the cups blog

07-23-08

SOAPS: Standards, Usable Security, and Accessibility: Can we constrain the problem any further?

Mary Ellen Zurko

  • Mary is chair of the W3C’s Web Security Context Working Group – first standards effort in usable security
    • Recommendation for display security context information, server identity, security error handling, TLS user trust, robustness of channel for security information
  • * Bringing in accessibility:
    • W3C has an explicit commitment to accessibility in all work.
    • Many of best practices for presenting usable security context presume visual display
    • Current assistive technologies don’t even make the browser security cues available (ie, screenreaders don’t announce the presence of the “padlock”)
    • Some user agents don’t even display the URL for https: cues
    • Have a single place to collect all the security context information that users can go to.

Logotypes in X.509 certificates

  • Visual and/or audio branding information to help with trust decisions
    • recommendations: have assistive technology speak text out loud when the user requests it
    • do _not_ automatically play the logotype or speak text
    • allow configuration of specific voices for security context information

Issues and questions:

  • Is there an accessibility analog to a consistent visual position for easy user reference?
  • What form does or should a non-intrusive notifcation take in the case where the risk level is not determined?
  • When attention must be paid to security information, do varying voice parameters ( pitch, voice choice, rate of speech) work?
  • Is there an audio equivalent of the information flooding attack?
  • Does allowing a configuration that speaks a password open a hole for a vulnerability that is otherwise unacceptable?