Uploaded on

 

More in: Business , Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
409
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Beyond the Padlock Security UI for the Distracted Johnathan Nightingale Human Shield Mozilla Corporation
  • 2. why are you here?
  • 3. maybe you’re a security geek
  • 4. or a visual designer
  • 5. maybe you just like Firefoxen (Who doesn’t?)
  • 6. you’re someone who cares about security UI
  • 7. you’re someone who cares about security UI and how we can make it better
  • 8. why am I here?
  • 9. human who am i shield?
  • 10. usability security coding
  • 11. usability security coding
  • 12. why do we care?
  • 13. because the internet is not a safe place
  • 14. because the internet is not a safe place
  • 15. because the internet is not a safe place
  • 16. because the threats are changing Technology such as cloned part- robot humans used by organised crime gangs pose the greatest future challenge to police, along with online scamming. Australian Federal Police (AFP) Commissioner Mick Keelty
  • 17. because most existing UI is sparse... (A padlock. We’ll come back to this.)
  • 18. ...incomprehensible...
  • 19. ...and maybe not too carefully designed. quot;Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard,quot; he laughs. John Shepherd-Barron, Inventor of the ATM, on PIN length
  • 20. because we can do better
  • 21. the plan • Security UI in 5 Easy Steps • The Padlock: A Cautionary Tale • Larry: More better • Thinking About the Future • Your turn
  • 22. five rules for security UI
  • 23. Be Meaningful Use clear language and concepts. Avoid ambiguity.
  • 24. Be Relevant Focus on what matters to your users, not your compiler.
  • 25. Be Robust Don’t build user trust around indicators that can be easily subverted.
  • 26. Be Available Do not expect your users to notice the absence of an indicator.
  • 27. Be Brave Sometimes you have to make the call on your users’ behalf.
  • 28. Meaningful Relevant Robust Available Brave Handy Mnemonic... MRRAB?
  • 29. applying the rules
  • 30. the padlock
  • 31. it’s ubiquitous we’ve got one so does microsoft safari too opera has 3 kinds
  • 32. it’s ubiquitous we’ve got one so does microsoft safari too opera has 3 kinds
  • 33. it’s really ubiquitous
  • 34. it’s really ubiquitous
  • 35. but is it good UI?
  • 36. Remember MRRAB Meaningful - ?
  • 37. Remember MRRAB Meaningful - Not really. Relevant - ?
  • 38. Remember MRRAB Meaningful - Not really. Relevant - Fairly. Robust - ?
  • 39. Remember MRRAB Meaningful - Not really. Relevant - Fairly. Robust - Barely. Available - ?
  • 40. Remember MRRAB Meaningful - Not really. Relevant - Fairly. Robust - Barely. Available - Only when you don’t need it. Brave - ?
  • 41. Remember MRRAB Meaningful - Not really. Relevant - Fairly. Robust - Barely. Available - Only when you don’t need it. Brave - Sure. C-
  • 42. doing better an identity indicator in primary chrome
  • 43. identity Let’s stop talking about safety, since we were never any good at that anyhow. Let’s talk about what we can know.
  • 44. EV There is a new breed of SSL Certificate now called “Extended Validation.” The identity information in these certificates is vetted in a standardized, robust way. Hooray. http://www.cabforum.org/
  • 45. meet larry
  • 46. in Firefox 3, Larry will indicate identity (* Mockups change. Don’t over-report.)
  • 47. even on non-EV sites, Larry will be around (* Mockups change. Don’t over-report.)
  • 48. MRRAB?
  • 49. Meaningful - Identity, period. Relevant - Knowing identity matters. Robust - EV Certificates are hard to fake. Available - Larry is always around. Brave - Killing the padlock is scary stuff.
  • 50. A+++! Meaningful - Identity, period. Relevant - Knowing identity matters. Robust - EV Certificates are hard to fake. Available - Larry is always around. Brave - Killing the padlock is scary stuff.
  • 51. B? Meaningful - Identity, period. Relevant - Knowing identity matters. Robust - EV Certificates are hard to fake. Available - Larry is always around. Brave - Killing the padlock is scary stuff.
