Beyond the Padlock
Security UI for the Distracted

Johnathan Nightingale
Human Shield
Mozilla Corporation
why are you here?
maybe you’re a
security geek
or a visual designer
maybe you just like
Firefoxen
(Who doesn’t?)
you’re someone who
cares about security UI
and how we can make it
         better
why am I here?
who am i? human shield?
usability, security, coding
why do we care?
because the internet is
   not a safe place
because the threats are
       changing
"Technology such as cloned part-robot humans used by organised crime gangs pose the greatest future challenge to police, along with online scamming."

Australian Federal Police (AFP) Commissioner Mick Keelty
because most existing UI is sparse...
(A padlock. We’ll come back to this.)
...incomprehensible...
...and maybe not too carefully designed.

"Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard," he laughs.

John Shepherd-Barron, inventor of the ATM, on PIN length
because we can do
      better
the plan

• Security UI in 5 Easy Steps
• The Padlock: A Cautionary Tale
• Larry: More better
• Thinking About the Future
• Your turn
five rules for security UI
Be Meaningful
Use clear language and concepts.
        Avoid ambiguity.
Be Relevant
Focus on what matters to your
   users, not your compiler.
Be Robust
Don’t build user trust around indicators
     that can be easily subverted.
Be Available
Do not expect your users to notice the
       absence of an indicator.
Be Brave
Sometimes you have to make the call on
         your users’ behalf.
Meaningful
       Relevant
        Robust
       Available
        Brave
Handy Mnemonic... MRRAB?
applying the rules
the padlock
it’s ubiquitous
  we’ve got one
  so does microsoft
  safari too
  opera has 3 kinds
it’s really ubiquitous
but is it good UI?
Remember MRRAB
Meaningful - Not really.
Relevant - Fairly.
Robust - Barely.
Available - Only when you don’t need it.
Brave - Sure.

C-
doing better
an identity indicator in primary chrome
identity

Let’s stop talking about safety, since we
 were never any good at that anyhow.

  Let’s talk about what we can know.
EV
 There is a new breed of SSL Certificate now
         called “Extended Validation.”

The identity information in these certificates is
     vetted in a standardized, robust way.

                   Hooray.

          http://www.cabforum.org/
meet larry
in Firefox 3, Larry will indicate identity
even on non-EV sites, Larry will be around
(* Mockups change. Don’t over-report.)
MRRAB?
Meaningful - Identity, period.
Relevant - Knowing identity matters.
Robust - EV Certificates are hard to fake.
Available - Larry is always around.
Brave - Killing the padlock is scary stuff.

A+++!
...B?
more to think about
 Larry vs. padlock is hardly the
 only security UI that matters
malware protection
secondary information
security warnings
private browsing
even the humble
  location bar
W3C WSC
Web Security Context Working Group
http://www.w3.org/2006/WSC/
Software Companies, Standards Bodies, Professional Organizations, Certificate Authorities, Academics
recommendations being considered
Safe Browsing Whitelist
Browser Lock Down
Personally Identifiable Information Bar
Page Security Scoring
Identity Indicator in Primary Chrome ☺
we also throw some crazier ideas around
can we make better use of past actions?
“You’ve been to this site before”
“Nothing’s changed since the last time you were here”
“You’re sending a password to a site you’ve never visited”
how about social networks?
“7 of your Facebook friends have purchased things from this site”
“Your grandchild who knows computers says this site is fine.”
“This site has 25 unresolved complaints according to BBB, and a reseller rating of 6.2”
can we stop phishing with tech smarts?
Secure Remote Password Protocol
Let the browser handle password generation
Watch for credit card numbers going out on the wire
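"Watch for credit card numbers going out on the wire" is the most concrete of the three, so here is what that check could look like inside a browser, as an added example for this page rather than code from the slides or from any browser. It applies the Luhn checksum to each outgoing form value and only raises a warning when a card-looking value is about to leave over plaintext HTTP or go to an origin other than the page it was typed into. The field names, sample values, origins and the warning policy are all constructed for the example; the well-known test number 4111 1111 1111 1111 is used because it passes Luhn.

```javascript
// Added example, not from the original slides: a browser-side check for
// payment card numbers leaving in a form submission. Policy, sample
// fields and origins below are constructed for illustration.

// Luhn checksum, which every real payment card number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True when a value, with the spaces and dashes people type removed,
// is 13 to 19 digits long and passes Luhn. Runs of a single repeated
// digit (0000...) pass Luhn, so they are rejected separately.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  if (/^(\d)\1+$/.test(digits)) return false;
  return luhnValid(digits);
}

// Inspect a submission just before it leaves the browser. `fields` maps
// field names to values, `pageOrigin` is the origin of the page holding
// the form, `targetUrl` is the form action. Returns one warning per
// card-looking field that would travel over plaintext HTTP or to a
// different origin; an empty array means there is nothing to tell the user.
function assessSubmission(fields, pageOrigin, targetUrl) {
  const target = new URL(targetUrl);
  const warnings = [];
  for (const [name, value] of Object.entries(fields)) {
    if (!looksLikeCardNumber(value)) continue;
    if (target.protocol !== "https:") {
      warnings.push(`${name}: card number would be sent over plaintext HTTP`);
    } else if (target.origin !== pageOrigin) {
      warnings.push(`${name}: card number would be sent to ${target.origin}, not ${pageOrigin}`);
    }
  }
  return warnings;
}

// Constructed sample submission: one Luhn-valid test number, one that
// fails the checksum, and ordinary fields that must not trip the check.
const sampleFields = {
  username: "alice",
  card: "4111-1111-1111-1111",
  confirm: "4111 1111 1111 1112",
  phone: "0000000000000",
  note: "order 20070725",
};

// Same-origin HTTPS checkout: assessSubmission returns [] (nothing to show).
// Plaintext or cross-origin action: one warning naming the "card" field.
```

Luhn is a checksum, not a secret, so this will occasionally flag a 16-digit order number that happens to pass it; that is why the check only speaks up when the destination is also suspicious, rather than on every card-looking value.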
and don’t forget...

It has to work for internationalization.
It has to work for accessibility.
It has to work for mobile.
bedtime reading
Peter Gutmann, Phishing Tips and Techniques
http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf
Rachna Dhamija (with J. D. Tygar and Marti Hearst), Why Phishing Works
http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
W3C WSC’s Shared Bookmarks
http://www.w3.org/2006/WSC/wiki/SharedBookmarks
your turn
credits
•   Security Geek - http://flickr.com/photos/oblivion/351874401/
•   Mountain Lion - http://flickr.com/photos/ekai/457004988/
•   Red Panda - http://flickr.com/photos/takenzen/184693555
•   Phishing/Malware stats - http://apwg.com/reports/apwg_report_may_2007.pdf
•   Robot Clones Quote - http://www.theage.com.au/news/national/top-cop-predicts-robot-crimewave/2007/07/06/1183351416078.html
•   Robot - http://www.sxc.hu/photo/502945
•   Shepherd-Barron on ATM Pins - http://news.bbc.co.uk/2/hi/business/6230194.stm
•   Traffic Tree - http://flickr.com/photos/oobrien/7597395/
•   Freddy the Fox - http://flickr.com/photos/roblee/207435086/
•   Squity the Goose - http://flickr.com/photos/59547396@N00/63778062
•   No Road Markings - http://flickr.com/photos/lwr/498246175/
•   Brave Kitten - http://flickr.com/photos/malingering/69853302/
•   Passport Agent (Larry) - http://www.aiga.org/content.cfm/symbol-signs
•   Footprints - http://www.sxc.hu/photo/573584
•   Paper Men - http://www.sxc.hu/photo/431214
•   No Fishing - http://www.sxc.hu/photo/791573
•   Cell Phone - http://www.sxc.hu/photo/175602
•   Microphone - http://www.sxc.hu/photo/793650
Mais conteúdo relacionado

Destaque

Os Fetterupdated
Os FetterupdatedOs Fetterupdated
Os Fetterupdatedoscon2007
 
Os Nolen Gebhart
Os Nolen GebhartOs Nolen Gebhart
Os Nolen Gebhartoscon2007
 
Os Schlossnagle Theo
Os Schlossnagle TheoOs Schlossnagle Theo
Os Schlossnagle Theooscon2007
 
J Ruby Whirlwind Tour
J Ruby Whirlwind TourJ Ruby Whirlwind Tour
J Ruby Whirlwind Touroscon2007
 

Destaque (8)

Os Fetterupdated
Os FetterupdatedOs Fetterupdated
Os Fetterupdated
 
Os Lonergan
Os LonerganOs Lonergan
Os Lonergan
 
Os Leonard
Os LeonardOs Leonard
Os Leonard
 
Os Nolen Gebhart
Os Nolen GebhartOs Nolen Gebhart
Os Nolen Gebhart
 
Os Pittaro
Os PittaroOs Pittaro
Os Pittaro
 
Os Schlossnagle Theo
Os Schlossnagle TheoOs Schlossnagle Theo
Os Schlossnagle Theo
 
Os Vandeven
Os VandevenOs Vandeven
Os Vandeven
 
J Ruby Whirlwind Tour
J Ruby Whirlwind TourJ Ruby Whirlwind Tour
J Ruby Whirlwind Tour
 

Semelhante a Os Nightingale

Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksCiNPA Security SIG
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleJarrod Overson
 
Passwords in the Internet Age - Jim Salter
Passwords in the Internet Age - Jim SalterPasswords in the Internet Age - Jim Salter
Passwords in the Internet Age - Jim SalterIT-oLogy
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for ActivistsGreg Stromire
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorDavid Perkins
 
Keynote fx try harder 2 be yourself
Keynote fx   try harder 2 be yourselfKeynote fx   try harder 2 be yourself
Keynote fx try harder 2 be yourselfDefconRussia
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouE Hacking
 
PCI OWASP Course Storyboard
PCI OWASP Course StoryboardPCI OWASP Course Storyboard
PCI OWASP Course StoryboardJim Piechocki
 
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Eric Kolb
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareCyphort
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
 
Erlang - Because s**t Happens by Mahesh Paolini-Subramanya
Erlang - Because s**t Happens by Mahesh Paolini-SubramanyaErlang - Because s**t Happens by Mahesh Paolini-Subramanya
Erlang - Because s**t Happens by Mahesh Paolini-SubramanyaHakka Labs
 
Black Hat Protection - SEO Campixx 2011
Black Hat Protection - SEO Campixx 2011Black Hat Protection - SEO Campixx 2011
Black Hat Protection - SEO Campixx 2011Andre Alpar
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
Progscon cybercrime and the developer
Progscon cybercrime and the developerProgscon cybercrime and the developer
Progscon cybercrime and the developerSteve Poole
 
The Good The Bad The Virtual
The Good The Bad The VirtualThe Good The Bad The Virtual
The Good The Bad The VirtualClaudio Criscione
 
Your Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsYour Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsWSO2
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverEC-Council
 

Semelhante a Os Nightingale (20)

Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
 
Passwords in the Internet Age - Jim Salter
Passwords in the Internet Age - Jim SalterPasswords in the Internet Age - Jim Salter
Passwords in the Internet Age - Jim Salter
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for Activists
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your Favor
 
Keynote fx try harder 2 be yourself
Keynote fx   try harder 2 be yourselfKeynote fx   try harder 2 be yourself
Keynote fx try harder 2 be yourself
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing You
 
PCI OWASP Course Storyboard
PCI OWASP Course StoryboardPCI OWASP Course Storyboard
PCI OWASP Course Storyboard
 
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adware
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Erlang - Because s**t Happens by Mahesh Paolini-Subramanya
Erlang - Because s**t Happens by Mahesh Paolini-SubramanyaErlang - Because s**t Happens by Mahesh Paolini-Subramanya
Erlang - Because s**t Happens by Mahesh Paolini-Subramanya
 
Black Hat Protection - SEO Campixx 2011
Black Hat Protection - SEO Campixx 2011Black Hat Protection - SEO Campixx 2011
Black Hat Protection - SEO Campixx 2011
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoT
 
E-safety
E-safetyE-safety
E-safety
 
Progscon cybercrime and the developer
Progscon cybercrime and the developerProgscon cybercrime and the developer
Progscon cybercrime and the developer
 
The Good The Bad The Virtual
The Good The Bad The VirtualThe Good The Bad The Virtual
The Good The Bad The Virtual
 
Your Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsYour Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of Things
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
 

Mais de oscon2007

Solr Presentation5
Solr Presentation5Solr Presentation5
Solr Presentation5oscon2007
 
Os Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman WiifmOs Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman Wiifmoscon2007
 
Performance Whack A Mole
Performance Whack A MolePerformance Whack A Mole
Performance Whack A Moleoscon2007
 
Os Lanphier Brashears
Os Lanphier BrashearsOs Lanphier Brashears
Os Lanphier Brashearsoscon2007
 
Os Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman SwpOs Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman Swposcon2007
 
Os Berlin Dispelling Myths
Os Berlin Dispelling MythsOs Berlin Dispelling Myths
Os Berlin Dispelling Mythsoscon2007
 
Os Keysholistic
Os KeysholisticOs Keysholistic
Os Keysholisticoscon2007
 
Os Jonphillips
Os JonphillipsOs Jonphillips
Os Jonphillipsoscon2007
 
Os Urnerupdated
Os UrnerupdatedOs Urnerupdated
Os Urnerupdatedoscon2007
 
Adventures In Copyright Reform
Adventures In Copyright ReformAdventures In Copyright Reform
Adventures In Copyright Reformoscon2007
 

Mais de oscon2007 (20)

Solr Presentation5
Solr Presentation5Solr Presentation5
Solr Presentation5
 
Os Borger
Os BorgerOs Borger
Os Borger
 
Os Harkins
Os HarkinsOs Harkins
Os Harkins
 
Os Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman WiifmOs Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman Wiifm
 
Os Bunce
Os BunceOs Bunce
Os Bunce
 
Yuicss R7
Yuicss R7Yuicss R7
Yuicss R7
 
Performance Whack A Mole
Performance Whack A MolePerformance Whack A Mole
Performance Whack A Mole
 
Os Fogel
Os FogelOs Fogel
Os Fogel
 
Os Lanphier Brashears
Os Lanphier BrashearsOs Lanphier Brashears
Os Lanphier Brashears
 
Os Tucker
Os TuckerOs Tucker
Os Tucker
 
Os Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman SwpOs Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman Swp
 
Os Furlong
Os FurlongOs Furlong
Os Furlong
 
Os Berlin Dispelling Myths
Os Berlin Dispelling MythsOs Berlin Dispelling Myths
Os Berlin Dispelling Myths
 
Os Kimsal
Os KimsalOs Kimsal
Os Kimsal
 
Os Pruett
Os PruettOs Pruett
Os Pruett
 
Os Alrubaie
Os AlrubaieOs Alrubaie
Os Alrubaie
 
Os Keysholistic
Os KeysholisticOs Keysholistic
Os Keysholistic
 
Os Jonphillips
Os JonphillipsOs Jonphillips
Os Jonphillips
 
Os Urnerupdated
Os UrnerupdatedOs Urnerupdated
Os Urnerupdated
 
Adventures In Copyright Reform
Adventures In Copyright ReformAdventures In Copyright Reform
Adventures In Copyright Reform
 

Último

Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyThe Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyEthan lee
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdfCatalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdfOrient Homes
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...Paul Menig
 
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurVIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurSuhani Kapoor
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communicationskarancommunications
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayNZSG
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101  - Basics on Growth MarketingTech Startup Growth Hacking 101  - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingShawn Pang
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒anilsa9823
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...anilsa9823
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxAndy Lambert
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechNewman George Leech
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 

Último (20)

Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyThe Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdfCatalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...
 
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurVIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101  - Basics on Growth MarketingTech Startup Growth Hacking 101  - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman Leech
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 

Os Nightingale

  • 1. Beyond the Padlock Security UI for the Distracted Johnathan Nightingale Human Shield Mozilla Corporation
  • 2. why are you here?
  • 4. or a visual designer
  • 5. maybe you just like Firefoxen (Who doesn’t?)
  • 6. you’re someone who cares about security UI
  • 7. you’re someone who cares about security UI and how we can make it better
  • 8. why am I here?
  • 9. human who am i shield?
  • 10. usability security coding
  • 11. usability security coding
  • 12. why do we care?
  • 13. because the internet is not a safe place
  • 14. because the internet is not a safe place
  • 15. because the internet is not a safe place
  • 16. because the threats are changing Technology such as cloned part- robot humans used by organised crime gangs pose the greatest future challenge to police, along with online scamming. Australian Federal Police (AFP) Commissioner Mick Keelty
  • 17. because most existing UI is sparse... (A padlock. We’ll come back to this.)
  • 19. ...and maybe not too carefully designed. quot;Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard,quot; he laughs. John Shepherd-Barron, Inventor of the ATM, on PIN length
  • 20. because we can do better
  • 21. the plan • Security UI in 5 Easy Steps • The Padlock: A Cautionary Tale • Larry: More better • Thinking About the Future • Your turn
  • 22. five rules for security UI
  • 23. Be Meaningful Use clear language and concepts. Avoid ambiguity.
  • 24. Be Relevant Focus on what matters to your users, not your compiler.
  • 25. Be Robust Don’t build user trust around indicators that can be easily subverted.
  • 26. Be Available Do not expect your users to notice the absence of an indicator.
  • 27. Be Brave Sometimes you have to make the call on your users’ behalf.
  • 28. Meaningful Relevant Robust Available Brave Handy Mnemonic... MRRAB?
  • 31. it’s ubiquitous we’ve got one so does microsoft safari too opera has 3 kinds
  • 32. it’s ubiquitous we’ve got one so does microsoft safari too opera has 3 kinds
  • 35. but is it good UI?
  • 37. Remember MRRAB Meaningful - Not really. Relevant - ?
  • 38. Remember MRRAB Meaningful - Not really. Relevant - Fairly. Robust - ?
  • 39. Remember MRRAB Meaningful - Not really. Relevant - Fairly. Robust - Barely. Available - ?
  • 40. Remember MRRAB Meaningful - Not really. Relevant - Fairly. Robust - Barely. Available - Only when you don’t need it. Brave - ?
  • 41. Remember MRRAB Meaningful - Not really. Relevant - Fairly. Robust - Barely. Available - Only when you don’t need it. Brave - Sure. C-
  • 42. doing better an identity indicator in primary chrome
  • 43. identity Let’s stop talking about safety, since we were never any good at that anyhow. Let’s talk about what we can know.
  • 44. EV There is a new breed of SSL Certificate now called “Extended Validation.” The identity information in these certificates is vetted in a standardized, robust way. Hooray. http://www.cabforum.org/
  • 46. in Firefox 3, Larry will indicate identity (* Mockups change. Don’t over-report.)
  • 47. even on non-EV sites, Larry will be around (* Mockups change. Don’t over-report.)
  • 49-51. Meaningful - Identity, period. Relevant - Knowing identity matters. Robust - EV Certificates are hard to fake. Available - Larry is always around. Brave - Killing the padlock is scary stuff. Grade: A+++! ...or, honestly, B?
  • 52. more to think about Larry vs. padlock is hardly the only security UI that matters
  • 57. even the humble location bar
  • 58. W3C WSC - Web Security Context Working Group, http://www.w3.org/2006/WSC/ - participants: software companies, standards bodies, professional organizations, certificate authorities, academics
  • 59. recommendations being considered: Safe Browsing Whitelist; Browser Lock Down; Personally Identifiable Information Bar; Page Security Scoring; Identity Indicator in Primary Chrome ☺
  • 60. we also throw some crazier ideas around
  • 61. can we make better use of past actions? “You’ve been to this site before” “Nothing’s changed since the last time you were here” “You’re sending a password to a site you’ve never visited”
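As an added worked example (not from the talk and not Firefox code), here is a toy of the decision logic such an indicator could run: it combines the EV-or-not identity question from slides 44-49 with the history-based hints on this slide. The EV test is simplified to the presence of the CA/Browser Forum EV policy OID 2.23.140.1.1 on an already-validated chain; the message strings, the `SiteRecord` store, the `describe` function and the sample certificate fields are all assumptions made for this example, not Firefox’s strings or its data model.

```python
# Added example (not from the talk, not Firefox code): what an identity indicator
# could say about a page, from certificate identity plus the browser's own history.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CA/Browser Forum EV policy OID. Real browsers also require the issuing root to be
# EV-enabled; that check is left out here (assumption made for the example).
CABF_EV_POLICY_OID = "2.23.140.1.1"


@dataclass
class CertInfo:
    """What the browser knows after chain validation (constructed, not parsed from a real cert)."""
    organization: Optional[str]
    country: Optional[str]
    policy_oids: Tuple[str, ...]
    fingerprint: str                 # hex SHA-256 of the leaf certificate
    chain_valid: bool = True


@dataclass
class SiteRecord:
    """Per-host memory: how often we have been here and which cert we saw last."""
    visits: int = 0
    fingerprint: Optional[str] = None


@dataclass
class PageLoad:
    host: str
    cert: Optional[CertInfo]         # None for an unencrypted page
    sends_password: bool = False     # a form with a password field is being submitted


def identity_level(cert: Optional[CertInfo]) -> str:
    """'ev': vetted organization identity; 'dv': domain only; 'none': nothing to show.

    An invalid chain is an error page in a real browser; it is modelled as 'none' here.
    """
    if cert is None or not cert.chain_valid:
        return "none"
    if CABF_EV_POLICY_OID in cert.policy_oids and cert.organization and cert.country:
        return "ev"
    return "dv"


def describe(history: Dict[str, SiteRecord], load: PageLoad) -> Tuple[str, List[str]]:
    """Return (identity level, indicator messages) and record this visit in history."""
    level = identity_level(load.cert)
    msgs = []
    if level == "ev":
        msgs.append(f"This site is run by {load.cert.organization} ({load.cert.country}).")
    elif level == "dv":
        msgs.append(f"You are connected to {load.host}, but who runs it has not been verified.")
    else:
        msgs.append(f"Nothing is known about who runs {load.host}.")

    rec = history.setdefault(load.host, SiteRecord())
    seen_now = load.cert.fingerprint if load.cert else None
    if rec.visits == 0:
        msgs.append("You have never been to this site before.")
        if load.sends_password:
            msgs.append("Warning: you are sending a password to a site you have never visited.")
    else:
        msgs.append(f"You have been here {rec.visits} time(s) before.")
        if seen_now == rec.fingerprint:
            msgs.append("Nothing has changed since your last visit.")
        elif seen_now is None and rec.fingerprint is not None:
            msgs.append("Warning: this site was encrypted last time and is not now.")
        else:
            # Routine renewals change the fingerprint too; a real browser would also
            # compare issuer and key before escalating this to an alarm.
            msgs.append("Warning: this site's certificate has changed since your last visit.")

    rec.visits += 1
    rec.fingerprint = seen_now
    return level, msgs
```

The history store is the part that makes the indicator "Available" in the MRRAB sense: it has something to say on every page, not only when a certificate happens to be present, and the password warning fires on absence of history rather than asking the user to notice a missing padlock.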
  • 62. how about social networks? “7 of your Facebook friends have purchased things from this site” “Your grandchild who knows computers says this site is fine.” “This site has 25 unresolved complaints according to BBB, and a reseller rating of 6.2”
  • 63. can we stop phishing with tech smarts? Secure Remote Password protocol; let the browser handle password generation; watch for credit card numbers going out on the wire
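Slide 63’s first idea, as an added example that is not part of the talk: a minimal SRP-6a exchange with both sides’ messages. The group is the 1024-bit one from RFC 5054 (transcribed here; check it against the RFC before relying on it), the hash is SHA-256, and the proof message M1 is a simplified H(A | B | K) rather than the full RFC 2945 form; the class and function names, usernames and passwords are constructed for the example. The anti-phishing point it demonstrates: the wire carries the username, a salt, two group elements and a proof, never the password, and a server that does not hold the real verifier (a phishing site, modelled as a server that registered a guessed password) derives a different key and fails its own proof check.

```python
# Added example (not from the talk): a minimal SRP-6a run showing that with the
# Secure Remote Password protocol the password itself never crosses the wire.
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054 (transcribed; check against the RFC before relying on it).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496"
    "EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8E"
    "F4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA"
    "9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Big-endian bytes, zero-padded to the length of N (the PAD() of RFC 5054)."""
    return n.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_key(username: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(username ':' password)); only the client ever computes this."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def register(username: str, password: str):
    """Enrolment: the server keeps (salt, verifier v = g^x mod N), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(username, password, salt), N)


class Client:
    def __init__(self, username: str, password: str):
        self.I, self.P = username, password
        self.a = secrets.randbits(256)          # ephemeral private value
        self.A = pow(g, self.a, N)              # ephemeral public value

    def hello(self):
        return self.I, self.A                   # message 1: username and A

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("invalid server ephemeral")
        u = H(pad(self.A), pad(B))
        x = private_key(self.I, self.P, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        # message 3: proof of K (simplified H(A|B|K); RFC 2945 hashes more fields)
        return hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()


class Server:
    def __init__(self, records):
        self.records = records                  # username -> (salt, verifier)

    def challenge(self, I: str, A: int):
        if A % N == 0:
            raise ValueError("invalid client ephemeral")
        salt, v = self.records[I]
        self.b = secrets.randbits(256)
        B = (k * v + pow(g, self.b, N)) % N
        u = H(pad(A), pad(B))
        S = pow(A * pow(v, u, N), self.b, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self._expected_M1 = hashlib.sha256(pad(A) + pad(B) + self.K).digest()
        return salt, B                          # message 2: salt and B

    def verify(self, M1: bytes) -> bool:
        return hmac.compare_digest(M1, self._expected_M1)


def authenticate(client: Client, server: Server) -> dict:
    """Run one exchange; report each side's conclusion and everything that went on the wire."""
    I, A = client.hello()
    salt, B = server.challenge(I, A)
    M1 = client.respond(salt, B)
    return {
        "accepted": server.verify(M1),
        "keys_match": hmac.compare_digest(client.K, server.K),
        "wire": I.encode() + pad(A) + salt + pad(B) + M1,
    }
```

The protection only holds if the browser, not the page’s own form, runs the client side: a password typed into a phisher’s HTML form is gone regardless, which is why the slide pairs SRP with browser-managed passwords. A production server would also answer unknown usernames with a fake salt and B rather than a KeyError, so that the exchange does not reveal which accounts exist, and would use a larger group than the 1024-bit one used here for brevity.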
  • 64. and don’t forget... It has to work for internationalization. It has to work for accessibility. It has to work for mobile.
  • 65. bedtime reading: Peter Gutmann, Phishing Tips and Techniques, http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf; Rachna Dhamija, Why Phishing Works, http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf; W3C WSC’s Shared Bookmarks, http://www.w3.org/2006/WSC/wiki/SharedBookmarks
  • 67. credits
    • Security Geek - http://flickr.com/photos/oblivion/351874401/
    • Mountain Lion - http://flickr.com/photos/ekai/457004988/
    • Red Panda - http://flickr.com/photos/takenzen/184693555
    • Phishing/Malware stats - http://apwg.com/reports/apwg_report_may_2007.pdf
    • Robot Clones Quote - http://www.theage.com.au/news/national/top-cop-predicts-robot-crimewave/2007/07/06/1183351416078.html
    • Robot - http://www.sxc.hu/photo/502945
    • Shepherd-Barron on ATM Pins - http://news.bbc.co.uk/2/hi/business/6230194.stm
    • Traffic Tree - http://flickr.com/photos/oobrien/7597395/
    • Freddy the Fox - http://flickr.com/photos/roblee/207435086/
    • Squity the Goose - http://flickr.com/photos/59547396@N00/63778062
    • No Road Markings - http://flickr.com/photos/lwr/498246175/
    • Brave Kitten - http://flickr.com/photos/malingering/69853302/
    • Passport Agent (Larry) - http://www.aiga.org/content.cfm/symbol-signs
    • Footprints - http://www.sxc.hu/photo/573584
    • Paper Men - http://www.sxc.hu/photo/431214
    • No Fishing - http://www.sxc.hu/photo/791573
    • Cell Phone - http://www.sxc.hu/photo/175602
    • Microphone - http://www.sxc.hu/photo/793650