Shane and I were having a quick chat about privacy and security UX and we ended up chatting about an interesting concept to improve the user experience when a 'bad' certificate is in use (expired, self-issued, etc.).

Firefox already maintains a database of auto-complete fields, and over time a user will have a set of data that could potentially be used to warn the user when they are sending 'sensitive' fields over insecure channels. By performing a survey of large usage payment sites we could identify common parameter names that are saved on major sites, then flag fields such as name, address, credit card number, etc., and related fields as being "personal" data.

If we did this, would it be feasible to analyze user input into DOM elements and raise warnings if personal data is entered into documents loaded from "bad" sites? I haven't spent too much time thinking about it, but fields identified as personal data from the survey could be fed into a bloom filter, and then user input on "bad" sites could be checked against this filter to determine if there is sensitive data in it.

This could help users to better understand the context of our somewhat unfriendly bad certificate error messages.

Thoughts?

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
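One reading of the Bloom filter idea in the message above, sketched as an added example that is not part of the original post and not Firefox code: saved form-history values whose field names were flagged as personal go into the filter, and input typed on a page with a bad certificate is tested against it. The field names, the `certIsBad` flag, the filter sizing and the sample history are all assumptions made for illustration.

```javascript
// Added sketch. Field names assumed to come from the proposed survey.
const PERSONAL_FIELDS = new Set(["name", "address", "cc-number"]);

class BloomFilter {
  constructor(bits = 1024, hashes = 4) {
    this.bits = bits;
    this.hashes = hashes;
    this.bitmap = new Uint8Array(Math.ceil(bits / 8));
  }
  // One seeded FNV-1a hash per round (non-cryptographic), folded to a bit index.
  _positions(value) {
    const out = [];
    for (let seed = 0; seed < this.hashes; seed++) {
      let h = (0x811c9dc5 ^ seed) >>> 0;
      for (let i = 0; i < value.length; i++) {
        h = Math.imul(h ^ value.charCodeAt(i), 0x01000193) >>> 0;
      }
      out.push(((h ^ (h >>> 15)) >>> 0) % this.bits);
    }
    return out;
  }
  add(value) {
    for (const p of this._positions(value)) this.bitmap[p >> 3] |= 1 << (p & 7);
  }
  has(value) {
    return this._positions(value).every((p) => this.bitmap[p >> 3] & (1 << (p & 7)));
  }
}

// Strip case, spaces and punctuation so "4111 1111..." matches "4111-1111...".
const normalize = (v) => v.toLowerCase().replace(/[^a-z0-9]/g, "");

// Build the filter from saved form history, keeping only flagged fields.
function buildFilter(formHistory) {
  const filter = new BloomFilter();
  for (const { field, value } of formHistory) {
    if (PERSONAL_FIELDS.has(field)) filter.add(normalize(value));
  }
  return filter;
}

// Warn only when the page's certificate is bad AND the input looks personal.
function shouldWarn(filter, certIsBad, input) {
  return certIsBad && filter.has(normalize(input));
}

// Constructed sample form history (not real data).
const SAMPLE_HISTORY = [
  { field: "cc-number", value: "4111 1111 1111 1111" },
  { field: "address", value: "1 Example Street" },
  { field: "searchbar", value: "firefox themes" },
];
```

A Bloom filter never misses a value that was added, but it can report a value that was not, so the cost of an undersized filter here is an occasional spurious warning rather than a missed one.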
