Friday, November 25th, 2005

Web Browser Developers Work Together on Security

Category: Security

It was great to see browser developers getting together to take on security:

Core KDE developer George Staikos recently hosted a meeting of the security developers from the leading web browsers. The aim was to come up with future plans to combat the security risks posed by phishing, ageing encryption ciphers and inconsistent SSL Certificate practice.

Addressing PKI in the browser

The first topic and the easiest to agree upon is the weakening state of current crypto standards. With the availability of bot nets and massively distributed computing, current encryption standards are showing their age. Prompted by Opera, we are moving towards the removal of SSLv2 from our browsers. IE will disable SSLv2 in version 7 and it has been completely removed in the KDE 4 source tree already.

KDE will furthermore look to remove 40 and 56 bit ciphers, and we will continually work toward preferring and enforcing stronger ciphers as testing shows that site compatibility is not adversely affected. In addition, we will encourage CAs to move toward 2048-bit or stronger keys for all new roots.
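
A check of a cipher list against the thresholds named above (no SSLv2, no 40- or 56-bit ciphers, 2048-bit roots), as an added example that is not part of the original post or of any browser's code. The function names and the sample cipher entries are constructed for illustration; the dict keys read are the ones Python's `ssl.SSLContext.get_ciphers()` returns.

```python
import ssl

BANNED_PROTOCOLS = {"SSLv2"}   # protocol the post says browsers are removing
MAX_WEAK_BITS = 56             # 40- and 56-bit ciphers are slated for removal
MIN_ROOT_KEY_BITS = 2048       # size the post asks CAs to use for new roots


def audit_ciphers(ciphers):
    """Return (cipher name, reason) for each entry that breaks the policy.

    Each entry is a dict shaped like the ones ssl.SSLContext.get_ciphers()
    returns; only 'name', 'protocol' and 'strength_bits' are read here.
    """
    findings = []
    for c in ciphers:
        if c["protocol"] in BANNED_PROTOCOLS:
            findings.append((c["name"], "protocol " + c["protocol"]))
        # <= also catches 0-bit NULL ciphers, a generalisation beyond the post
        if c["strength_bits"] <= MAX_WEAK_BITS:
            findings.append((c["name"], "%d-bit cipher" % c["strength_bits"]))
    return findings


def root_key_ok(key_bits):
    """True when a root key meets the 2048-bit floor from the post."""
    return key_bits >= MIN_ROOT_KEY_BITS


def audit_local_client():
    """Audit the cipher list this Python/OpenSSL build offers by default."""
    return audit_ciphers(ssl.create_default_context().get_ciphers())


# Constructed sample input (not captured from any real browser or server).
SAMPLE_CIPHERS = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv2", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56},
    {"name": "AES128-SHA", "protocol": "SSLv3", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256},
]

if __name__ == "__main__":
    for name, reason in audit_ciphers(SAMPLE_CIPHERS):
        print("sample:", name, "->", reason)
    print("local client findings:", audit_local_client())
```
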

Colour Indication

As soon as I saw different colours as backgrounds to the URL in the browser, I knew it was a good idea. That little lock at the bottom of the browser goes totally ignored, and anything to increase awareness is a good thing.

George wasn’t sure at first, but changed his mind:

I was initially resistant to the idea of using colour to indicate security – especially the colour yellow! However, the ideas we have discussed have been implemented by Microsoft in their IE7 address bar, and when I saw it in action I was sold. I think we should implement Konqueror the same way for KDE4. It involves the following steps:

  1. The location toolbar becomes a permanent UI fixture along with the status bar
  2. The padlock goes into the location combo-box permanently, is the only place it appears, and the location bar stays white by default
  3. When verification on a site fails, the location bar is filled in red
  4. When a high-assurance certificate is verified, the location bar is filled in green, the organisation name is displayed beside the padlock, and it rotates displaying the name of the CA

I am afraid that the missing yellow will confuse our users, but at the same time I think it was misguided to add the yellow when it was added, and I think this is the price we must pay.

Posted by Dion Almaer at 10:39 am
1 Comment


What? I love the yellow highlighting done by non-IE browsers to indicate an SSL site. I don’t have to look for any icon, it is obvious. If anything, leave the bar yellow and show some sort of icon for the “high assurance” ssl certs.

When browsing, I don’t care what ‘trusted authority’ issued a cert, I don’t care if it is self-signed. I just want it encrypted point-to-point.

Comment by null — March 14, 2007
