why your browser matters€¦ · © 2012 online trust alliance +1 425-455-7400 page 1 why your...

© 2012 Online Trust Alliance https://otalliance.org +1 425-455-7400

Why Your Browser Matters

promoting teachable moments

Craig Spiezle

Executive Director & President

Online Trust Alliance

[email protected]


• Role of the Browser

• Factors Impacting Adoption

• Benefits

• Innovation Overview

• Teachable Moments

• Case Studies

© 2012. All rights reserved. Online Trust Alliance Page 2

mailto:[email protected]


Role of the Browser

Web Sites – The Internet

Your ISP

Your Network

Your Browser


Status

• ~ 40% use of non-current browsers. – Lack integrated security protection and privacy

controls.

– Lead to stolen passwords, account takeover's, identity theft and loss of PII & business data.

– Lost productivity.

– Impact to their browsing experience.

• OTA best practice since 12/09 https://otalliance.org/resources/principles.html


https://otalliance.org/resources/principles.html


Impacting Adoption

• Awareness of benefits & risks

–Security

–Privacy

–Online Experience

• Corporate IT policies

• Legacy operating systems

• Compatibility with auto updating

© 2012. All rights reserved. Online Trust Alliance (OTA) Slide 5

Why Care - Sites & Brands

• Help protect site visitors & customers.

• Reduce risk of account takeovers.

• Development resources & testing.

• Plug-in & extensions dependency.

• Brand & domain protection.

• Reduce risk of employee data from being compromised.



Why Care - Performance

• Experience

–Performance & Capabilities

–Captivating graphics & animation

–3D graphics, HTML5, EV SSL, domain highlighting…


Windows Browser Review


• Chrome 17.0.963.66 m

• Internet Explorer 9

• Mozilla Firefox 10.0.2

• Opera 11.61

• Safari 5.1.2


Privacy Enhancing Chrome FF IE Opera Safari

Pop Up Blocker ● ● ● ● ●

Private Browsing ● ● ● ● ●

Do Not Track Header Extension ● ● ● ●

Tracking Lists Extension Extension ● Extension

Clear History ● ● ● ● ●

Preserve Opt-Out Cookies Extension

2

Clear Recent History ● ● 3

Preserve Favorites History ● ●


2 If the site of the cookies you are opting out of is added to your “favorites” and you select preserve favorites when deleting your history.

3 Does not offer the granularity (last hour), as offered in Chrome or FF

Privacy Innovation

DNT - Design Considerations

• Persistent, giving greater assurance to privacy-conscious users.

• Will apply to whatever underlying tracking technology is used: cookies, flash stored objects, browser fingerprinting, or future techniques.

• Will apply universally, so users are not required to take additional action for each new tracking service they might encounter

© 2012 All rights reserved. Online Trust Alliance (OTA) Slide 10


Do Not Track Header

• Why is it needed? (is it needed?) – Limitations of opt-out cookie, added controls

• Open issues – yet progress – 1st party vs third party

– Mixed content / mashups / analytics

– Do not track or do not collect

– Exception to allow list or favorites

– W3C discussions – next meeting April10/12 DC

http://www.computerworld.com/s/article/9224583/FAQ_What_Google_s_Do_Not_Track_move_means © 2012 All rights reserved. Online Trust Alliance (OTA) Slide 11

Do Not Track Header

• A simple HTTP header that will allow users to express a preference regarding being tracked online, and what is necessary to comply with the user's preference.

–1 - User prefers not to be tracked

–0 - User prefers to allow tracking

–null (no header sent) user has no preference.

