Beyond the Padlock: New Ideas in Browser Security UI
Johnathan Nightingale, Human Shield, Mozilla Corporation
johnath@mozilla.com
why are you here?

maybe you’re a security geek
or a visual designer
maybe you just like Firefoxes (Who doesn’t?)
you’re someone who cares about security UI
and how we can make it better
why am I here?

who am i: human shield?
usability / security / coding
why do we care?

because the internet is not a safe place
because the threats are changing
“Technology such as cloned part-robot humans used by organised crime gangs pose the greatest future challenge to police, along with online scamming.”
Australian Federal Police (AFP) Commissioner Mick Keelty
because most existing UI is sparse...
(A padlock. We’ll come back to this.)
...incomprehensible...
...and maybe not too carefully designed.
“Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard,” he laughs.
John Shepherd-Barron, Inventor of the ATM, on PIN length
because we can do better

the plan

• Security UI in 5 Easy Steps
• The Padlock: A Cautionary Tale
• Larry: More better?
• Thinking About the Future
• Your turn
five rules for security UI

Be Meaningful: Use clear language and concepts. Avoid ambiguity.
Be Relevant: Focus on what matters to your users, not your compiler.
Be Robust: Don’t build user trust around indicators that can be easily subverted.
Be Available: Don’t disappear when your users need you most.
Be Brave: Sometimes you have to make the call on your users’ behalf.

Meaningful, Relevant, Robust, Available, Brave. Handy Mnemonic... MRRAB?
applying the rules
the padlock

it’s ubiquitous: we’ve got one, so does microsoft, safari too, opera has 3 kinds
it’s really ubiquitous
but is it good UI?
Remember MRRAB
Meaningful - Not really.
Relevant - Fairly.
Robust - Barely.
Available - Only when you don’t need it.
Brave - Sure.

C-
doing better: an identity indicator in primary chrome

identity
Let’s stop talking about safety, since we were never any good at that anyhow.
Let’s talk about what we can know.
It’s valuable, in and of itself, to know who you’re dealing with online.

EV
There is a new breed of SSL Certificate now called “Extended Validation.”
The identity information in these certificates is vetted in a standardized, robust way.
Hooray.
http://www.cabforum.org/
meet larry
in Firefox 3, Larry will indicate identity
even on non-EV sites, Larry will be around
(* Mockups change. Don’t over-report.)
MRRAB?
Meaningful - Identity, period.
Relevant - Knowing identity matters.
Robust - EV Certificates are hard to fake.
Available - Larry is always around.
Brave - Killing the padlock is scary stuff.

A+++!
B?
more to think about
Larry vs. padlock is hardly the only security UI that matters:
malware protection
secondary information
security warnings
private browsing
password manager

W3C WSC
Web Security Context Working Group
http://www.w3.org/2006/WSC/
Software Companies
Standards Bodies
Professional Organizations
Certificate Authorities
Academics
recommendations being considered
Safe Browsing Whitelist
Browser Lock Down
Personally Identifiable Information Bar
Page Security Scoring
Identity Indicator in Primary Chrome ☺

we also throw some crazier ideas around
can we make better use of past actions?

“You’ve been to this site before”
“Nothing’s changed since the last time you were here”
“You’re sending a password to a site you’ve never visited”
how about social networks?

“7 of your Facebook friends have purchased things from this site”
“Your grandchild who knows computers says this site is fine.”
“This site has 25 unresolved complaints according to BBB, and a reseller rating of 6.2”
can we stop phishing with tech smarts?

Secure Remote Password Protocol
Let the browser handle password generation
Watch for credit card numbers going out on the wire
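As an added example (not code from the slides, from Mozilla or from Firefox), here is a toy JavaScript model of two ideas from the slides above: warnings derived from past actions, and watching for credit card numbers going out on the wire. The host names, certificate fingerprints and form values are constructed, and treating an unchanged certificate fingerprint as "nothing's changed" is this example's own assumption.

```javascript
// Added example, not from the slides: a toy model of two ideas the deck floats,
// warnings derived from past actions and a check for payment card numbers
// leaving on the wire. Every host, fingerprint and form value is constructed;
// "nothing's changed" is modelled as an unchanged certificate fingerprint (assumption).

class SiteHistory {
  constructor() {
    this.sites = new Map(); // host -> { visits, certFingerprint }
  }

  // Record a visit and describe it relative to what the browser knew before.
  recordVisit(host, certFingerprint) {
    const prev = this.sites.get(host);
    let note;
    if (!prev) {
      note = "You have never been to this site before";
    } else if (prev.certFingerprint === certFingerprint) {
      note = "You've been to this site before and nothing's changed";
    } else {
      note = "You've been here before, but the site's identity has changed";
    }
    this.sites.set(host, { visits: (prev ? prev.visits : 0) + 1, certFingerprint });
    return note;
  }

  hasVisited(host) {
    return this.sites.has(host);
  }
}

// Luhn checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value looks like a card number if, with spaces and dashes removed, it is
// 13 to 19 digits and passes Luhn; most order and phone numbers fail one test.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  return luhnValid(digits);
}

// Inspect an outgoing form submission and return the warnings to show.
// submission is { host, scheme, fields: [{ name, type, value }] }.
function inspectSubmission(history, submission) {
  const { host, scheme, fields } = submission;
  const warnings = [];
  if (fields.some((f) => f.type === "password") && !history.hasVisited(host)) {
    warnings.push(`You're sending a password to a site you've never visited (${host})`);
  }
  for (const f of fields) {
    if (looksLikeCardNumber(f.value)) {
      let msg = `A credit card number is going out on the wire to ${host} (field "${f.name}")`;
      if (scheme !== "https") msg += " over an unencrypted connection";
      warnings.push(msg);
    }
  }
  return warnings;
}

// Constructed walk-through: three visits to a known shop, then a submission to
// a never-seen look-alike host and one to the known shop.
function demo() {
  const history = new SiteHistory();
  const notes = [
    history.recordVisit("shop.example", "fp:aaaa"),
    history.recordVisit("shop.example", "fp:aaaa"),
    history.recordVisit("shop.example", "fp:bbbb"), // certificate changed
  ];
  const lookalike = inspectSubmission(history, {
    host: "shop-example.test",
    scheme: "http",
    fields: [
      { name: "user", type: "text", value: "alice" },
      { name: "pass", type: "password", value: "demo-secret" },
      { name: "card", type: "text", value: "4111 1111 1111 1111" }, // Luhn-valid test number
      { name: "order", type: "text", value: "4111 1111 1111 1112" }, // fails Luhn
    ],
  });
  const known = inspectSubmission(history, {
    host: "shop.example",
    scheme: "https",
    fields: [{ name: "pass", type: "password", value: "demo-secret" }],
  });
  return { notes, lookalike, known };
}

console.log(demo());
```

A real browser would key the history on origin rather than bare host and would have to decide how long "never visited" should remain true; the sketch only shows where each of the slide's messages would come from.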
and don’t forget...

It has to work for internationalization.
It has to work for accessibility.
It has to work for mobile.
bedtime reading
Peter Gutmann
Phishing Tips and Techniques
http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf

Rachna Dhamija
Why Phishing Works
http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf

W3C WSC’s Shared Bookmarks
http://www.w3.org/2006/WSC/wiki/SharedBookmarks
your turn
credits
•   Security Geek - http://flickr.com/photos/oblivion/351874401/
•   Mountain Lion - http://flickr.com/photos/ekai/457004988/
•   Red Panda - http://flickr.com/photos/takenzen/184693555
•   Phishing/Malware stats - http://apwg.com/reports/apwg_report_may_2007.pdf
•   Robot Clones Quote - http://www.theage.com.au/news/national/top-cop-predicts-robot-crimewave/2007/07/06/1183351416078.html
•   Robot - http://www.sxc.hu/photo/502945
•   Shepherd-Barron on ATM Pins - http://news.bbc.co.uk/2/hi/business/6230194.stm
•   Traffic Tree - http://flickr.com/photos/oobrien/7597395/
•   Freddy the Fox - http://flickr.com/photos/roblee/207435086/
•   Squity the Goose - http://flickr.com/photos/59547396@N00/63778062
•   No Road Markings - http://flickr.com/photos/lwr/498246175/
•   Brave Kitten - http://flickr.com/photos/malingering/69853302/
•   Passport Agent (Larry) - http://www.aiga.org/content.cfm/symbol-signs
•   Footprints - http://www.sxc.hu/photo/573584
•   Paper Men - http://www.sxc.hu/photo/431214
•   No Fishing - http://www.sxc.hu/photo/791573
•   Cell Phone - http://www.sxc.hu/photo/175602
•   Microphone - http://www.sxc.hu/photo/793650