  • 52. more to think about Larry vs. padlock is hardly the only security UI that matters
  • 53. malware protection
  • 54. secondary information
  • 55. security warnings
  • 56. private browsing
  • 57. even the humble location bar
  • 58. W3C WSC Web Security Context Working Group http://www.w3.org/2006/WSC/ Software Companies Standards Bodies Professional Organizations Certificate Authorities Academics
  • 59. recommendations being considered Safe Browsing Whitelist Browser Lock Down Personally Identifiable Information Bar Page Security Scoring Identity Indicator in Primary Chrome ☺
  • 60. we also throw some crazier ideas around
  • 61. can we make better use of past actions? “You’ve been to this site before” “Nothing’s changed since the last time you were here” “You’re sending a password to a site you’ve never visited”
  • 62. how about social networks? “7 of your Facebook friends have purchased things from this site” “Your grandchild who knows computers says this site is fine.” “This site has 25 unresolved complaints according to BBB, and a reseller rating of 6.2”
  • 63. can we stop phishing with tech smarts? Secure Remote Password Protocol Let the browser handle password generation Watch for credit card numbers going out on the wire
  • 64. and don’t forget... It has to work for internationalization. It has to work for accessibility. It has to work for mobile.
  • 65. bedtime reading Peter Gutmann Phishing Tips and Techniques http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf Rachna Dhamija Why Phishing Works http://people.deas.harvard.edu/~rachna/papers/ why_phishing_works.pdf W3C WSC’s Shared Bookmarks http://www.w3.org/2006/WSC/wiki/SharedBookmarks
  • 66. your turn
  • 67. credits • Security Geek - http://flickr.com/photos/oblivion/351874401/ • Mountain Lion - http://flickr.com/photos/ekai/457004988/ • Red Panda - http://flickr.com/photos/takenzen/184693555 • Phishing/Malware stats - http://apwg.com/reports/apwg_report_may_2007.pdf • Robot Clones Quote - http://www.theage.com.au/news/national/top-cop-predicts- robot-crimewave/2007/07/06/1183351416078.html • Robot - http://www.sxc.hu/photo/502945 • Shepherd-Barron on ATM Pins - http://news.bbc.co.uk/2/hi/business/6230194.stm • Traffic Tree - http://flickr.com/photos/oobrien/7597395/ • Freddy the Fox - http://flickr.com/photos/roblee/207435086/ • Squity the Goose - http://flickr.com/photos/59547396@N00/63778062 • No Road Markings - http://flickr.com/photos/lwr/498246175/ • Brave Kitten - http://flickr.com/photos/malingering/69853302/ • Passport Agent (Larry) - http://www.aiga.org/content.cfm/symbol-signs • Footprints - http://www.sxc.hu/photo/573584 • Paper Men - http://www.sxc.hu/photo/431214 • No Fishing - http://www.sxc.hu/photo/791573 • Cell Phone - http://www.sxc.hu/photo/175602 • Microphone - http://www.sxc.hu/photo/793650
  • 68. credits • Security Geek - http://flickr.com/photos/oblivion/351874401/ • Mountain Lion - http://flickr.com/photos/ekai/457004988/ • Red Panda - http://flickr.com/photos/takenzen/184693555 • Phishing/Malware stats - http://apwg.com/reports/apwg_report_may_2007.pdf • Robot Clones Quote - http://www.theage.com.au/news/national/top-cop-predicts- robot-crimewave/2007/07/06/1183351416078.html • Robot - http://www.sxc.hu/photo/502945 • Shepherd-Barron on ATM Pins - http://news.bbc.co.uk/2/hi/business/6230194.stm • Traffic Tree - http://flickr.com/photos/oobrien/7597395/ • Freddy the Fox - http://flickr.com/photos/roblee/207435086/ • Squity the Goose - http://flickr.com/photos/59547396@N00/63778062 • No Road Markings - http://flickr.com/photos/lwr/498246175/ • Brave Kitten - http://flickr.com/photos/malingering/69853302/ • Passport Agent (Larry) - http://www.aiga.org/content.cfm/symbol-signs • Footprints - http://www.sxc.hu/photo/573584 • Paper Men - http://www.sxc.hu/photo/431214 • No Fishing - http://www.sxc.hu/photo/791573 • Cell Phone - http://www.sxc.hu/photo/175602 • Microphone - http://www.sxc.hu/photo/793650