="#where-is-chrome" />
<link rel="subsection" title="9.1.1 Picture in picture" href=
"#picture-in-picture" />
<link rel="subsection" title=
"9.1.2 Visually extending the chrome" href="#extended-chrome" />
<link rel="subsection" title="9.1.3 Removing the chrome" href=
"#missing-chrome" />
<link rel="section" title="9.2 Poorly defined role for chrome"
href="#what-is-chrome" />
<link rel="subsection" title="9.2.1 Browser window title" href=
"#window-title" />
<link rel="subsection" title="9.2.2 Back and forward buttons"
href="#back-button" />
<link rel="subsection" title="9.2.3 URL bar" href="#URL-bar" />
<link rel="subsection" title="9.2.4 Padlock icon" href=
"#padlock-icon" />
<link rel="subsection" title="9.2.5 Favicon" href="#favicon" />
<link rel="subsection" title="9.2.6 Status bar" href=
"#status-bar" />
<link rel="subsection" title=
"9.2.7 Information bar (aka: notification bar)" href=
"#information-bar" />
<link rel="section" title="9.3 Poor user understanding of chrome"
href="#why-is-chrome" />
<link rel="subsection" title="9.3.1 Padlock icon" href=
"#padlock-icon-semantics" />
<link rel="subsection" title="9.3.2 Hostname" href=
"#hostname-semantics" />
<link rel="subsection" title="9.3.3 Chrome versus page" href=
"#chrome-vs-page" />
<link rel="subsection" title=
"9.3.4 Explanations versus understanding" href=
"#learning-by-doing" />
<link rel="section" title="9.4 Poor usability of chrome" href=
"#when-is-chrome" />
<link rel="subsection" title="9.4.1 Out of sight, out of mind"
href="#ignored-chrome" />
<link rel="subsection" title="9.4.2 Assumed safety" href=
"#assumed-safety" />
<link rel="subsection" title=
"9.4.3 Poor usability of dialog boxes" href="#dialog-box" />
<link rel="chapter" title="10 Process" href="#process" />
<link rel="section" title="10.1 Expertise and experience" href=
"#feedback" />
<link rel="section" title=
"10.2 Reliance on general usability expertise" href=
"#usability-principles" />
<link rel="subsection" title="10.2.1 Affordance" href=
"#affordance" />
<link rel="subsection" title="10.2.2 Conceptual model" href=
"#users-model" />
<link rel="subsection" title=
"10.2.3 Match between system and the real world" href=
"#users-language" />
<link rel="subsection" title="10.2.4 Habit formation" href=
"#habit-formation" />
<link rel="subsection" title="10.2.5 Single locus of attention"
href="#locus-of-attention" />
<link rel="subsection" title=
"10.2.6 Aesthetic and minimalist design" href="#minimalist" />
<link rel="subsection" title=
"10.2.7 Help users recognize, diagnose, and recover from errors"
href="#lpt1-on-fire" />
<link rel="subsection" title=
"10.2.8 Provide explanations, justifying the advice or information given"
href="#justify" />
<link rel="subsection" title="10.2.9 Understand the user" href=
"#know-your-user" />
<link rel="subsection" title="10.2.10 Create task profiles" href=
"#task-profiles" />
<link rel="subsection" title="10.2.11 Consistency" href=
"#consistency" />
<link rel="section" title="10.3 Learning from past efforts" href=
"#usability-wisdom" />
<link rel="subsection" title=
"10.3.1 No user categories in phishing vulnerability" href=
"#uniformity" />
<link rel="subsection" title=
"10.3.2 The user must be aware of the task they are to perform"
href="#awareness" />
<link rel="section" title="10.4 Implementation and testing" href=
"#usability-testing" />
<link rel="chapter" title="11 Acknowledgments" href=
"#acknowledgments" />
<link rel="chapter" title="12 References" href="#references" />
<style type="text/css">
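/*<![CDATA[*/
/* Inline stylesheet for the W3C WG Note. Wrapped in a CDATA section
   because the document is served as XHTML; the CSS comment markers
   hide the CDATA delimiters from a plain-HTML CSS parser. */
code { font-family: monospace; }
/* Indented call-out boxes; div.note is restyled further below and
   that later rule resets its margin-left to 0. */
div.constraint,
div.issue,
div.note,
div.notice { margin-left: 2em; }
/* List numbering styles used by the spec body. */
ol.enumar { list-style-type: decimal; }
ol.enumla { list-style-type: lower-alpha; }
ol.enumlr { list-style-type: lower-roman; }
ol.enumua { list-style-type: upper-alpha; }
ol.enumur { list-style-type: upper-roman; }
/* Example boxes. */
div.exampleInner pre { margin-left: 1em;
margin-top: 0em; margin-bottom: 0em}
/* NOTE: the border declared here is overridden by the later
   div.exampleOuter rule at the end of this sheet (1px solid black). */
div.exampleOuter {border: 4px double gray;
margin: 0em; padding: 0em}
div.exampleInner { background-color: #d5dee3;
border-top-width: 4px;
border-top-style: double;
border-top-color: #d3d3d3;
border-bottom-width: 4px;
border-bottom-style: double;
border-bottom-color: #d3d3d3;
padding: 4px; margin: 0em }
div.exampleWrapper { margin: 4px }
div.exampleHeader { font-weight: bold;
margin: 4px}
/* Show the fragment identifier of any element with an id when hovered,
   so readers can find a stable anchor to link to. */
[id]:hover:after {
content: " #" attr(id) " ";
font-size: 80%;
color: #ccc;
text-decoration: none;
}
/* Visual marker for links known to be broken. */
a.borken {
background: #f99;
color: #000;
font-weight: bold;
}
/* Heading/self-links: inherit the surrounding text style so the
   anchor is not visually distinguished from a plain heading. */
a.anchor {
color: inherit;
font-weight: inherit;
text-decoration: none;
font-style: inherit;
}
/* Paragraph variant of the hover anchor, with a pilcrow. This is the
   only p[id]:hover:after rule; an earlier duplicate that set
   content: "" was dead (same specificity, overridden here) and has
   been removed. */
p[id]:hover:after {
content: " #" attr(id) " ¶ ";
font-size: 80%;
color: #ccc;
text-decoration: none;
}
div.note {
font-weight: bold;
font-style: italic;
color: #008000;
border-left: 2px solid #008000;
margin-left: 0;
padding-left: 2em;
}
span.sqbrackets {
font-style: italic;
color: #005000;
}
/* Final div.exampleOuter rule; its border wins over the earlier one. */
div.exampleOuter {
padding-left: 2em;
padding-right: 2em;
border: 1px solid black;
background: #ffa;
}
/*]]>*/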
</style>
<link rel="stylesheet" type="text/css" href=
"http://www.w3.org/StyleSheets/TR/W3C-WG-NOTE.css" />
</head>
<body>
<div class="head">
<p><a href="http://www.w3.org/"><img src=
"http://www.w3.org/Icons/w3c_home" alt="W3C" height="48" width=
"72" /></a></p>
<h1><a href="#title" id="title" name="title" class="anchor">Web
Security Experience, Indicators and Trust: Scope and Use
Cases</a></h1>
<h2><a href="#w3c-doctype" id="w3c-doctype" name="w3c-doctype"
class="anchor">W3C Working Group Note 06 March 2008</a></h2>
<dl>
<dt>This version:</dt>
<dd><a href=
"http://www.w3.org/TR/2008/NOTE-wsc-usecases-20080306/">http://www.w3.org/TR/2008/NOTE-wsc-usecases-20080306/</a></dd>
<dt>Latest version:</dt>
<dd><a href=
"http://www.w3.org/TR/wsc-usecases/">http://www.w3.org/TR/wsc-usecases/</a></dd>
<dt>Previous version:</dt>
<dd><a href="http://www.w3.org/TR/2007/WD-wsc-usecases-20071101/">http://www.w3.org/TR/2007/WD-wsc-usecases-20071101/</a></dd>
<dt>Editor:</dt>
<dd>Tyler Close, <a href=
"http://www.hp.com/">Hewlett-Packard</a></dd>
</dl>
<p class="copyright"><a href=
"http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2008 <a href="http://www.w3.org/"><acronym title="World Wide Web Consortium">W3C</acronym></a><sup>®</sup>
(<a href="http://www.csail.mit.edu/"><acronym title=
"Massachusetts Institute of Technology">MIT</acronym></a>,
<a href="http://www.ercim.org/"><acronym title=
"European Research Consortium for Informatics and Mathematics">ERCIM</acronym></a>,
<a href="http://www.keio.ac.jp/">Keio</a>), All Rights
Reserved. W3C <a href=
"http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">
liability</a>, <a href=
"http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a>
and <a href=
"http://www.w3.org/Consortium/Legal/copyright-documents">document
use</a> rules apply.</p>
</div>
<hr />
<div>
<h2><a href="#abstract" id="abstract" name="abstract" class=
"anchor">Abstract</a></h2>
<p>This Note refines the objectives for the Web Security
Context Working Group deliverables. It elaborates upon the
group's <a href=
"http://www.w3.org/2005/Security/wsc-charter"><cite>Charter</cite></a>
<a href="#wsc-charter">[WSC-CHARTER]</a> to explain what the
group aims to achieve, what technologies may be used and how
technical proposals will be evaluated. This elaboration is
limited to the group's technical work and does not cover
additional activities the group intends to engage in, such as
ongoing outreach and education.</p>
<p>This Note also includes an initial collection of use cases
that the group expects will drive its technical work.</p>
<p>Since this Note discusses the assumptions, goals, and
processes the group will use to develop its recommendations,
the intended audience is similar to that of the Working Group's
charter: group members, the W3C community, developers of
web user agents, web content providers (server administrators),
and parties interested in the Web Security Context Working
Group's plans and directions. It is explicitly not targeted at
the presumed beneficiaries of the group's work, the users of the
web, and it is not expected that an average user would be able
to read this document and understand it.</p>
</div>
<div>
<h2><a href="#status" id="status" name="status" class=
"anchor">Status of this Document</a></h2>
<p><em>This section describes the status of this document at
the time of its publication. Other documents may supersede this
document. A list of current W3C publications and the latest
revision of this technical report can be found in the <a href=
"http://www.w3.org/TR/">W3C technical reports index</a> at
http://www.w3.org/TR/.</em></p>
<p>This is the W3C Working Group Note "Web Security Experience, Indicators and Trust: Scope and
Use Cases". The W3C Membership and other interested parties are invited to send comments to
<a
href="mailto:public-usable-authentication@w3.org">public-usable-authentication@w3.org</a>
(with <a href=
"http://lists.w3.org/Archives/Public/public-usable-authentication/"> public archive</a>).</p>
<p>This document was produced by the <a href= "http://www.w3.org/2006/WSC/">Web Security Context
Working Group</a>, as part of the <a href= "http://www.w3.org/Security/Activity.html">Security
Activity</a>. Several Working Drafts for this Note were available for review; the material in
this document was subject to a public last call. At the time of publication, the Working Group
has no specific plans to further revise this document.</p>
<p>Publication as a Working Group Note does not imply endorsement by
the W3C Membership. This is a draft document and may be
updated, replaced or obsoleted by other documents at any time.
It is inappropriate to cite this document as other than work in
progress.</p>
<p> This document was produced by a group operating under the
<a
href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5
February 2004 W3C Patent Policy</a>. W3C maintains a <a
rel="disclosure" href="http://www.w3.org/2004/01/pp-impl/39814/status">public list of any patent disclosures</a> made in
connection with the deliverables of the group; that page also
includes instructions for disclosing a patent. An individual
who has actual knowledge of a patent which the individual
believes contains <a
href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential
Claim(s)</a> must disclose the information in accordance with
<a
href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section
6 of the W3C Patent Policy</a>. </p>
</div>
<div class="toc">
<h2><a href="#contents" id="contents" name="contents" class=
"anchor">Table of Contents</a></h2>
<p class="toc">1 <a href="#Overview">Overview</a><br />
2 <a href="#goals">Goals</a><br />
2.1 <a href="#status-quo">Document the
status quo</a><br />
2.2 <a href="#relevance">Relevance of
security information</a><br />
2.3 <a href="#vocabulary">Consistent
presentation of security information</a><br />
2.4 <a href="#workflow">User awareness
of security information</a><br />
2.5 <a href="#trusted-path">Reliable
presentation of security information</a><br />
2.6 <a href=
"#trust-decision-management">Reduce the number of scenarios in
which users need to make trust decisions</a><br />
2.7 <a href="#deployment">Authoring and
deployment techniques</a><br />
2.8 <a href="#other-media">Best
practices for other media</a><br />
3 <a href="#non-goals">Non-goals</a><br />
3.1 <a href=
"#completeness">Presentation of all security
information</a><br />
3.2 <a href="#nonhttp">Non-HTTP Web
interactions</a><br />
4 <a href="#in-scope">In scope</a><br />
4.1 <a href="#web-protocols">Web
interactions</a><br />
4.2 <a href="#user-agents">User
agents</a><br />
4.3 <a href="#identification">Entity
identification</a><br />
4.4 <a href=
"#recommendation">Third-party recommendation</a><br />
4.5 <a href=
"#browser-history">Historical browsing information</a><br />
5 <a href="#out-of-scope">Out of scope</a><br />
5.1 <a href=
"#non-web-protocols">Protocols</a><br />
5.2 <a href=
"#non-web-interactions">non-Web interactions</a><br />
5.3 <a href="#automation">Security
context information for consumption by automated
agents</a><br />
5.4 <a href="#vaporware">New security
information</a><br />
5.5 <a href="#filters">Content based
detection</a><br />
5.6 <a href=
"#trusted-computing">Security information about the user's
computer</a><br />
5.7 <a href="#bugs">User agent
exploits</a><br />
5.8 <a href="#kiosk">User
separation</a><br />
5.9 <a href="#XSS">Content production
exploits</a><br />
5.10 <a href=
"#out-of-scope-other">Other security challenges</a><br />
6 <a href="#use-cases">Use cases</a><br />
6.1 <a href="#decisions">User
decisions</a><br />
6.1.1 <a href=
"#secret-sharing">Providing sensitive information to a web
site</a><br />
6.1.2 <a href=
"#attribution">Believing information to come from a known
author</a><br />
6.1.3 <a href=
"#authorization">Installing software downloaded from a web
site</a><br />
6.2 <a href=
"#navigation">Navigation</a><br />
6.2.1 <a href=
"#unidentified-destination">Unidentified destination</a><br />
6.2.2 <a href=
"#unidentified-source">Unidentified source</a><br />
6.3 <a href="#user-agent-type">User
agent type</a><br />
6.3.1 <a href=
"#desktop-browser">Desktop browser</a><br />
6.3.2 <a href=
"#smartphone">Smartphone</a><br />
6.4 <a href=
"#accessibility">Accessibility</a><br />
6.5 <a href=
"#scenarios">Scenarios</a><br />
6.6 <a href=
"#threats">Threats</a><br />
6.6.1 <a href=
"#subverted-navigation">Subverted navigation</a><br />
6.6.1.1
<a href="#URL-typo">URL typo</a><br />
6.6.1.2
<a href="#misleading-bookmark">Misleading bookmark</a><br />
6.6.1.3
<a href="#misleading-introduction">Misleading
introduction</a><br />
6.6.1.4
<a href="#unprotected-navigation">Unprotected
navigation</a><br />
6.6.2 <a href=
"#impersonation">Web site impersonation</a><br />
7 <a href="#available">Security information available to the
user agent</a><br />
7.1 <a href=
"#web-content-source">Defined by web content
specifications</a><br />
7.2 <a href="#SSL-source">Defined by
SSL related specifications</a><br />
7.3 <a href="#HTTP-source">Defined by
HTTP related specifications</a><br />
7.4 <a href="#IP-source">Defined by IP
related specifications</a><br />
7.5 <a href="#DNS-source">Defined by
DNS related specifications</a><br />
7.6 <a href="#UA-source">Defined by
user agent</a><br />
7.7 <a href=
"#collected-state-source">State that may be collected by a user
agent</a><br />
7.8 <a href=
"#third-party-source">Defined by a third-party</a><br />
8 <a href="#merits">Merits of the status quo</a><br />
8.1 <a href="#strong-crypto">Widely
deployed, strong cryptography</a><br />
8.2 <a href="#spoof-prevention">Many
deceptive imitation techniques prevented</a><br />
8.3 <a href="#fixed-bugs">Corrected
implementation errors</a><br />
8.4 <a href=
"#password-manager">Password management</a><br />
9 <a href="#problems">Problems with the status quo</a><br />
9.1 <a href="#where-is-chrome">Poorly
defined area for chrome</a><br />
9.1.1 <a href=
"#picture-in-picture">Picture in picture</a><br />
9.1.2 <a href=
"#extended-chrome">Visually extending the chrome</a><br />
9.1.3 <a href=
"#missing-chrome">Removing the chrome</a><br />
9.2 <a href="#what-is-chrome">Poorly
defined role for chrome</a><br />
9.2.1 <a href=
"#window-title">Browser window title</a><br />
9.2.2 <a href=
"#back-button">Back and forward buttons</a><br />
9.2.3 <a href=
"#URL-bar">URL bar</a><br />
9.2.4 <a href=
"#padlock-icon">Padlock icon</a><br />
9.2.5 <a href=
"#favicon">Favicon</a><br />
9.2.6 <a href=
"#status-bar">Status bar</a><br />
9.2.7 <a href=
"#information-bar">Information bar (aka: notification
bar)</a><br />
9.3 <a href="#why-is-chrome">Poor user
understanding of chrome</a><br />
9.3.1 <a href=
"#padlock-icon-semantics">Padlock icon</a><br />
9.3.2 <a href=
"#hostname-semantics">Hostname</a><br />
9.3.3 <a href=
"#chrome-vs-page">Chrome versus page</a><br />
9.3.4 <a href=
"#learning-by-doing">Explanations versus
understanding</a><br />
9.4 <a href="#when-is-chrome">Poor
usability of chrome</a><br />
9.4.1 <a href=
"#ignored-chrome">Out of sight, out of mind</a><br />
9.4.2 <a href=
"#assumed-safety">Assumed safety</a><br />
9.4.3 <a href=
"#dialog-box">Poor usability of dialog boxes</a><br />
10 <a href="#process">Process</a><br />
10.1 <a href="#feedback">Expertise and
experience</a><br />
10.2 <a href=
"#usability-principles">Reliance on general usability
expertise</a><br />
10.2.1 <a href=
"#affordance">Affordance</a><br />
10.2.2 <a href=
"#users-model">Conceptual model</a><br />
10.2.3 <a href=
"#users-language">Match between system and the real
world</a><br />
10.2.4 <a href=
"#habit-formation">Habit formation</a><br />
10.2.5 <a href=
"#locus-of-attention">Single locus of attention</a><br />
10.2.6 <a href=
"#minimalist">Aesthetic and minimalist design</a><br />
10.2.7 <a href=
"#lpt1-on-fire">Help users recognize, diagnose, and recover
from errors</a><br />
10.2.8 <a href=
"#justify">Provide explanations, justifying the advice or
information given</a><br />
10.2.9 <a href=
"#know-your-user">Understand the user</a><br />
10.2.10
<a href="#task-profiles">Create task profiles</a><br />
10.2.11
<a href="#consistency">Consistency</a><br />
10.3 <a href=
"#usability-wisdom">Learning from past efforts</a><br />
10.3.1 <a href=
"#uniformity">No user categories in phishing
vulnerability</a><br />
10.3.2 <a href=
"#awareness">The user must be aware of the task they are to
perform</a><br />
10.4 <a href=
"#usability-testing">Implementation and testing</a><br />
11 <a href="#acknowledgments">Acknowledgments</a><br />
12 <a href="#references">References</a><br /></p>
</div>
<hr />
<div class="body">
<div class="div1">
<h2><a href="#Overview" id="Overview" name="Overview" class=
"anchor">1 Overview</a></h2>
<p>Web user agents are now used to engage in a great variety
and number of commercial and personal activities. Though the
medium for these activities has changed, the potential for
fraud has not. This Working Group is chartered to recommend
user interfaces that help users make trust decisions on the
Web.</p>
<p>This first Working Group document elaborates upon the
group's <a href=
"http://www.w3.org/2005/Security/wsc-charter"><cite>Charter</cite></a>
<a href="#wsc-charter">[WSC-CHARTER]</a> to explain what the
group aims to achieve, what technologies may be used and how
proposals will be evaluated. This elaboration is limited to
the group's technical work and does not cover additional
activities the group intends to engage in, such as ongoing
outreach and education.</p>
<p>The work outlined in this document is expected to take
existing standards and best practices into account. Where
relevant, such existing work will be leveraged.</p>
</div>
<div class="div1">
<h2><a href="#goals" id="goals" name="goals" class="anchor">2
Goals</a></h2>
<div class="div2">
<h3><a href="#status-quo" id="status-quo" name="status-quo"
class="anchor">2.1 Document the status quo</a></h3>
<p>Security information within the Working Group's scope
will be catalogued, along with corresponding presentations
and user interpretations reported in user studies.</p>
</div>
<div class="div2">
<h3><a href="#relevance" id="relevance" name="relevance"
class="anchor">2.2 Relevance of security
information</a></h3>
<p>The Working Group will analyze common use cases to
determine what security information the user needs to
safely accomplish their current task and recommend security
information that should, or should not, be presented in
each case.</p>
</div>
<div class="div2">
<h3><a href="#vocabulary" id="vocabulary" name="vocabulary"
class="anchor">2.3 Consistent presentation of security
information</a></h3>
<p>The Working Group will recommend a set of terms,
indicators and metaphors for consistent presentation of
security information to users, across all web user agents.
For each of these items, the Working Group will describe
the intended user interpretation, as well as safe actions
the user may respond with in common use cases.</p>
</div>
<div class="div2">
<h3><a href="#workflow" id="workflow" name="workflow"
class="anchor">2.4 User awareness of security
information</a></h3>
<p>The Working Group will recommend presentation techniques
that integrate the consumption of security information by
the user into the normal browsing workflow. Presenting
security information in a way that is typically ignored by
the user is of little value.</p>
</div>
<div class="div2">
<h3><a href="#trusted-path" id="trusted-path" name=
"trusted-path" class="anchor">2.5 Reliable presentation of
security information</a></h3>
<p>The Working Group will recommend presentation techniques
that mitigate deceptive imitation, or hiding, of the user
agent's presentation of security information.</p>
</div>
<div class="div2">
<h3><a href="#trust-decision-management" id=
"trust-decision-management" name=
"trust-decision-management" class="anchor">2.6 Reduce the
number of scenarios in which users need to make trust
decisions</a></h3>
<p>No matter how well security context information is
presented, there will always be users who, in some
situations, will behave insecurely even in the face of
harsh warnings. Thus, the Working Group will also recommend
ways to reduce the number of situations in which users need
to make trust decisions.</p>
</div>
<div class="div2">
<h3><a href="#deployment" id="deployment" name="deployment"
class="anchor">2.7 Authoring and deployment
techniques</a></h3>
<p>The Working Group will recommend authoring and
deployment techniques that cause appropriate security
information (see <a href="#available"><b>7 Security
information available to the user agent</b></a>) to be
communicated to users. Techniques already available at
authoring and deployment time which reduce the need for
communication of security information to the user will be
considered in the recommendations.</p>
</div>
<div class="div2">
<h3><a href="#other-media" id="other-media" name=
"other-media" class="anchor">2.8 Best practices for other
media</a></h3>
<p>Users' interpretation of security information on the web
will necessarily be affected by experience with other media
that are not part of this Working Group's scope; such as
email, print, radio or video. The Working Group will
provide best practice guidelines for other media to follow
so as not to undermine the presentation of security
information on the web.</p>
</div>
</div>
<div class="div1">
<h2><a href="#non-goals" id="non-goals" name="non-goals"
class="anchor">3 Non-goals</a></h2>
<p>This section outlines a range of work items which the
group will not focus on, but which may be covered as
beneficial side effects of the group's work. Work items
listed here won't be a priority, and the group won't expend
collective resources on tackling them.</p>
<div class="div2">
<h3><a href="#completeness" id="completeness" name=
"completeness" class="anchor">3.1 Presentation of all
security information</a></h3>
<p>Web user agents contain a great deal of information
relevant to security. This Working Group does not aim to
recommend a presentation for all of this information.
Recommendations will be narrowly focused on presentations
that satisfy the Working Group's use cases, see <a href=
"#use-cases"><b>6 Use cases</b></a>.</p>
</div>
<div class="div2">
<h3><a href="#nonhttp" id="nonhttp" name="nonhttp" class=
"anchor">3.2 Non-HTTP Web interactions</a></h3>
<p>Recommendations that this group makes may or may not be
relevant to Web related interactions that use protocols
other than HTTP or HTTPS. While the group will, where
appropriate, aim for its recommendations to be generically
useful, it considers recommendations specific to other
protocols a non-goal.</p>
</div>
</div>
<div class="div1">
<h2><a href="#in-scope" id="in-scope" name="in-scope" class=
"anchor">4 In scope</a></h2>
<p>This section enumerates categories of technology and
information that are within this Working Group's scope, as
initially defined by the group's <a href=
"http://www.w3.org/2005/Security/wsc-charter"><cite>Charter</cite></a>
<a href="#wsc-charter">[WSC-CHARTER]</a>. A complete
enumeration of in scope artifacts is provided by the section
<a href="#available"><b>7 Security information available to
the user agent</b></a>.</p>
<div class="div2">
<h3><a href="#web-protocols" id="web-protocols" name=
"web-protocols" class="anchor">4.1 Web
interactions</a></h3>
<p>User interactions on the Web (see <a href=
"http://www.w3.org/TR/webarch/"><cite>Architecture of the
World Wide Web</cite></a> <a href=
"#web-arch">[WEBARCH]</a>), using the HTTP and HTTPS
protocols, are at the core of the Working Group's scope.
Where Web interactions involve other application-level
protocols (including, e.g., SOAP or FTP), the Working Group
considers these in its scope and will aim for its
recommendations to be applicable to them; however, applicability
to non-HTTP Web interactions (see <a href="#nonhttp"><b>3.2
Non-HTTP Web interactions</b></a>) is a non-goal.</p>
</div>
<div class="div2">
<h3><a href="#user-agents" id="user-agents" name=
"user-agents" class="anchor">4.2 User agents</a></h3>
<p>A user agent is software to access Web content,
including desktop graphical browsers, text browsers, voice
browsers, mobile phones, multimedia players, plug-ins, and
some software assistive technologies used in conjunction
with browsers such as screen readers, screen magnifiers,
and voice recognition software. This definition is in line
with <a href=
"http://www.w3.org/TR/WAI-WEBCONTENT/"><cite>Web Content
Accessibility Guidelines 1.0</cite></a> <a href=
"#wcag">[WCAG]</a>.</p>
<p>Use cases considered by this Working Group must involve
a web user agent, operated by a human user. In all
instances, the use case is only relevant to this Working
Group if the presentation of security information should
affect the user's interaction with the web resource.</p>
</div>
<div class="div2">
<h3><a href="#identification" id="identification" name=
"identification" class="anchor">4.3 Entity
identification</a></h3>
<p>A web browsing session is like a conversation, where the
user converses with various entities, some known, and
others newly encountered. Each resource the user interacts
with is identified by a URI. Through specifics of the
underlying protocol, including DNS and SSL, other
designators are bound to these resources and the entities
that provide them. Recommending a presentation for these
designators that helps the user recognize which entity they
are currently conversing with, and when they are switching
to a different entity, is a primary concern of this Working
Group.</p>
</div>
<div class="div2">
<h3><a href="#recommendation" id="recommendation" name=
"recommendation" class="anchor">4.4 Third-party
recommendation</a></h3>
<p>A user's perception of an entity is strongly influenced
by the opinions of others. The recommendations of
certificate authorities, visited web sites or reputation
services integrated into the user agent are in scope for
this Working Group.</p>
</div>
<div class="div2">
<h3><a href="#browser-history" id="browser-history" name=
"browser-history" class="anchor">4.5 Historical browsing
information</a></h3>
<p>The Working Group may also use information about past
interactions between the user and an entity in presentation
recommendations. Relevant historical browsing information
includes entity designators used in past browsing sessions,
as well as information provided by the user to the entity
during those sessions.</p>
</div>
</div>
<div class="div1">
<h2><a href="#out-of-scope" id="out-of-scope" name=
"out-of-scope" class="anchor">5 Out of scope</a></h2>
<p>This section enumerates a number of possible work items
that the Working Group will not consider.</p>
<div class="div2">
<h3><a href="#non-web-protocols" id="non-web-protocols"
name="non-web-protocols" class="anchor">5.1
Protocols</a></h3>
<p>The Working Group considers recommendations for lower
level protocols (such as SS7, ISDN, or NANP) out of
scope.</p>
</div>
<div class="div2">
<h3><a href="#non-web-interactions" id=
"non-web-interactions" name="non-web-interactions" class=
"anchor">5.2 non-Web interactions</a></h3>
<p>The Working Group considers recommendations specific to
interactions that do not involve the Web (e.g., rich text
display in an e-mail user agent) out of its scope. However,
where such interactions use Web Technologies,
recommendations may turn out to be applicable.</p>
</div>
<div class="div2">
<h3><a href="#automation" id="automation" name="automation"
class="anchor">5.3 Security context information for
consumption by automated agents</a></h3>
<p>The Working Group will only consider Web interactions in
which a human participates in making a trust decision that
this group is chartered to address. Situations in which all
security relevant information is consumed and acted upon
only by automated agents are out of scope.</p>
</div>
<div class="div2">
<h3><a href="#vaporware" id="vaporware" name="vaporware"
class="anchor">5.4 New security information</a></h3>
<p>The Working Group will neither create nor extend any
protocol or data format, nor create recommendations for
protocols or data formats that are not yet widely deployed.
Recommendations will only be made for the presentation of
currently deployed security information.</p>
</div>
<div class="div2">
<h3><a href="#filters" id="filters" name="filters" class=
"anchor">5.5 Content based detection</a></h3>
<p>Techniques commonly used by intrusion detection systems,
virus scanners and spam filters to detect illegitimate
requests based on their content are out of scope for this
Working Group. These techniques include recognizing known
attacks by analyzing the served URLs, graphics or markup.
The heuristics used in these tools are a moving target and
so not a suitable subject for standardization. The Working
Group will not recommend any checks on the content served
by web sites.</p>
</div>
<div class="div2">
<h3><a href="#trusted-computing" id="trusted-computing"
name="trusted-computing" class="anchor">5.6 Security
information about the user's computer</a></h3>
<p>Security information about the user's computer, such as
that provided by virus scanners, or trusted computing
infrastructure, is out of scope for this Working Group. No
recommendations will rely on such services, or any aspect
of trusted computing. The recommendations therefore assume
an uncompromised user agent platform: presentation techniques
recommended by this Working Group may be undermined by
malware that has infected the user's computer, and this
limitation should be understood by anyone deploying them.</p>
</div>
<div class="div2">
<h3><a href="#bugs" id="bugs" name="bugs" class=
"anchor">5.7 User agent exploits</a></h3>
<p>Attacks that exploit a programming error (an
implementation vulnerability) in the user agent are out of
scope. This Working Group's recommendations assume a properly
functioning user agent, i.e. one whose implementation is free
of exploitable errors.</p>
</div>
<div class="div2">
<h3><a href="#kiosk" id="kiosk" name="kiosk" class=
"anchor">5.8 User separation</a></h3>
<p>Many computers are shared among multiple users, either
in the home, or as a kiosk in a public place. In such
scenarios, the activity of one user must not be accessible
to another. Providing this functionality may be best done
by the operating system, or other software, and is out of
scope for this Working Group.</p>
</div>
<div class="div2">
<h3><a href="#XSS" id="XSS" name="XSS" class="anchor">5.9
Content production exploits</a></h3>
<p>Programs that produce HTML, or other web content,
commonly suffer from quoting (output-escaping) errors that
allow attacker-supplied data to be interpreted as markup or
script, enabling Cross-site scripting (<a href=
"http://en.wikipedia.org/wiki/Cross-site_scripting">XSS</a>)
attacks. The web user agent is in a poor position to detect
these attacks, since it sees only the output. Web content
formats are not currently designed such that the receiver
can readily distinguish content that was produced on
purpose versus content that was produced by accident.
Consequently, this kind of attack is out of scope for this
Working Group; it must be prevented on the server side, by
the program that produces the content.</p>
</div>
<div class="div2">
<h3><a href="#out-of-scope-other" id="out-of-scope-other"
name="out-of-scope-other" class="anchor">5.10 Other
security challenges</a></h3>
<p>As stated in the <a href=
"http://www.w3.org/2005/Security/wsc-charter">charter</a>,
the mission of the Web Security Context Working Group is to
specify a baseline set of security context information that
should be accessible to Web users, and practices for the
secure and usable presentation of this information, to
enable users to come to a better understanding of the
context that they are operating in when making trust
decisions on the Web. While the work this group does may
have a positive and beneficial effect on other security
challenges on the web, directly addressing such challenges
is out of scope. This section lists several specific
challenges, but the list may not be exhaustive.</p>
</div>
</div>
<div class="div1">
<h2><a href="#use-cases" id="use-cases" name="use-cases"
class="anchor">6 Use cases</a></h2>
<p>This Working Group is concerned with: the trust decisions
users must make when using the Web; what information may
inform these decisions; and usable ways of communicating
needed information to the user. Our use-cases are first
structured by the kind of decision facing the user, where
each kind of decision brings different risks. The information
available to inform a decision is primarily determined by how
the user navigated to the web page where the decision arose.
Our use-cases are further categorized by the different means
of navigating the Web. Finally, the feasible user
interactions for communicating relevant information are
limited by the I/O features of the web user agent. Our
use-cases are finally tailored to the kind of web user
agent.</p>
<div class="div2">
<h3><a href="#decisions" id="decisions" name="decisions"
class="anchor">6.1 User decisions</a></h3>
<div class="div3">
<h4><a href="#secret-sharing" id="secret-sharing" name=
"secret-sharing" class="anchor">6.1.1 Providing sensitive
information to a web site</a></h4>
<p>Many activities on the Web, such as logging into an
account or completing a purchase, require providing
sensitive information to a web site. If the user is
interacting with the intended site, and they are not
reassured of this case, they may not complete a desired
transaction. If the site is not the intended one, and the
user is not warned of this case, a thief may receive
sensitive information.</p>
</div>
<div class="div3">
<h4><a href="#attribution" id="attribution" name=
"attribution" class="anchor">6.1.2 Believing information
to come from a known author</a></h4>
<p>The Web is most often used for viewing information
produced by others. Sometimes, the user may form an
opinion, or make a decision, based on this information.
This act may be greatly influenced by who the user
believes to be the information's author. If the user is
misled about authorship, a thief may convince the user to
take an unwarranted action. If the user is unsure about
authorship, they may not act on needed advice.</p>
</div>
<div class="div3">
<h4><a href="#authorization" id="authorization" name=
"authorization" class="anchor">6.1.3 Installing software
downloaded from a web site</a></h4>
<p>Not all content available on the Web remains confined
to the web browser. Some content can be installed as an
executable application on the user's computer, or as an
extension to an existing application, or extend the web
browser itself. On today's popular operating systems, an
installed application has much greater access to the
user's computer than does a web page. An application may
abuse this additional authority by stealing the user's
files, rendering the computer unusable, or using it to
attack yet other computers. Choosing to not install an
application may also be detrimental, as a needed security
patch is not applied, or desired functionality is not
acquired.</p>
</div>
</div>
<div class="div2">
<h3><a href="#navigation" id="navigation" name="navigation"
class="anchor">6.2 Navigation</a></h3>
<p>A hyperlink is navigated from a source to a destination.
Information about each may be relevant to a trust decision
the user makes on the destination web page, but this
information is not always available. Even when available,
this information may not be meaningful to the user. The
identification provided by either source or destination may
not correspond to any entity known to the user. A source or
destination is considered identified when the presented
information can be attributed to an authenticated entity,
such as via an SSL server certificate.</p>
<div class="div3">
<h4><a href="#unidentified-destination" id=
"unidentified-destination" name=
"unidentified-destination" class="anchor">6.2.1
Unidentified destination</a></h4>
<p>Information about the destination of a hyperlink may
be unavailable because:</p>
<ul>
<li>
<p>the web page does not support server authentication,
such as that provided by SSL/TLS</p>
<p>(In the absence of SSL/TLS, communication with the
destination host may be intercepted or altered in transit,
for example through a compromised DNS lookup or an
illegitimate wifi access point, without the user agent
being able to detect the substitution.)</p>
</li>
<li>
<p>the server's authentication certificate cannot be
validated by the user agent, for example because its
issuer is unrecognized or it has expired</p>
</li>
</ul>
</div>
<div class="div3">
<h4><a href="#unidentified-source" id=
"unidentified-source" name="unidentified-source" class=
"anchor">6.2.2 Unidentified source</a></h4>
<p>In addition to the ways destination information may be
unavailable, source information may be unavailable
because:</p>
<ul>
<li>
<p>navigation was initiated from another application,
such as an email or chat client</p>
</li>
<li>
<p>the user typed in the destination URL</p>
</li>
<li>
<p>the source web page makes no warranty as to the
purpose of the hyperlink, such as is common for a
search engine or open discussion forum</p>
</li>
</ul>
</div>
</div>
<div class="div2">
<h3><a href="#user-agent-type" id="user-agent-type" name=
"user-agent-type" class="anchor">6.3 User agent
type</a></h3>
<p>The use-cases address two different kinds of user agent,
each distinguished by characteristic I/O features.</p>
<div class="div3">
<h4><a href="#desktop-browser" id="desktop-browser" name=
"desktop-browser" class="anchor">6.3.1 Desktop
browser</a></h4>
<p>A desktop browser typically has:</p>
<ul>
<li>
<p>a large, full color viewing area</p>
</li>
<li>
<p>a pointing device</p>
</li>
<li>
<p>a full-size keyboard</p>
</li>
<li>
<p>speakers</p>
</li>
</ul>
</div>
<div class="div3">
<h4><a href="#smartphone" id="smartphone" name=
"smartphone" class="anchor">6.3.2 Smartphone</a></h4>
<p>A smartphone user agent typically differs from its
desktop counterpart in several ways:</p>
<ul>
<li>
<p>Screen: a small, limited color viewing area</p>
</li>
<li>
<p>Navigation input: small keyboard, stylus or
pointing device</p>
</li>
<li>
<p>Small keyboard pad: on-screen keyboard and
predictive text technology, such as T9</p>
</li>
<li>
<p>Tactile feedback: vibration</p>
</li>
<li>
<p>A/V interfaces</p>
</li>
</ul>
<p>Traffic cost awareness, slow connection speed and
trust in the mobile network infrastructure may also
affect how users interact with their smartphone's user
agent. These factors influence how security indicators
are presented by different smartphone user agents.</p>
<p>In mobile browsers, the chrome has fewer options and
overlaps with the phone's menus. Obtaining secondary
information is cumbersome, requiring several clicks. Due
to a lack of screen space, the padlock is shown but the
URL is only partially shown, if at all. Password
management is not supported in all phones. In some cases,
an accessed web page has a modified look and feel,
different from simply viewing the page on a small screen.
These changes may create suspicion among security-aware
users. User agents rarely check for certificate
revocation, since doing so generates network traffic.
Some certificate authorities commonly found in desktop
browsers are not included in smartphone user agents.
Consequently, the user may be presented with warnings
that do not appear when the same site is visited using a
desktop user agent. Large pages that do not fit in the
phone's RAM can cause unexpected behavior in the user
agent's security indicators.</p>
</div>
</div>
<div class="div2">
<h3><a href="#accessibility" id="accessibility" name=
"accessibility" class="anchor">6.4 Accessibility</a></h3>
<p>The use cases in this document make no particular
assumptions about the capabilities and cultural background
of the user in question. <a href="#wcag">[WCAG]</a></p>
<ul>
<li>
<p>They may not be able to see, hear, or move, or may
not be able to process some types of information easily
or at all.</p>
</li>
<li>
<p>They may have difficulty reading or comprehending
text.</p>
</li>
<li>
<p>They may not have or be able to use a keyboard or
mouse.</p>
</li>
<li>
<p>They may have a text-only screen, a small screen, or
a slow Internet connection.</p>
</li>
<li>
<p>They may not speak or understand fluently the
language in which the document is written.</p>
</li>
<li>
<p>They may be in a situation where their eyes, ears,
or hands are busy or interfered with (e.g., driving to
work, working in a loud environment, etc.)</p>
</li>
<li>
<p>They may have an early version of a browser, a
different browser entirely, a voice browser, or a
different operating system.</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#scenarios" id="scenarios" name="scenarios"
class="anchor">6.5 Scenarios</a></h3>
<p>In the table below, each cell contains links to
use-cases that fall into the category determined by the
cell's placement in the table. The hypertext of each link
names the type of user agent being used, where "any" means
the use-case is not specific to a type of user agent.</p>
<table border="1">
<tbody>
<tr>
<th></th>
<th><a href="#secret-sharing">Providing</a></th>
<th><a href="#attribution">Believing</a></th>
<th><a href="#authorization">Installing</a></th>
</tr>
<tr>
<th>Identified source, Identified destination</th>
<td id="iip"><a href="#any-iip-1">case1</a>, <a href=
"#any-iip-2">case2</a></td>
<td id="iib"><a href="#any-iib-1">case8</a>, <a href=
"#any-iib-2">case9</a></td>
<td id="iii"><a href="#any-iii-1">case15</a></td>
</tr>
<tr>
<th>Identified source, Unidentified destination</th>
<td id="iup"><a href="#any-iup-1">case3</a></td>
<td id="iub"><a href="#any-iub-1">case10</a></td>
<td id="iui"><a href="#any-iui-1">case16</a>,
<a href="#any-iui-2">case17</a></td>
</tr>
<tr>
<th>Unidentified source, Identified destination</th>
<td id="uip"><a href="#any-uip-1">case4</a>, <a href=
"#any-uip-2">case5</a>, <a href=
"#smartphone-uip-1">case6</a></td>
<td id="uib"></td>
<td id="uii"><a href="#any-uii-1">case18</a>,
<a href="#any-uii-2">case19</a></td>
</tr>
<tr>
<th>Unidentified source, Unidentified
destination</th>
<td id="uup"><a href="#any-uup-1">case7</a></td>
<td id="uub"><a href="#any-uub-1">case11</a>,
<a href="#any-uub-2">case12</a>, <a href=
"#any-uub-3">case13</a>, <a href=
"#any-uub-4">case14</a></td>
<td id="uui"><a href="#any-uui-1">case20</a></td>
</tr>
</tbody>
</table>
<ol class="enumar">
<li id="any-iip-1">
<p><a href="#iip">Identified source, Identified
destination, Providing</a></p>
<p>Once a week, Alice pays her bills. She opens her web
browser, follows the habitual bookmark to her bank's
site, logs in by entering her credentials, and follows
the routine course through the online banking
system.</p>
</li>
<li id="any-iip-2">
<p><a href="#iip">Identified source, Identified
destination, Providing</a></p>
<p>Betty's home wireless router has a web interface for
making configuration changes. When the router is
installed, it generates a self-signed SSL server
certificate. Sometime later, Betty attempts to make a
configuration change. How does Betty know she's
connected to the router she set up earlier, and not her
neighbor's?</p>
</li>
<li id="any-iup-1">
<p><a href="#iup">Identified source, Unidentified
destination, Providing</a></p>
<p>Once a week, Alice pays her bills. She opens her web
browser, follows the habitual bookmark to her bank's
site, and is directed to an unfamiliar site at a new
domain, announcing that her bank has recently acquired
another one and changed names a bit. She is asked to
enter her usual credentials, succeeds, and quickly
adapts to the new online banking system.</p>
</li>
<li id="any-uip-1">
<p><a href="#uip">Unidentified source, Identified
destination, Providing</a></p>
<p>In the advertising leading up to a re-run of the
1970s movie classic "The Sting," Doyle sees an offer
for a new-fashioned investment that he can't refuse,
offered by a brand that he has heard of before. He
memorizes the URL that is given toward the end of the
advertising. Coming back home, he mis-types the URI at
first, corrects a spelling error, and then reaches a
web site that matches the investment firm's branding
and name. He's asked for identifying information that
he provides.</p>
</li>
<li id="any-uip-2">
<p><a href="#uip">Unidentified source, Identified
destination, Providing</a></p>
<p>Example Inc. has use of example.com, example.net and
example.org. Each is used to manage a different part of
the company's online operations. Betty initially found
Example at example.com and created her online account
through a page hosted at that domain. She has yet to
interact with any of Example's other hosts. Sometime
later, Betty receives an email claiming to be from
Example and alerting her to a pending task that she
must attend to. The email provides a hyperlink to a
page that will help Betty complete the task. After
clicking on the hyperlink, Betty's user agent displays
a page from the example.net host. The page asks Betty
to enter her username and passphrase before being
allowed to access her account. How is Betty to know
that her Example credentials can be safely entered into
the page?</p>
</li>
<li id="smartphone-uip-1">
<p><a href="#uip">Unidentified source, Identified
destination, Providing, smartphone</a></p>
<p>While on the move, Alice suddenly remembers she has
to make an urgent banking transaction. She has used her
mobile browser previously for retrieving information
from the web, but this time she decides to use her
phone due to the urgency. She starts her mobile phone
browser and enters a URL that she recalls having seen
on her home desktop browser. After some delay, longer
than usual, the phone starts showing a page. Due to
screen size, Alice notices that the layout is somewhat
familiar, but still not the same as the one in her
desktop. She can't see the full URL either. Alice
scrolls and spots the link that takes her to the
transaction page and clicks on it. After some delay,
the phone displays a page asking her to enter her usual
bank credentials. How is Alice to know that her bank
credentials can be safely entered into the page?</p>
</li>
<li id="any-uup-1">
<p><a href="#uup">Unidentified source, Unidentified
destination, Providing</a></p>
<p>Example Inc. has a popular online service that
processes many credit card transactions a day. Betty
occasionally uses the service and trusts it with her
credit card information. Malcolm is a thief with an
idea. He creates an imitation of the Example web site
and begins directing users to it. Malcolm contacts
victims through email, or even the phone, and links to
his imposter site from popular blogs and chat forums.
He's also given his imposter site a domain name that is
just a typo away from Example's authentic web site, so
some victims will arrive by accident. Betty is about to
enter her credit card information into a site that
looks just like Example's. How is she to know if it's
the authentic site, or the imposter?</p>
</li>
<li id="any-iib-1">
<p><a href="#iib">Identified source, Identified
destination, Believing</a></p>
<p>Betty occasionally visits the example.com web site.
On each connection, Betty's user agent receives an SSL
server certificate issued by the same certificate
authority. On the current connection, the received
certificate was issued by a different certificate
authority. What should the user agent display? Can
Example Inc. affect this display through the content of
the new certificate?</p>
</li>
<li id="any-iib-2">
<p><a href="#iib">Identified source, Identified
destination, Believing</a></p>
<p>Betty clicks on a hyperlink to the web page at
<code>&lt;https://www.example.com/&gt;</code>. The
received HTML page includes content received from
<code>&lt;https://www.example.net/&gt;</code>. Betty's
user agent is unaware of any relationship between the
www.example.com and www.example.net web sites.</p>
</li>
<li id="any-iub-1">
<p><a href="#iub">Identified source, Unidentified
destination, Believing</a></p>
<p>Betty visits the web page at
<code>&lt;https://www.example.com/&gt;</code>. The
received HTML page includes content received from
<code>&lt;http://www.example.com/&gt;</code>, i.e.,
content received using a different security
context.</p>
</li>
<li id="any-uub-1">
<p><a href="#uub">Unidentified source, Unidentified
destination, Believing</a></p>
<p>Betty tries to connect to a web site at
<code>&lt;https://www.example.com/&gt;</code>. Her user
agent's SSL implementation detects that the domain name
specified in the certificate differs from
www.example.com. What should the user agent
display?</p>
</li>
<li id="any-uub-2">
<p><a href="#uub">Unidentified source, Unidentified
destination, Believing</a></p>
<p>Betty is planning a trip to a foreign country.
Searching the web, she finds a widely recommended local
travel agency. When she connects to their web site, her
user agent does not recognize the certificate authority
that issued the travel agency's SSL server certificate.
What should the user agent display?</p>
</li>
<li id="any-uub-3">
<p><a href="#uub">Unidentified source, Unidentified
destination, Believing</a></p>
<p>Like many users, Betty has grown accustomed to
quickly clicking through any warning dialogs presented
by her user agent. Out of habit, Betty dismisses
another one, then quickly becomes suspicious about some
of the web page's content.</p>
</li>
<li id="any-uub-4">
<p><a href="#uub">Unidentified source, Unidentified
destination, Believing</a></p>
<p>Betty has travelled to a foreign country. In a
coffee shop, she is reading a political web site from
her home country. She wonders whether the information
that is displayed to her is authentic, and whether
there will be eavesdropping on her interactions.</p>
</li>
<li id="any-iii-1">
<p><a href="#iii">Identified source, Identified
destination, Installing</a></p>
<p>Once a week, Alice pays her bills. She opens her web
browser, follows the habitual bookmark to her bank's
site. Her bank's web site informs her that, as a
countermeasure to recent attacks against online banking
customers, she needs to install a piece of proprietary
software on her computer that will be the conduit for
her future interactions with the bank.</p>
</li>
<li id="any-iui-1">
<p><a href="#iui">Identified source, Unidentified
destination, Installing</a></p>
<p>Frank regularly reads a frequent flyer forum while
sipping his first cup of coffee in the morning. He
clicks on a link and walks off to the coffee-maker for
a refill. Returning, he notes that his computer screen
now includes pop-up advertising for a new
cheque-management program which is purportedly offered
by his bank. A free demonstration version is available
for download. The advertising is served from an
advertising agency's web site, not from the bank's.</p>
</li>
<li id="any-iui-2">
<p><a href="#iui">Identified source, Unidentified
destination, Installing</a></p>
<p>Vicki is interested in finding out more about art
auctions in the greater Boston area. She engages a
search engine and tries to follow a link there. Her web
browser consults a reputation service which has
recorded that the link target will attempt to subvert
the browser and install malicious software.</p>
</li>
<li id="any-uii-1">
<p><a href="#uii">Unidentified source, Identified
destination, Installing</a></p>
<p>Watching more cinema advertising, Doyle sees a
somewhat irritating, but intriguing movie teaser that
ends with a dark screen that has a URL fading away
quickly. He mis-memorizes the URL. Coming back home, he
types in what he remembers, and gets directed to a web
site that immediately causes a software download. A
pop-up window informs him (in graphical layout that
matches the teaser's last screen) that software will be
installed on his system in order to enable him to fully
benefit from the web site's multimedial offerings.</p>
</li>
<li id="any-uii-2">
<p><a href="#uii">Unidentified source, Identified
destination, Installing</a></p>
<p>Steve runs a suite of security software on his
machine that regularly upgrades certain components. The
typical workflow is that a specific browser window is
opened automatically. Steve will then control the
selection of software upgrades, will download them from
the web, and they will then be installed.</p>
</li>
<li id="any-uui-1">
<p><a href="#uui">Unidentified source, Unidentified
destination, Installing</a></p>
<p>Once a week, Alice pays her bills. She opens her web
browser, follows the habitual bookmark to her bank's
site. A download process starts, and a pop-up window
informs Alice that she needs to install a piece of
software locally that will henceforth be her conduit
for her future online interactions with her bank.</p>
</li>
<li id="any-iio-1">
<p>Identified source, Identified destination, No
interaction</p>
<p>Betty tries to connect to a web site at
<code>&lt;http://www.example.com/&gt;</code>. She
visits this site frequently to read various news and
articles. Since her last visit, the site example.com
has been compromised by some method, and visitors are
now being infected with malware. At the time of the
current request, Betty's user agent now has information
saying that example.com is a known bad site. What
interaction, if any, should occur?</p>
</li>
<li id="any-uuo-1">
<p>Unidentified source, Unidentified destination, No
interaction</p>
<p>Frank regularly reads his email in the morning. This
morning he receives an email that purports to be from
his bank and asks him to verify a recent transaction by
clicking on the link embedded in the email. The link
does not display the usual URL that he types to get to
his bank's website, but it does have his bank's name in
it. He clicks on the link and is directed to a phishing
site. The phishing site has been shut down as a known
fraudulent site, so when Frank clicks on the link he
receives the generic Error 404: File Not Found page.
Frank is not sure what has occurred.</p>
</li>
</ol>
</div>
<div class="div2">
<h3><a href="#threats" id="threats" name="threats" class=
"anchor">6.6 Threats</a></h3>
<p>The scenarios provided above are vulnerable to a wide
range of threats. Threats which are in scope for this
Working Group are further discussed in <a href=
"#in-scope"><b>4 In scope</b></a>. Section <a href=
"#out-of-scope"><b>5 Out of scope</b></a> covers threats
which, though dangerous and important, will not be directly
addressed by this Working Group. A comprehensive threat
tree, for both in scope and out of scope threats, is work
in progress; see <a href=
"http://www.w3.org/TR/wsc-threats/"><cite>Web User
Interaction: Threat Trees</cite></a> <a href=
"#ref-wsc-threats">[WSC-THREATS]</a>.</p>
<div class="div3">
<h4><a href="#subverted-navigation" id=
"subverted-navigation" name="subverted-navigation" class=
"anchor">6.6.1 Subverted navigation</a></h4>
<p>When following a hyperlink, the user may have an
expectation, based on how they found the hyperlink, for
what the destination page should be. These expectations
will be misplaced if an attacker can replace the expected
hyperlink with one that leads to a different destination
page.</p>
<div class="div4">
<h5><a href="#URL-typo" id="URL-typo" name="URL-typo"
class="anchor">6.6.1.1 URL typo</a></h5>
<p>In scenarios where the user types a URL into their
browser, there is a risk of mistyping. An attacker can
acquire the rights to common typo variants of a
hostname and so cause the navigation to lead to an
attack page, instead of the expected page.</p>
</div>
<div class="div4">
<h5><a href="#misleading-bookmark" id=
"misleading-bookmark" name="misleading-bookmark" class=
"anchor">6.6.1.2 Misleading bookmark</a></h5>
<p>In scenarios where the user navigates to a page via
a bookmark, there is a risk of selecting the wrong
bookmark. Browsers commonly identify bookmarks by the
corresponding page title, the value of which is chosen
by the page author. If an attacker can convince the
user to bookmark a page, using another pretense, the
user will have a bookmark identified by a name of the
attacker's choosing and leading to a page of the
attacker's choosing.</p>
</div>
<div class="div4">
<h5><a href="#misleading-introduction" id=
"misleading-introduction" name=
"misleading-introduction" class="anchor">6.6.1.3
Misleading introduction</a></h5>
<p>Discussion forums and search engines serve content
produced by others, or derived from content produced by
others. A user may apply the trust they have for these
sites to the hyperlinks they serve. Most often, this
trust is well placed, since the sites aim to serve
useful hyperlinks. An attacker, posing as a normal site
contributor, may cause the site to serve a hyperlink to
an attack page. In this case, a user may follow the
hyperlink, and apply their trust for the site to the
attacker's page.</p>
</div>
<div class="div4">
<h5><a href="#unprotected-navigation" id=
"unprotected-navigation" name="unprotected-navigation"
class="anchor">6.6.1.4 Unprotected navigation</a></h5>
<p>Most of the URLs currently in use do not use SSL, or
similar protection. An attacker with access to the
network layer can replace a requested URL with one of
their own choosing. Consequently, even a hyperlink that
refers to the expected destination page can be made to
refer to a page of the attacker's choosing.</p>
</div>
</div>
<div class="div3">
<h4><a href="#impersonation" id="impersonation" name=
"impersonation" class="anchor">6.6.2 Web site
impersonation</a></h4>
<p>If an attacker is unable to subvert the navigation
step, it still may be possible to convince the user that
the attack page is the expected page. Techniques for
doing this are described in <a href="#problems"><b>9
Problems with the status quo</b></a>. That section
discusses deficiencies in the browser user interface.</p>
</div>
</div>
</div>
<div class="div1">
<h2><a href="#available" id="available" name="available"
class="anchor">7 Security information available to the user
agent</a></h2>
<p>This section provides an enumeration of the security
information this Working Group has determined to be in scope
and so available for use in recommendations. The Working
Group's scope is detailed in sections <a href=
"#in-scope"><b>4 In scope</b></a> and <a href=
"#out-of-scope"><b>5 Out of scope</b></a>. Information is
grouped into sub-sections according to the references that
should be consulted to determine its semantics.</p>
<div class="div2">
<h3><a href="#web-content-source" id="web-content-source"
name="web-content-source" class="anchor">7.1 Defined by web
content specifications</a></h3>
<ul>
<li>
<p>MIME type</p>
<p>The reported MIME type, along with other information
the user agent may collect, such as filename extension,
affect what user agent features are triggered by the
receipt of web content.</p>
</li>
<li>
<p>target URI</p>
<p>The target URI for an HTTP request is constructed
according to the instructions provided by the web
content from which the request was produced. The target
URI determines the recipient of the request.</p>
</li>
<li id="dynamic-content">
<p>presence of client-side dynamic content</p>
<p>The rendering of a web page composed of only static
content has a completion point, after which the
rendered view remains constant until the user chooses
to navigate to another web page. Dynamic content is
anything that changes this interaction or is given
additional access to user agent functions. Java and
JavaScript are two current examples, as is an HTML META
tag specifying a page refresh.</p>
</li>
<li>
<p>Is the rendered view composed from multiple
resources, such as referenced images or
stylesheets?</p>
<p>The message communicated by a web page may be
significantly affected by partial rendering. The web
content specifies what resources the web page's author
considered part of the rendered view.</p>
</li>
<li>
<p>Is the rendered view composed from resources from
distinct hosts?</p>
<p>When a web page includes by reference a resource
from another host, the rendered view may be
significantly different than the page author expected.
For example, the HTML IMG tag can lead to such
surprises.</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#SSL-source" id="SSL-source" name="SSL-source"
class="anchor">7.2 Defined by SSL related
specifications</a></h3>
<ul>
<li id="SSL-certificate-chain">
<p>SSL server certificate chain <a href=
"#pkix">[PKIX]</a></p>
<ul>
<li>
<p>certificate authority</p>
</li>
<li>
<p>distinguished name</p>
</li>
<li>
<p>public key</p>
</li>
<li>
<p>validity timeframe</p>
</li>
<li>
<p>extended validation <a href="#ev-cert">[EV
Cert]</a></p>
</li>
</ul>
</li>
<li>
<p>Ciphersuite</p>
<ul>
<li>
<p>public key algorithm and key length</p>
</li>
<li>
<p>symmetric key algorithm and key length</p>
</li>
<li>
<p>message digest algorithm</p>
</li>
</ul>
</li>
<li>
<p>revocation status</p>
<p>Both CRLs <a href="#pkix">[PKIX]</a> and OCSP
<a href="#ocsp">[OCSP]</a> provide information about
the revocation status of a certificate.</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#HTTP-source" id="HTTP-source" name=
"HTTP-source" class="anchor">7.3 Defined by HTTP related
specifications</a></h3>
<ul>
<li id="HTTP-redirect">
<p>HTTP redirect <a href="#http">[HTTP]</a></p>
</li>
<li>
<p>HTTP-Auth handshake <a href="#http-auth">[HTTP
Auth]</a></p>
</li>
<li>
<p>cookie handling <a href="#http-cookie">[HTTP
Cookie]</a></p>
</li>
<li>
<p>Must requests be transmitted using SSL? <a href=
"#https">[HTTPS]</a></p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#IP-source" id="IP-source" name="IP-source"
class="anchor">7.4 Defined by IP related
specifications</a></h3>
<ul>
<li>
<p>server IP address</p>
</li>
<li>
<p>localhost versus intranet versus internet</p>
</li>
<li>
<p>network diagnostic information, such as provided by
ping or traceroute</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#DNS-source" id="DNS-source" name="DNS-source"
class="anchor">7.5 Defined by DNS related
specifications</a></h3>
<ul>
<li>
<p>server hostname</p>
</li>
<li>
<p>DNSSEC protection of hostname lookup <a href=
"#dnssec">[DNSSEC]</a></p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#UA-source" id="UA-source" name="UA-source"
class="anchor">7.6 Defined by user agent</a></h3>
<ul>
<li id="UA-CAs">
<p>installed certificate authorities</p>
</li>
<li>
<p>installed search engines</p>
</li>
<li>
<p>default window layout</p>
</li>
<li>
<p>default bookmarks</p>
</li>
<li>
<p>default configuration</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#collected-state-source" id=
"collected-state-source" name="collected-state-source"
class="anchor">7.7 State that may be collected by a user
agent</a></h3>
<ul>
<li id="UA-done-rendering">
<p>Has rendering of a page completed?</p>
</li>
<li id="HTTP-Referer">
<p>referring page</p>
</li>
<li>
<p>SSL session <a href="#tls">[TLS]</a>, if any, that
protected content transmission</p>
</li>
<li id="user-password">
<p>submitted passwords</p>
</li>
<li id="user-input">
<p>submitted form values</p>
</li>
<li>
<p>bookmarks</p>
</li>
<li>
<p>browsing history</p>
</li>
<li>
<p>installed client certificates</p>
</li>
<li>
<p>installed server certificates</p>
</li>
<li>
<p>How was the URL entered?</p>
<ul>
<li>
<p>typed into address bar</p>
</li>
<li>
<p>pasted into address bar</p>
</li>
<li>
<p>clicked hyperlink</p>
</li>
<li>
<p>command from another application</p>
</li>
</ul>
</li>
<li id="user-customization">
<p>user agent customization</p>
</li>
<li id="user-understanding">
<p>user response to prompts</p>
</li>
</ul>
</div>
<div class="div2">
<h3><a href="#third-party-source" id="third-party-source"
name="third-party-source" class="anchor">7.8 Defined by a
third-party</a></h3>
<ul>
<li>
<p>reputation service</p>
</li>
<li>
<p>other visited web pages that link to the current
page</p>
</li>
<li>
<p>search engine results</p>
</li>
</ul>
</div>
</div>
<div class="div1">
<h2><a href="#merits" id="merits" name="merits" class=
"anchor">8 Merits of the status quo</a></h2>
<p>Successive generations of web user agents have improved
upon past implementations and achieved greater deployment of
security relevant infrastructure. This work provides a base
upon which this Working Group will build its recommendations.
This section calls out the aspects of the currently deployed
web infrastructure that have already narrowed the problem
space we need to address, or that we intend to learn from or
build on.</p>
<div class="div2">
<h3><a href="#strong-crypto" id="strong-crypto" name=
"strong-crypto" class="anchor">8.1 Widely deployed, strong
cryptography</a></h3>
<p>Since its first deployment, the SSL protocol has
undergone multiple revisions, culminating in the current
TLS/1.1 protocol. Both client and server implementations
are widely deployed, enabling applications to communicate
in a way that is designed to prevent eavesdropping,
tampering, and message forgery.</p>
</div>
<div class="div2">
<h3><a href="#spoof-prevention" id="spoof-prevention" name=
"spoof-prevention" class="anchor">8.2 Many deceptive
imitation techniques prevented</a></h3>
<p>The most current generation of desktop web browsers
contain several changes aimed at protecting users from the
types of spoofing attacks seen in the past. Some of these
changes are invisible to users, such as preventing a web
site from opening a window which is larger than the visible
desktop. Other changes are more noticeable, such as warning
dialogs which alert users when they arrive at a website
that matches an entry on a list of suspected phishing
sites.</p>
</div>
<div class="div2">
<h3><a href="#fixed-bugs" id="fixed-bugs" name="fixed-bugs"
class="anchor">8.3 Corrected implementation errors</a></h3>
<p>Recent web browsers correct many of the security
relevant implementation errors in past browsers. Many
errors in the implementation and application of the SSL
protocol are now corrected.</p>
</div>
<div class="div2">
<h3><a href="#password-manager" id="password-manager" name=
"password-manager" class="anchor">8.4 Password
management</a></h3>
<p>Modern browsers include a password manager that can
autofill the corresponding user login credentials for a web
site. This feature provides several usability benefits that
can help users notice and avoid web based attempts to steal
their passwords. Autofilling provides a presentation cue
indicating the credentials have been previously submitted
to the web site. The user may then infer that the current
operation is simply a repeat of a past trust decision,
rather than a new trust decision: the decision to give the
web site the corresponding password has already been made.
A password manager can also eliminate the step of typing a
password into a web page, a step highly vulnerable to
phishing.</p>
</div>
</div>
<div class="div1">
<h2><a href="#problems" id="problems" name="problems" class=
"anchor">9 Problems with the status quo</a></h2>
<p>Though much implementation progress has been made, there
remain problems with the basic design for communicating
security information to the user, which is the core of the
mission of this Working Group. In current user agents,
security information is primarily presented through modal
dialog boxes and indicators in the browser's chrome. Chrome
is the representation through which the user interacts with
the user agent itself, as distinct from the web content
accessed. In graphical layout terms, chrome is the part of
the user agent window outside of the area displaying the
current web page. This user interface has a number of
inherent problems, as well as problems created by the current
realization.</p>
<div class="div2">
<h3><a href="#where-is-chrome" id="where-is-chrome" name=
"where-is-chrome" class="anchor">9.1 Poorly defined area
for chrome</a></h3>
<p>The above definition of chrome reveals a major
shortcoming in the concept. Chrome is primarily defined by
where it is not, rather than where it is. As a result,
there are a number of tricks for confusing the user about
which parts of their screen contain browser chrome.</p>
<div class="div3">
<h4><a href="#picture-in-picture" id="picture-in-picture"
name="picture-in-picture" class="anchor">9.1.1 Picture in
picture</a></h4>
<p>Modern desktop operating systems support overlapping
windows of varying sizes. A smaller browser window
overlaying a larger browser window can be visually
indistinguishable from a larger browser window displaying
a picture of a smaller browser window in the web page
area. Using dynamic content technology, this picture of a
window can be given functionality that closely mimics
that of a real browser window. In this case, the user may
treat the web page content as a real browser window and
believe the imitation chrome is real chrome.</p>
<p>This level of visual deception may be unnecessary to
fool many users. Studies have demonstrated that many
users still do not fully grasp the flexibility of the
desktop metaphor and wrongly believe the security
indicators of one browser window also pertain to another
located on top of, or next to it. <a href=
"#why-phishing-works">[Why Phishing Works]</a></p>
</div>
<div class="div3">
<h4><a href="#extended-chrome" id="extended-chrome" name=
"extended-chrome" class="anchor">9.1.2 Visually extending
the chrome</a></h4>
<p>The strongest visual cue the user is given for the
boundary between the chrome area and the web page area is
a change in background color. The chrome uses the
background color for application menus, typically a light
grey, and the web page area uses whatever background
color it wishes, but typically white. There is nothing
preventing the web page from using the same background
color as the chrome area for part of the web page area
near the chrome. In this case, the chrome area may appear
to be extended with additional security indicators
specified by the web page. In addition, color-only cues
often do not work for users who are color blind.</p>
<p>Curiously, recent releases of prominent browsers now
use a similar technique to present security information
to the user from the web page area. Typically the chrome
extension uses a light yellow background and appears near
the top of the web page area. A web page could provide an
identical presentation with a message like: "This web
page is guaranteed by Example Inc. to be safe for
e-commerce."; where the name Example Inc. would instead
be a brand name widely trusted by users. Since users have
been conditioned by the browser to expect relevant
security information to be presented in this way, they
may trust the message.</p>
</div>
<div class="div3">
<h4><a href="#missing-chrome" id="missing-chrome" name=
"missing-chrome" class="anchor">9.1.3 Removing the
chrome</a></h4>
<p>Employing the above visual tricks may be unnecessary
for a successful attack, since the browser may support
removing the chrome from a browser window, at the
discretion of the visited web site. In this event, the
vacated area of the browser window becomes additional web
page area. Simply depriving the user of the chrome's
security indicators may be sufficient, or the attacker
could display imitation chrome in the same area the user
expects to find real chrome.</p>
</div>
</div>
<div class="div2">
<h3><a href="#what-is-chrome" id="what-is-chrome" name=
"what-is-chrome" class="anchor">9.2 Poorly defined role for
chrome</a></h3>
<p>Replacing the real chrome with imitation chrome may be
unnecessary for a successful attack, since currently all of
the indicators in the chrome display information chosen by
the attacker. By choosing values for these indicators which
are likely to deceive the user, the attacker can produce an
imitation of the victim web site using the real chrome,
rather than imitation chrome. It is unclear in what way the
user should rely on the chrome, when the chrome displays
only information chosen by the attacker. Following is an
exhaustive list of the indicators found in the chrome of
common web browsers, and the corresponding source of the
displayed information.</p>
<div class="div3">
<h4><a href="#window-title" id="window-title" name=
"window-title" class="anchor">9.2.1 Browser window
title</a></h4>
<p>The browser's window title is constructed using the
content of the HTML <code>TITLE</code> element from the
displayed web page. The attacker has full control over
the content of the displayed web page.</p>
<p>In a browser with multiple tabs for viewing multiple
web pages, the tab title also uses the content of the
<code>TITLE</code> element.</p>
</div>
<div class="div3">
<h4><a href="#back-button" id="back-button" name=
"back-button" class="anchor">9.2.2 Back and forward
buttons</a></h4>
<p>Both the back and forward navigation buttons provide a
drop down list of previously viewed pages. Each page is
identified by the content of the corresponding HTML
<code>TITLE</code> element.</p>
</div>
<div class="div3">
<h4><a href="#URL-bar" id="URL-bar" name="URL-bar" class=
"anchor">9.2.3 URL bar</a></h4>
<p>The current web page's URL is chosen in tandem by the
creator of the referring hyperlink and the web site
operator. When an attacker is directing victims to an
imposter web site, the attacker is both the creator of
the referring hyperlink and the web site operator.</p>
<p>Some browsers provide an additional display of the
hostname of the visited web site. The displayed hostname
is taken from the current web page's URL. An attacker can
choose any hostname that is not already in use, including
ones that may deceive users. See section <a href=
"#hostname-semantics"><b>9.3.2 Hostname</b></a> for
additional discussion.</p>
</div>
<div class="div3">
<h4><a href="#padlock-icon" id="padlock-icon" name=
"padlock-icon" class="anchor">9.2.4 Padlock icon</a></h4>
<p>The padlock icon indicates the use of SSL. The
decision to use SSL, or not, is again at the discretion
of the creator of the referring hyperlink and the web
site operator. In a phishing scenario, the attacker still
plays both these roles. When the web site operator is an
independent party it may redirect a URL chosen by the
attacker to an SSL protected URL; however, this redirect
is delivered over the original unprotected connection,
so an attacker positioned on the network path can
intercept the plaintext request and withhold or replace
the redirect, keeping the user on an unprotected
connection with no padlock shown.</p>
</div>
<div class="div3">
<h4><a href="#favicon" id="favicon" name="favicon" class=
"anchor">9.2.5 Favicon</a></h4>
<p>Websites can specify a small graphic to act as an icon
that appears in the URL bar in most desktop web browsers
and on the tabs in some browsers <a href=
"#favicon-howto">[Favicon]</a>. While the desktop web
browsers control this chrome, none place any restrictions
on the type of websites or the content of the images that
will be displayed. Consequently, an imposter web site can
display the icon of an impersonated web site in the web
browser's chrome.</p>
<p>A website may also choose to display a favicon that
looks exactly like the padlock icon that is displayed in
the URL bar by many browsers to indicate an SSL
connection. In this case, the user may believe that SSL
is being used, when it is not.</p>
</div>
<div class="div3">
<h4><a href="#status-bar" id="status-bar" name=
"status-bar" class="anchor">9.2.6 Status bar</a></h4>
<p>By default, the status bar displays messages from the
browser, such as the target of the hyperlink under the
mouse cursor. The displayed web page can also display any
message of its choosing in this area.</p>
</div>
<div class="div3">
<h4><a href="#information-bar" id="information-bar" name=
"information-bar" class="anchor">9.2.7 Information bar
(aka: notification bar)</a></h4>
<p>Some desktop web browsers use a colored bar called an
information bar (or notification bar) across the top of
the web content window to communicate with users. These
messages are specific to the content of the web content
window, and usually alert the user to the fact that a
potentially undesirable action has been suspended, such
as the automatic installation of software or the opening
of a new web content window.</p>
<p>While the content of the information bar is controlled
by the web browser, a convincing replica of this
interface can easily be created by a malicious web site
and placed at the top of their content.</p>
</div>
</div>
<div class="div2">
<h3><a href="#why-is-chrome" id="why-is-chrome" name=
"why-is-chrome" class="anchor">9.3 Poor user understanding
of chrome</a></h3>
<p>Employing a great deal of deception might also be
unnecessary for a successful attack, since studies have
shown many users have a poor understanding of the chrome.
The current chrome indicators provide a thin summary of raw
technical artifacts drawn from the network protocol's
current exchange. The full meaning of these protocol
artifacts is not necessarily understood by users.</p>
<div class="div3">
<h4><a href="#padlock-icon-semantics" id=
"padlock-icon-semantics" name="padlock-icon-semantics"
class="anchor">9.3.1 Padlock icon</a></h4>
<p>The presence of the padlock icon in the chrome only
indicates the current web page was transmitted using the
SSL protocol, that is, over an encrypted connection to a
server whose certificate the browser accepted. The icon
does not denote a guarantee of trustworthiness, nor is it
an indication of legitimacy; an imposter site can be
accessed using the SSL protocol.
On its own, the fact that SSL was used is not actionable.
The fact must first be paired with many others before a
warranted decision can be made. Nevertheless, some
studies have shown the presence of a padlock icon, when
it is noticed, contributes to a user's vague sense of
security <a href="#users-conceptions">[Users'
conceptions]</a>. Relying on the padlock icon in this way
is not supported by the mere use of SSL by a web
page.</p>
</div>
<div class="div3">
<h4><a href="#hostname-semantics" id="hostname-semantics"
name="hostname-semantics" class="anchor">9.3.2
Hostname</a></h4>
<p>DNS is a hierarchical name space. Name assignments on
upper layers of this name space are controlled by various
policy and business processes and often thought of as
identifiers for real-world entities; name assignments on
the lower layers are typically chosen freely and often
thought of as identifiers for individual hosts or
services. However, these intricacies are not widely
understood. Studies show that users will interpret brand
names that occur on any level of a domain name as a
signal that allows them to assume some kind of reliable
association between the brand and the domain name
<a href="#security-toolbars">[Security Toolbars]</a>.</p>
</div>
<div class="div3">
<h4><a href="#chrome-vs-page" id="chrome-vs-page" name=
"chrome-vs-page" class="anchor">9.3.3 Chrome versus
page</a></h4>
<p>Perhaps the most surprising result of user studies is
that the distinction between chrome and page area does
not exist in the minds of many users. Professional
looking content is deemed a more reliable indicator of
legitimacy. A padlock icon appearing in the page area has
the same significance as one in the chrome <a href=
"#security-toolbars">[Security Toolbars]</a>. Whether an
indicator in the chrome is a security indicator, or a
decoration set by the web page is unclear <a href=
"#why-phishing-works">[Why Phishing Works]</a>. Given the
reality of the current functionality of the chrome, these
user perceptions are quite reasonable. Current chrome is
just a decoration whose content is largely, or entirely,
determined by the visited web site.</p>
</div>
<div class="div3">
<h4><a href="#learning-by-doing" id="learning-by-doing"
name="learning-by-doing" class="anchor">9.3.4
Explanations versus understanding</a></h4>
<p>Users come to an understanding of security indicators
predominantly through use and direct experience, and
somewhat through general awareness (discussions with
others, news and other information they might receive).
Users knowing about the padlock icon at all, for example,
shows that user education does happen over time.
Experience and history with education on using computer
software indicates that users do not learn and act
exactly on what is explicitly taught them (for an example
of that in user security, see <a href=
"#make-up-your-mind">[Make Up Your Mind]</a>). Explicit
user education does not override other problems and does
not consistently alter user behavior.</p>
</div>
</div>
<div class="div2">
<h3><a href="#when-is-chrome" id="when-is-chrome" name=
"when-is-chrome" class="anchor">9.4 Poor usability of
chrome</a></h3>
<p>Even if the chrome was perfectly implemented and fully
understood by users, it still might not, as currently
designed, provide effective protection.</p>
<div class="div3">
<h4><a href="#ignored-chrome" id="ignored-chrome" name=
"ignored-chrome" class="anchor">9.4.1 Out of sight, out
of mind</a></h4>
<p>Browsing the web involves reading text, clicking
hyperlinks and filling out forms; all activities which
take place entirely within the web page area of the
browser window. Consequently, studies have shown that
users rarely consult the chrome, instead focusing on the
task at hand. Even when the chrome has not been tampered
with and is providing the intended presentation, it goes
unnoticed by users <a href="#security-toolbars">[Security
Toolbars]</a>, <a href="#why-phishing-works">[Why
Phishing Works]</a>.</p>
</div>
<div class="div3">
<h4><a href="#assumed-safety" id="assumed-safety" name=
"assumed-safety" class="anchor">9.4.2 Assumed
safety</a></h4>
<p>Current chrome decorates web pages that provide
security information, and remains silent about those that
provide none. This design creates multiple problems.</p>
<p>It is difficult for humans to react to the absence of
something. Studies have shown that users do not reliably
notice the absence of security indicators <a href=
"#why-phishing-works">[Why Phishing Works]</a>.</p>
<p>Users, and even experts, commonly attribute more
security than is warranted to a web page that is not
protected by SSL. A login form on such a page can be
readily modified in transit such that it will send the
user's login credentials to an attacker before logging
the user into the authentic web site. This holds even
when the form's submission target is an SSL protected
URL: the target can be rewritten along with the rest of
the unprotected page before the user ever sees it.</p>
</div>
<div class="div3">
<h4><a href="#dialog-box" id="dialog-box" name=
"dialog-box" class="anchor">9.4.3 Poor usability of
dialog boxes</a></h4>
<p>Desktop software commonly reports problems through
modal pop-up dialog boxes. Such dialog boxes frequently
appear during normal software use. Also, the user is
frequently given no reasonable course of action other
than clicking the OK button. Consequently, users have
been conditioned to automatically dismiss such dialog
boxes, often without even glancing at their content. User
studies confirm this phenomenon also holds for security
warnings from web browsers <a href=
"#why-phishing-works">[Why Phishing Works]</a>.</p>
</div>
</div>
</div>
<div class="div1">
<h2><a href="#process" id="process" name="process" class=
"anchor">10 Process</a></h2>
<p>Though research incorporating usable security goes back to
the principle of "psychological acceptability" from
<cite>Saltzer and Schroeder</cite> <a href=
"#saltzer-schroeder">[Saltzer and Schroeder]</a>, making
security usable is still a nascent area for research <a href=
"#security-and-usability">[Security and Usability]</a>. There
are no worked examples of formal standards from standards
making bodies on usable security to emulate. There are a
limited number of worked examples in deployed products to
learn from. There are a larger number of attempts with
unclear results to learn from. We have yet to get
widely-applicable, satisfactory answers to basic questions on
usable security. Consequently, this Working Group's
recommendations will necessarily contain more innovation than
might a traditional standards effort. This section details
the process the Working Group will employ to mitigate the
significant perils of innovation in a standards effort.</p>
<div class="div2">
<h3><a href="#feedback" id="feedback" name="feedback"
class="anchor">10.1 Expertise and experience</a></h3>
<p>By its very nature, the public reviews of the
deliverables of this Working Group via the W3C standards
process will provide pertinent and timely input from
researchers and practitioners in a variety of disciplines,
including usability and design, security, and
accessibility. That feedback may be based on experience
with other standards efforts, experience prototyping or
developing software or devices, experience with deployment
or use of software or devices, or other forms of anecdotal
evidence. This data represents experience and knowledge
that has not been or cannot be captured via document
principles, previous studies, or the working group's
testing. The Working Group will use such feedback to inform
our recommendations.</p>
</div>
<div class="div2">
<h3><a href="#usability-principles" id=
"usability-principles" name="usability-principles" class=
"anchor">10.2 Reliance on general usability
expertise</a></h3>
<p>Though principles and examples of usable security are
scarce, expertise on the general usability of software is
more plentiful. Principles of usability aim to help the
user understand presented information, discover the actions
that can be taken, predict the implications of those
actions and so learn how the tool can be made to serve the
user's needs. These aims are also a prerequisite for usable
security. Listed below are design principles, drawn from
the research literature, recognized by the Working Group as
relevant to usable security.</p>
<div class="div3">
<h4><a href="#affordance" id="affordance" name=
"affordance" class="anchor">10.2.1 Affordance</a></h4>
<p>An element of a user interface should include cues
that help the user discover its features <a href=
"#design-of-everyday">[Design of Everyday
Things]</a>.</p>
</div>
<div class="div3">
<h4><a href="#users-model" id="users-model" name=
"users-model" class="anchor">10.2.2 Conceptual
model</a></h4>
<p>A user will develop a personal model of what something
does and how it works. The user interface should present
cues that assist the formation of this model and ensure
that the actual and perceived state of the system are
consistent <a href="#design-of-everyday">[Design of
Everyday Things]</a>.</p>
</div>
<div class="div3">
<h4><a href="#users-language" id="users-language" name=
"users-language" class="anchor">10.2.3 Match between
system and the real world</a></h4>
<p>The system should speak the users' language, with
words, phrases and concepts familiar to the user, rather
than system-oriented terms. Follow real-world
conventions, making information appear in a natural and
logical order <a href="#ten-usability-heuristics">[Ten
Usability Heuristics]</a>.</p>
</div>
<div class="div3">
<h4><a href="#habit-formation" id="habit-formation" name=
"habit-formation" class="anchor">10.2.4 Habit
formation</a></h4>
<p>Persistent use of any interface will cause the user to
develop habits. A user interface should leverage habit
formation to shape the user's workflow <a href=
"#humane-interface">[Humane Interface]</a>.</p>
</div>
<div class="div3">
<h4><a href="#locus-of-attention" id="locus-of-attention"
name="locus-of-attention" class="anchor">10.2.5 Single
locus of attention</a></h4>
<p>A user has only a single locus of attention, a feature
or an object in the physical world, or an idea, about
which they are intently and actively thinking. Humans
ignore things that aren't their current locus of
attention. The user's locus of attention is only held in
short term memory and so will be quickly forgotten once
their attention shifts <a href=
"#humane-interface">[Humane Interface]</a>.</p>
</div>
<div class="div3">
<h4><a href="#minimalist" id="minimalist" name=
"minimalist" class="anchor">10.2.6 Aesthetic and
minimalist design</a></h4>
<p>Dialogues should not contain information which is
irrelevant or rarely needed. Every extra unit of
information in a dialogue competes with the relevant
units of information and diminishes their relative
visibility <a href="#ten-usability-heuristics">[Ten
Usability Heuristics]</a>.</p>
</div>
<div class="div3">
<h4><a href="#lpt1-on-fire" id="lpt1-on-fire" name=
"lpt1-on-fire" class="anchor">10.2.7 Help users
recognize, diagnose, and recover from errors</a></h4>
<p>Error messages should be expressed in plain language
(no codes), precisely indicate the problem, and
constructively suggest a solution <a href=
"#ten-usability-heuristics">[Ten Usability
Heuristics]</a>.</p>
</div>
<div class="div3">
<h4><a href="#justify" id="justify" name="justify" class=
"anchor">10.2.8 Provide explanations, justifying the
advice or information given</a></h4>
<p>If the user is expected to carry out a task or an
action to achieve the desired level of security, they
should have access to an explanation that justifies why
it is necessary.</p>
</div>
<div class="div3">
<h4><a href="#know-your-user" id="know-your-user" name=
"know-your-user" class="anchor">10.2.9 Understand the
user</a></h4>
<p>Design should begin with an understanding of the
intended users. This includes population profiles that
reflect training, motivation, and goals <a href=
"#designing-the-UI">[Designing the User
Interface]</a>.</p>
</div>
<div class="div3">
<h4><a href="#task-profiles" id="task-profiles" name=
"task-profiles" class="anchor">10.2.10 Create task
profiles</a></h4>
<p>With the intended user in mind, designers should
formally write down user tasks <a href=
"#designing-the-UI">[Designing the User
Interface]</a>.</p>
</div>
<div class="div3">
<h4><a href="#consistency" id="consistency" name=
"consistency" class="anchor">10.2.11 Consistency</a></h4>
<p>The cues should be displayed consistently in location
and across sites and web user agents in an attempt to
prevent spoofing and user confusion <a href=
"#designing-the-UI">[Designing the User
Interface]</a>.</p>
</div>
</div>
<div class="div2">
<h3><a href="#usability-wisdom" id="usability-wisdom" name=
"usability-wisdom" class="anchor">10.3 Learning from past
efforts</a></h3>
<p>A growing body of research documents presentation
techniques that have not proved effective in providing
usable security. The results of these studies will be used
to judge the expected effectiveness of presentation
techniques. The Working Group will keep abreast of ongoing
studies and subject potential recommendations to review by
usability experts from both inside the Working Group, and
from outside.</p>
<p>Section <a href="#problems"><b>9 Problems with the
status quo</b></a> contains a summary of much of what has
been learned about phishing. Additional results are listed
below.</p>
<div class="div3">
<h4><a href="#uniformity" id="uniformity" name=
"uniformity" class="anchor">10.3.1 No user categories in
phishing vulnerability</a></h4>
<p>In Why Phishing Works <a href=
"#why-phishing-works">[Why Phishing Works]</a>, neither
education, age, sex, previous experience, nor hours of
computer use showed a statistically significant
correlation with vulnerability to phishing.</p>
</div>
<div class="div3">
<h4><a href="#awareness" id="awareness" name="awareness"
class="anchor">10.3.2 The user must be aware of the task
they are to perform</a></h4>
<p>The user must be aware that a decision is to be made,
what information should be used to make the decision, and
where to look for the information <a href=
"#johnny">[Johnny]</a>.</p>
</div>
</div>
<div class="div2">
<h3><a href="#usability-testing" id="usability-testing"
name="usability-testing" class="anchor">10.4 Implementation
and testing</a></h3>
<p>Part of a Working Group's activities is developing code
and test suites <a href="#w3c-process">[W3C
Process]</a>.</p>
<p>The Working Group aims to demonstrate and test the WG's
recommendations on usable and robust communication of
security context information through implementations within
the framework of one or more web user agents. The most
likely web user agents to serve as platforms for such
implementations are web browsers. To demonstrate that
recommendations are sufficiently general and interoperable,
we expect implementation in the context of at least two web
user agents.</p>
<p>We are targeting three types of testing of our
recommendations: functional testing, robustness testing,
and usability testing <a href="#w3c-testing">[W3C
Testing]</a>.</p>
<p>All test development and testing is iterative. The
recommendations may need to be modified on the basis of all
three types of testing. Test development starts when work
on the specification starts. Test planning will include
guidelines for developing tests. Test suites are typically
developed when the specifications are in a reasonably
stable state, such as the first full public working draft.
Test development will include test execution instructions.
Automation of the tests will be considered but is unlikely,
as the tests will require human visual confirmation. Clear
descriptions of what to expect and how to judge outcome
will be part of each test.</p>
<p>Functional testing against the sample code and
appropriate deployment configurations will verify that the
recommendations can be translated to web user agent code,
with no functional ill effects on the rest of the web user
agent. It will show that implementations can conform to the
recommendations, and that the specifications clearly define
behaviors. This is also called conformance testing.</p>
<p>Robustness testing will verify that the recommendations
are robust against spoofing attacks. Existing spoofing
attacks will be documented, and new spoofing attacks aimed
directly at the recommendations (both required and
recommended) will be developed. All of these attacks will
take the form of web site content returned to the user
agent (most typically DHTML or XML that a web browser
GETs).</p>
<p>Usability testing will verify that the recommendations
provide usable display of security context information. The
type of usability testing we do will depend on both the
direction of our recommendations and the resources the
Working Group is able to tap into. The Working Group aims
to perform low-fidelity prototyping and testing with a
modest number of test subjects (10 - 20) for each proposed
practice that involves user feedback <a href=
"#tiny-fingers">[Tiny Fingers]</a>. This will be reflected
in Candidate Recommendation exit criteria. Prototyping at
this level will provide feedback in early design phases at
a point where needed changes can be made easily. It will
also create a more user-centered design process and will
help in the realization of our goals that address
usability.</p>
<p>More extensive user testing will be desirable, and is
expected to contribute to higher-quality outcomes. More
extensive tests may include:</p>
<ul>
<li>
<p>Incremental testing incorporating feedback from
previous iterations</p>
</li>
<li>
<p>Recruiting participants from broader groups which
better represent target user groups, either in size or
relevant characteristics</p>
</li>
<li>
<p>Lab testing of sample code, for example <a href=
"#johnny-2">[Johnny 2]</a></p>
</li>
<li>
<p>Contextual or "in the wild" testing of sample code
<a href="#social-phishing">[Social Phishing]</a></p>
</li>
<li>
<p>More iterative combinations of the above, throughout
the specification lifecycle</p>
</li>
</ul>
</div>
</div>
<div class="div1">
<h2><a href="#acknowledgments" id="acknowledgments" name=
"acknowledgments" class="anchor">11 Acknowledgments</a></h2>
<p>This note is based on input from Tyler Close, Thomas
Roessler, Mary Ellen Zurko, Bill Doyle, Maritza Johnson,
Phill Hallam-Baker, Hal Lockhart, Brad Porter, Dan Schutzer,
Stephen Farrell, Stuart Schechter, Tim Hahn, Luis Barriga,
Mike Beltzner, Al Gilman, Rich Salz, Ian Fette, and the
members of the Web Security Context Working Group. It has
also benefitted from general public and working group
commentary on earlier drafts.</p>
</div>
<div class="div1">
<h2><a href="#references" id="references" name="references"
class="anchor">12 References</a></h2>
<dl>
<dt class="label"><a name="dnssec" id=
"dnssec"></a>DNSSEC</dt>
<dd><a href="http://www.ietf.org/rfc/rfc4033.txt"><cite>DNS
Security Introduction and Requirements</cite></a>; R.
Arends, R. Austein, M. Larson, D. Massey, S. Rose; IETF RFC
4033; 2005.</dd>
<dt class="label"><a name="design-of-everyday" id=
"design-of-everyday"></a>Design of Everyday Things</dt>
<dd><cite>The Design of Everyday Things</cite>; Donald
Norman; Doubleday; 1988.</dd>
<dt class="label"><a name="designing-trust" id=
"designing-trust"></a>Designing Trust</dt>
<dd><a href=
"http://www.oreilly.com/catalog/securityusability/"><cite>Designing
Systems That People Will Trust</cite></a>; Andrew S.
Patrick, Pamela Briggs, and Stephen Marsh; Security and
Usability: Designing Secure Systems that People Can Use,
ed. Lorrie Faith Cranor and Simson Garfinkel; 2005.</dd>
<dt class="label"><a name="designing-the-UI" id=
"designing-the-UI"></a>Designing the User Interface</dt>
<dd><a href=
"http://www.cs.umd.edu/hcil/pubs/books/dtui.shtml"><cite>Designing
the User Interface</cite></a>; Ben Shneiderman; Addison
Wesley; 2005.</dd>
<dt class="label"><a name="ev-cert" id="ev-cert"></a>EV
Cert</dt>
<dd><a href="http://www.cabforum.org/"><cite>Extended
Validation SSL Certificates - A New, Higher Standard for
Internet Security</cite></a>; CA/Browser Forum; 2006.</dd>
<dt class="label"><a name="favicon-howto" id=
"favicon-howto"></a>Favicon</dt>
<dd><a href=
"http://www.w3.org/2005/10/howto-favicon"><cite>How to Add
a Favicon to your Site</cite></a>; Karl Dubost; W3C Quality
Assurance; 2006.</dd>
<dt class="label"><a name="http" id="http"></a>HTTP</dt>
<dd><a href=
"http://www.w3.org/Protocols/rfc2616/rfc2616.html"><cite>Hypertext
Transfer Protocol -- HTTP/1.1</cite></a>; R. Fielding, J.
Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T.
Berners-Lee; IETF RFC 2616; June 1999.</dd>
<dt class="label"><a name="http-auth" id=
"http-auth"></a>HTTP Auth</dt>
<dd><a href=
"http://www.ietf.org/rfc/rfc2617.txt"><cite>HTTP
Authentication: Basic and Digest Access
Authentication</cite></a>; J. Franks, P. Hallam-Baker, J.
Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart;
IETF RFC 2617; 1999.</dd>
<dt class="label"><a name="http-cookie" id=
"http-cookie"></a>HTTP Cookie</dt>
<dd><a href=
"http://www.faqs.org/rfcs/rfc2965.html"><cite>HTTP State
Management Mechanism</cite></a>; D. Kristol, L. Montulli;
IETF RFC 2965; 2000.</dd>
<dt class="label"><a name="https" id="https"></a>HTTPS</dt>
<dd><a href=
"http://www.ietf.org/rfc/rfc2818.txt"><cite>HTTP Over
TLS</cite></a>; E. Rescorla; IETF RFC 2818; 2000.</dd>
<dt class="label"><a name="humane-interface" id=
"humane-interface"></a>Humane Interface</dt>
<dd><a href=
"http://rchi.raskincenter.org/index.php?title=Home#Jef_Raskin.27s_The_Humane_Interface">
<cite>The Humane Interface: New Directions for Designing
Interactive Systems</cite></a>; Jef Raskin; 2000.</dd>
<dt class="label"><a name="johnny" id=
"johnny"></a>Johnny</dt>
<dd><a href=
"http://www.cs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf">
<cite>Why Johnny Can't Encrypt: A Usability Evaluation of
PGP 5.0</cite></a>; Alma Whitten and John D Tygar; Usenix;
1999.</dd>
<dt class="label"><a name="johnny-2" id=
"johnny-2"></a>Johnny 2</dt>
<dd><a href=
"http://cups.cs.cmu.edu/soups/2005/2005proceedings/p13-garfinkel.pdf">
<cite>Johnny 2: A User Test of Key Continuity Management
with S/MIME and Outlook Express</cite></a>; Simson L.
Garfinkel, Robert C. Miller; Symposium On Usable Privacy
and Security; 2005.</dd>
<dt class="label"><a name="make-up-your-mind" id=
"make-up-your-mind"></a>Make Up Your Mind</dt>
<dd><a href=
"http://www.acsa-admin.org/2002/papers/7.pdf"><cite>Did You
Ever Have To Make Up Your Mind? What Notes Users Do When
Faced With A Security Decision</cite></a>; Mary Ellen
Zurko, Charlie Kaufman, Katherine Spanbauer, Chuck Bassett;
Proceedings of the 18th Annual Computer Security
Applications Conference; 2002.</dd>
<dt class="label"><a name="ocsp" id="ocsp"></a>OCSP</dt>
<dd><a href=
"http://www.ietf.org/rfc/rfc2560.txt"><cite>X.509 Internet
Public Key Infrastructure Online Certificate Status
Protocol - OCSP</cite></a>; M. Myers, R. Ankney, A.
Malpani, S. Galperin, C. Adams; IETF RFC 2560; 1999.</dd>
<dt class="label"><a name="pkix" id="pkix"></a>PKIX</dt>
<dd><a href=
"http://www.ietf.org/rfc/rfc3280.txt"><cite>Internet X.509
Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile</cite></a>; R. Housley, W.
Polk, W. Ford, D. Solo; IETF RFC 3280; 2002.</dd>
<dt class="label"><a name="saltzer-schroeder" id=
"saltzer-schroeder"></a>Saltzer and Schroeder</dt>
<dd><a href=
"http://web.mit.edu/Saltzer/www/publications/protection/"><cite>
The Protection of Information in Computer
Systems</cite></a>; Jerome Saltzer and Michael Schroeder;
Proceedings of the 4th Symposium on Operating System
Principles; ACM Press; 1973.</dd>
<dt class="label"><a name="security-toolbars" id=
"security-toolbars"></a>Security Toolbars</dt>
<dd><a href=
"http://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf">
<cite>Do Security Toolbars Actually Prevent Phishing
Attacks?</cite></a>; Min Wu, Robert C. Miller and Simson L.
Garfinkel; Conference on Human Factors in Computing Systems
(CHI 2006); 2006.</dd>
<dt class="label"><a name="security-and-usability" id=
"security-and-usability"></a>Security and Usability</dt>
<dd><a href=
"http://www.oreilly.com/catalog/securityusability/index.html">
<cite>Security and Usability: Designing Secure Systems that
People Can Use</cite></a>; Lorrie Faith Cranor, Simson
Garfinkel; O'Reilly; 2005.</dd>
<dt class="label"><a name="social-phishing" id=
"social-phishing"></a>Social Phishing</dt>
<dd><a href=
"http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf">
<cite>Social Phishing</cite></a>; Tom Jagatic, Nathaniel
Johnson, Markus Jakobsson, and Filippo Menczer; School of
Informatics Indiana University, Bloomington; 2005.</dd>
<dt class="label"><a name="tls" id="tls"></a>TLS</dt>
<dd><a href="http://www.ietf.org/rfc/rfc2246.txt"><cite>The
TLS Protocol Version 1.0</cite></a>; T. Dierks, C. Allen;
IETF RFC 2246; 1999.</dd>
<dt class="label"><a name="ten-usability-heuristics" id=
"ten-usability-heuristics"></a>Ten Usability
Heuristics</dt>
<dd><a href=
"http://www.useit.com/papers/heuristic/heuristic_list.html">
<cite>Ten Usability Heuristics</cite></a>; Jakob Nielsen;
<a href="http://www.useit.com">useit.com</a>; 1994.</dd>
<dt class="label"><a name="tiny-fingers" id=
"tiny-fingers"></a>Tiny Fingers</dt>
<dd><cite>Prototyping for tiny fingers</cite>; M. Rettig;
Communications of the ACM, Vol. 37, No. 4, April 1994.</dd>
<dt class="label"><a name="users-conceptions" id=
"users-conceptions"></a>Users' conceptions</dt>
<dd><a href=
"http://projects.ischool.washington.edu/vsd/files/friedman02websecurity.pdf">
<cite>Users' Conceptions of Web Security: A Comparative
Study</cite></a>; B. Friedman, D. Hurley, D.C. Howe, E.
Felten, H. Nissenbaum; Conference on Human Factors in
Computing Systems (CHI 2002); 2002.</dd>
<dt class="label"><a name="w3c-process" id=
"w3c-process"></a>W3C Process</dt>
<dd><a href=
"http://www.w3.org/2005/10/Process-20051014/process.html"><cite>
World Wide Web Consortium Process Document</cite></a>; Ian
Jacobs; W3C; 2005.</dd>
<dt class="label"><a name="w3c-testing" id=
"w3c-testing"></a>W3C Testing</dt>
<dd><a href=
"http://www.w3.org/QA/WG/2005/01/test-faq"><cite>Test
Development FAQ</cite></a>; W3C Quality Assurance;
2005.</dd>
<dt class="label"><a name="wcag" id="wcag"></a>WCAG</dt>
<dd><a href="http://www.w3.org/TR/WAI-WEBCONTENT"><cite>Web
Content Accessibility Guidelines 1.0</cite></a>; Wendy
Chisholm, Gregg Vanderheiden, Ian Jacobs; W3C
Recommendation; 1999.</dd>
<dt class="label"><a name="web-arch" id=
"web-arch"></a>WEBARCH</dt>
<dd><a href=
"http://www.w3.org/TR/webarch/"><cite>Architecture of the
World Wide Web, Volume One</cite></a>; Ian Jacobs, Norman
Walsh; W3C Recommendation; 2004.</dd>
<dt class="label"><a name="wsc-charter" id=
"wsc-charter"></a>WSC-CHARTER</dt>
<dd><a href=
"http://www.w3.org/2005/Security/wsc-charter"><cite>Web
Security Context Working Group Charter</cite></a>. World
Wide Web Consortium, last modified 17 October 2007. This
version is http://www.w3.org/2005/Security/wsc-charter.</dd>
<dt class="label"><a name="ref-wsc-threats" id=
"ref-wsc-threats"></a>WSC-THREATS</dt>
<dd><a href=
"http://www.w3.org/TR/2007/NOTE-wsc-threats-20071101/"><cite>
Web User Interaction: Threat Trees</cite></a>, T. Roessler,
Editor, Working Group Note (work in progress), 1 November 2007.
This version is
http://www.w3.org/TR/2007/NOTE-wsc-threats-20071101/. The
<a href="http://www.w3.org/TR/wsc-threats/">latest
version</a> is available at
http://www.w3.org/TR/wsc-threats/.</dd>
<dt class="label"><a name="why-phishing-works" id=
"why-phishing-works"></a>Why Phishing Works</dt>
<dd><a href=
"http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf">
<cite>Why Phishing Works</cite></a>; Rachna Dhamija, J.D.
Tygar and Marti Hearst; Conference on Human Factors in
Computing Systems (CHI 2006); 2006.</dd>
</dl>
</div>
</div>
</body>
</html>