Securing user inputs for the web

The goal of this paper is to study secure and usable methods for providing user input to a website. Three principles define security for us: certification, awareness, and privacy. Four principles define usability: contextual awareness, semantic awareness, prodigious use of screen space, and the availability of recommended choices. We first describe how current approaches to the solicitation of user input on the web fail on both fronts: they either cannot handle certified data, do not respect user privacy, or have various usability problems which frustrate and perhaps even mislead the user. To address security, we suggest the use of more sophisticated private certificate systems. To address usability, we propose a new contextual, browser-integrated interface for using private certificate systems. Our system incorporates many recent design principles discussed in the security and usability space. It works in the main content area of a webpage; it focuses on making the user aware of the who, what, where, when and why of a data request, and it does not use valuable screen space when it is not relevant.
