![Page 1: Beyond The Padlock: New Ideas in Browser Security UI](https://reader034.vdocuments.us/reader034/viewer/2022051412/5482b1bab47959f60c8b4877/html5/thumbnails/1.jpg)
Beyond the Padlock
New Ideas in Browser Security UI
Johnathan Nightingale, Human Shield
Mozilla [email protected]
why are you here?
maybe you’re a security geek
or a visual designer
maybe you just like Firefoxes (Who doesn’t?)
you’re someone who cares about security UI
you’re someone who cares about security UI and how we can make it better
why am I here?
who am i? human shield?
usability security
coding
why do we care?
![Page 13: Beyond The Padlock: New Ideas in Browser Security UI](https://reader034.vdocuments.us/reader034/viewer/2022051412/5482b1bab47959f60c8b4877/html5/thumbnails/13.jpg)
because the internet is not a safe place
![Page 14: Beyond The Padlock: New Ideas in Browser Security UI](https://reader034.vdocuments.us/reader034/viewer/2022051412/5482b1bab47959f60c8b4877/html5/thumbnails/14.jpg)
because the internet is not a safe place
![Page 15: Beyond The Padlock: New Ideas in Browser Security UI](https://reader034.vdocuments.us/reader034/viewer/2022051412/5482b1bab47959f60c8b4877/html5/thumbnails/15.jpg)
because the internet is not a safe place
![Page 16: Beyond The Padlock: New Ideas in Browser Security UI](https://reader034.vdocuments.us/reader034/viewer/2022051412/5482b1bab47959f60c8b4877/html5/thumbnails/16.jpg)
because the threats are changing
“Technology such as cloned part-robot humans used by organised
crime gangs pose the greatest future challenge to police, along
with online scamming.”
Australian Federal Police (AFP) Commissioner Mick Keelty
![Page 17: Beyond The Padlock: New Ideas in Browser Security UI](https://reader034.vdocuments.us/reader034/viewer/2022051412/5482b1bab47959f60c8b4877/html5/thumbnails/17.jpg)
because most existing UI is sparse...
(A padlock. We’ll come back to this.)
![Page 18: Beyond The Padlock: New Ideas in Browser Security UI](https://reader034.vdocuments.us/reader034/viewer/2022051412/5482b1bab47959f60c8b4877/html5/thumbnails/18.jpg)
...incomprehensible...
![Page 19: Beyond The Padlock: New Ideas in Browser Security UI](https://reader034.vdocuments.us/reader034/viewer/2022051412/5482b1bab47959f60c8b4877/html5/thumbnails/19.jpg)
...and maybe not too carefully designed.
"Over the kitchen table, she said she could only remember four figures, so because of
her, four figures became the world standard," he laughs.
John Shepherd-Barron, Inventor of the ATM, on PIN length
![Page 20: Beyond The Padlock: New Ideas in Browser Security UI](https://reader034.vdocuments.us/reader034/viewer/2022051412/5482b1bab47959f60c8b4877/html5/thumbnails/20.jpg)
because we can do better
the plan
• Security UI in 5 Easy Steps
• The Padlock: A Cautionary Tale
• Larry: More better?
• Thinking About the Future
• Your turn
five rules for security UI
Be Meaningful
Use clear language and concepts. Avoid ambiguity.
Be Relevant
Focus on what matters to your users, not your compiler.
Be Robust
Don’t build user trust around indicators that can be easily subverted.
Be Available
Don’t disappear when your users need you most.
Be Brave
Sometimes you have to make the call on your users’ behalf.
Meaningful
Relevant
Robust
Available
Brave
Handy Mnemonic... MRRAB?
applying the rules
the padlock
it’s ubiquitous
we’ve got one
so does microsoft
opera has 3 kinds
safari too
it’s really ubiquitous
but is it good UI?
Remember MRRAB
Meaningful - Not really.
Relevant - Fairly.
Robust - Barely.
Available - Only when you don’t need it.
Brave - Sure.
C-
doing better
an identity indicator in primary chrome
identity
Let’s stop talking about safety, since we were never any good at that anyhow.
Let’s talk about what we can know.
It’s valuable, in and of itself, to know who you’re dealing with online.
EV
There is a new breed of SSL Certificate now called “Extended Validation.”
The identity information in these certificates is vetted in a standardized, robust way.
Hooray.
http://www.cabforum.org/
meet larry
in Firefox 3, Larry will indicate identity
(* Mockups change. Don’t over-report.)
even on non-EV sites, Larry will be around
(* Mockups change. Don’t over-report.)
MRRAB?
Meaningful - Identity, period.
Relevant - Knowing identity matters.
Robust - EV Certificates are hard to fake.
Available - Larry is always around.
Brave - Killing the padlock is scary stuff.
A+++!
B?
more to think about
Larry vs. padlock is hardly the only security UI that matters
malware protection
secondary information
security warnings
private browsing
password manager
W3C WSC
Web Security Context Working Group
http://www.w3.org/2006/WSC/
Software Companies
Standards Bodies
Professional Organizations
Certificate Authorities
Academics
recommendations being considered
Safe Browsing Whitelist
Browser Lock Down
Personally Identifiable Information Bar
Page Security Scoring
Identity Indicator in Primary Chrome ☺
we also throw some crazier ideas around
can we make better use of past actions?
“You’ve been to this site before”
“Nothing’s changed since the last time you were here”
“You’re sending a password to a site you’ve never visited”
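The three messages above can all be justified from records the browser already keeps. As an added example (not the talk’s or Firefox’s code), here is a small model of that: a per-site memory of visit count and last-seen certificate fingerprint, consulted when a form with a password field is about to be posted. The history store, site names and fingerprints are constructed.

```python
"""Turning browsing history into "past actions" messages.

Added example, not from the talk or from any browser: the browser remembers,
per origin, how often it has been visited and which certificate it presented,
and uses that memory when a form is about to be submitted. All origins and
fingerprints here are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SiteMemory:
    visits: int
    cert_fingerprint: Optional[str]   # None for plain http sites


@dataclass(frozen=True)
class Submission:
    origin: str                       # scheme://host the form posts to
    has_password: bool                # form contains a password field
    cert_fingerprint: Optional[str]   # certificate seen on this connection


History = Dict[str, SiteMemory]


def record_visit(history: History, origin: str, cert_fingerprint: Optional[str]) -> None:
    """Update the per-origin memory after a page load."""
    mem = history.get(origin)
    if mem is None:
        history[origin] = SiteMemory(1, cert_fingerprint)
    else:
        mem.visits += 1
        mem.cert_fingerprint = cert_fingerprint


def advise(history: History, sub: Submission) -> List[str]:
    """Messages the browser can back with its own records, most important first."""
    seen = history.get(sub.origin)
    if seen is None:
        # A first visit is unremarkable for browsing, notable for a credential.
        if sub.has_password:
            return ["You're sending a password to a site you've never visited"]
        return ["You've never been to this site before"]
    msgs = [f"You've been to this site before ({seen.visits} visits)"]
    if seen.cert_fingerprint == sub.cert_fingerprint:
        msgs.append("Nothing's changed since the last time you were here")
    else:
        msgs.append("This site's certificate is different from the last time you were here")
    return msgs


if __name__ == "__main__":
    history: History = {}
    record_visit(history, "https://bank.example", "fp-A")   # constructed
    record_visit(history, "https://bank.example", "fp-A")
    for sub in [Submission("https://bank.example", True, "fp-A"),
                Submission("https://bank.example", True, "fp-B"),
                Submission("https://bank-login.example", True, "fp-C")]:
        print(sub.origin, "->", advise(history, sub))
```

The value is in the third case: a lookalike origin has no history at all, so the message fires exactly when the user is about to hand a password to a site that only resembles one they know. “Nothing’s changed” is backed by comparing the remembered certificate, not by the page looking the same.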
how about social networks?
“7 of your Facebook friends have purchased things from this site”
“Your grandchild who knows computers says this site is fine.”
“This site has 25 unresolved complaints according to BBB, and a reseller rating of 6.2”
can we stop phishing with tech smarts?
Secure Remote Password Protocol
Let the browser handle password generation
Watch for credit card numbers going out on the wire
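The last idea, watching for card numbers on the way out, as an added example that is not from the talk or from any browser: a check run over form fields just before submission. A candidate is 13 to 19 digits, optionally grouped with spaces or dashes, that passes the Luhn checksum; combined with the visit history the browser keeps anyway, a hit bound for a site the user has never been to is the one worth interrupting for. The sample fields are constructed, and 4111 1111 1111 1111 is the well-known test number, not a real account.

```python
"""Spotting a card number in an outgoing form submission.

Added example, not from the talk or any browser: the check a browser could
run over form fields before they leave the machine. Sample data is constructed.
"""
import re
from typing import Dict, List, Set

# 13 to 19 digits, each optionally followed by one space or dash, not embedded
# in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return digits-only candidates from `text` that pass the Luhn check."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def check_submission(fields: Dict[str, str], origin: str, known_sites: Set[str]) -> List[str]:
    """Warnings for a form about to be posted to `origin`; the number is never echoed whole."""
    warnings = []
    for name, value in fields.items():
        for number in find_card_numbers(value):
            masked = "*" * (len(number) - 4) + number[-4:]
            if origin not in known_sites:
                warnings.append(f"Field '{name}' contains card number {masked}; "
                                f"you have never visited {origin}")
            else:
                warnings.append(f"Field '{name}' contains card number {masked}")
    return warnings


if __name__ == "__main__":
    # Constructed form data; 4111 1111 1111 1111 is the standard test number.
    fields = {"cc": "4111-1111-1111-1111", "note": "order 1234567890123456", "name": "A. Person"}
    print(check_submission(fields, "https://shop.example", set()))
    print(check_submission(fields, "https://shop.example", {"https://shop.example"}))
```

Luhn accepts roughly one random digit string in ten, so order numbers and tracking ids will occasionally trip the detector; the “Relevant” rule is the reason for gating the interruption on the site being unfamiliar, so the warning stays rare enough to be believed when it does appear.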
and don’t forget...
It has to work for internationalization.
It has to work for accessibility.
It has to work for mobile.
bedtime reading
Peter Gutmann, Phishing Tips and Techniques
http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf
Rachna Dhamija, Why Phishing Works
http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
W3C WSC’s Shared Bookmarks
http://www.w3.org/2006/WSC/wiki/SharedBookmarks
your turn
credits
• Security Geek - http://flickr.com/photos/oblivion/351874401/
• Mountain Lion - http://flickr.com/photos/ekai/457004988/
• Red Panda - http://flickr.com/photos/takenzen/184693555
• Phishing/Malware stats - http://apwg.com/reports/apwg_report_may_2007.pdf
• Robot Clones Quote - http://www.theage.com.au/news/national/top-cop-predicts-robot-crimewave/2007/07/06/1183351416078.html
• Robot - http://www.sxc.hu/photo/502945
• Shepherd-Barron on ATM Pins - http://news.bbc.co.uk/2/hi/business/6230194.stm
• Traffic Tree - http://flickr.com/photos/oobrien/7597395/
• Freddy the Fox - http://flickr.com/photos/roblee/207435086/
• Squity the Goose - http://flickr.com/photos/59547396@N00/63778062
• No Road Markings - http://flickr.com/photos/lwr/498246175/
• Brave Kitten - http://flickr.com/photos/malingering/69853302/
• Passport Agent (Larry) - http://www.aiga.org/content.cfm/symbol-signs
• Footprints - http://www.sxc.hu/photo/573584
• Paper Men - http://www.sxc.hu/photo/431214
• No Fishing - http://www.sxc.hu/photo/791573
• Cell Phone - http://www.sxc.hu/photo/175602
• Microphone - http://www.sxc.hu/photo/793650