–The default is to not send the header

© 2012 All rights reserved. Online Trust Alliance (OTA) Slide 12

http://www.computerworld.com/s/article/9224583/FAQ_What_Google_s_Do_Not_Track_move_means




Do Not Track Header

• DNT header field is hereby defined as the means for expressing a user's tracking preference via HTTP

DNT-field-name = "DNT" ; case-insensitive

DNT-field-value = ( "0" / "1" ) *DNT-extension ; case-sensitive

DNT-extension = %x21 / %x23-2B / %x2D-5B / %x5D-7E ; excludes CTL, SP, DQUOTE, comma, backslash

© 2012. All rights reserved. Online Trust Alliance (OTA) Slide 13

Security & Stability Chrome FF IE Opera Safari

Anti-Phishing ● ● ● ● ●

Outdated Plugins ● ● ActiveX

Auto-Updating ● ● ●

EV SSL Certificates ● ● ● ● ●

Cross Site Scripting ● ● ● ● ●

Domain Highlighting ● ● ● ● ●

Phishing / Malicious Sites URLs ● ● ● ● ●

Malware Downloads ● ● ● ● ●

Session / Tab Recovery ● ● ● ● ●

Sandboxing ● ● ●

Mixed Content (http vs https) ●

Application Reputation ● ●


= limited

Security Innovation




Consumer Education

• Impact and effectiveness of broad based campaigns.

• Limitations.

• Credibility.

• Awareness & Impressions ≠ Action


Solution

• Educate & enable at “point of browsing”

• Vendor neutral; no competitive migration

– Communicate the value proposition of security and privacy enhancements

• Customized referral re-direct pages

• Provide alternative in-page notification, directing users to click to re-direct page

– Point of interaction determined by site


Option In Page Notification

User visits a

site / page

Dynamic banner

in DOM presented

Current Yes Code / script on page completes a version check No

Upgrade

No

Yes

Opens new

page to

download @

Vendors Site

Page

rendered

Why Upgrade

Browsers 1 -4

No Action banner disappears User clicks and

is taken to why upgrade page



Concepts


https://otalliance.org/Browser/index-old%20browser.html


https://otalliance.org/Browser/index-old browser.html




https://otalliance.org/Browser/whyupgrade2.html


Case Studies

• PayPal

• PrivacyChoice

• Publishers Clearing House

• TicketMaster


Considerations

• Site abandonment if you do not support legacy browsers

• Failing to protect consumers by allowing the use of legacy browsers

• Friction vs fraud discussion

• Overhead and dev resources required by supporting legacy browsers

• Requirement of internal polices for employees and partner access to portals / intranets


PayPal




PayPal



PayPal – Why We Care

• Reduce risk of account take over via a compromised machine.

• Communicate to users PayPal care's about their security & privacy.

• Reduce support for legacy browsers.

• Take advantage of leading technologies.

• Lead industry to invest in security and privacy innovation.


Privacy Choice



Publishers Clearing House


PCH - 120 Day Results

• 34% of IE 6 & 25% of FF users upgraded.

• Huge impact on dev and QA.

• Allows us to grow as developers and not write (as much) browser specific code.

• More quickly roll out updates of our browser rules to our entire network.

• Focus testing against the latest browsers.

• Users are better protected and provided a better browsing experience.



Ticketmaster


Ticketmaster



Next Steps

• Audit usage on your site.

–OS & Browser

–Map to engagement

• Make Security & Privacy part of your value proposition.

• Validate internal usage.

• Consider point of notice.

–Pre or Post transaction


Summary

• Upgrading Users (& employees) is good for your brand the ecosystem and your business.

• Need to support Privacy and security innovation.

• Embrace, supports user choice, controls and self-regulation.



We Need Your Support

• Requires a Multi-Stakeholder Review

• Silo Mentality = Failure

Security Privacy Marketing

Advertising & Ops


More Information

• Why Your Browser Matters

–https://otalliance.org/browser

• Related Efforts https://otalliance.org

–Data Protection & Breach Readiness

–Always On SSL

–Anti-Malvertising

–Email Authentication & DMARC

–Botnet Remediation


https://otalliance.org/browser

https://otalliance.org/

why your browser matters€¦ · © 2012 online trust alliance +1 425-455-7400 page 1 why your...

Documents