Article

Securing user inputs for the web

Authors:

Roger ZimmermannAuthors Info & Claims

DIM '06: Proceedings of the second ACM workshop on Digital identity management

Pages 33 - 44

https://doi.org/10.1145/1179529.1179536

Published: 03 November 2006 Publication History

Abstract

The goal of this paper is to study secure and usable methods for providing user input to a website. Three principles define security for us: certification, awareness, and privacy. Four principles define usability: contextual awareness, semantic awareness, prodigious use of screen space, and the availability of recommended choices.We first describe how current approaches to the solicitation of user input on the web fail on both fronts: they either can not handle certified data, do not respect user privacy, or have various usability problems which frustrate and perhaps even mislead the user.To address security, we suggest the use of more sophisticated private certificate systems. To address usability, we propose a new contextual, browser-integrated interface for using private certificate systems. Our system incorporates many recent design principles discussed in the security and usability space. It works in the main content area of a webpage; it focuses on making the user aware of the who, what, where, when and why of a data request, and it does not use valuable screen space when it is not relevant.

References

[1]

Apache project. http://www.securiteam.com/securityreviews/5OP0B2KGAC.html.]]

[2]

S. Brands. Rethinking Public Key Infrastructure and Digital Certificates--- Building in Privacy. PhD thesis, Eindhoven Institute of Technology, 1999.]]

Digital Library

[3]

E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation. In CCS '04, pages 132--145, 2004.]]

Digital Library

[4]

J. Camenisch and A. Lysyanskaya. Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation. In 2001, volume 2045, pages 93--118, 2001.]]

Digital Library

[5]

J. Camenisch, D. Sommer, and R. Zimmermann. A general certification framework with applications to privacy-enhancing certificate infrastructures. In IFIP SEC 2006, to appear, 2006.]]

[6]

D. Chaum. Security without identification: Transaction systems to make big brother obsolete. CACM, 28(10):1030--1044, Oct. 1985.]]

Digital Library

[7]

L. Cranor, M. Langheinrich, M. Marchiori, M. Presler-Marshall, and J. Reagle. The Platform for Privacy Preferences 1.0 (P3P1.0) specification. Recommendation, World Wide Web Consortium, April 2002. http://www.w3.org/TR/2002/REC-P3P-20020416.]]

[8]

L. F. Cranor. Privacy policies and privacy preferences. In S. Garfinkel and L. Cranor, editors, Security and Usability: Designing Secure Systems That People Can Use, chapter 14. O'Reilly, 2005.]]

[9]

L. F. Cranor and S. Garfinkel, editors. Security and Usability -- Designing Secure Systems That People Can Use. O'Reilly, 2005.]]

Digital Library

[10]

R. Dhamija and J. D. Tygar. The battle against phishing: Dynamic security skins. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS), 2005.]]

Digital Library

[11]

Direct Anonymous Attestation - Project website of IBM Research. http://www.zurich.ibm.com/security/daa/.]]

[12]

Directive 2002/58/EC of the European Parliament and of the council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, Official Journal of the European Communities, L 201, Juli 31rd, 2002.]]

[13]

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities, L 281, November 23rd, 1995.]]

[14]

S. Farrell and R. Housley. An Internet Attribute Certificate Profile for Authorization. RFC 3281 (Proposed Standard), Apr. 2002.]]

Digital Library

[15]

Federal Trade Commission. The integrity and accuracy of the "whois" database. Statement Before the Subcommittee on Courts, the Internet, and Intellectual Property of the Committee on the Judiciary United States House of Representatives, May 22 2002. http://www.ftc.gov/os/2002/05/whois.htm.]]

[16]

G. Goth. Identity theft solutions disagree on problem. IEEE Distributed Systems Online, 6, 2005.]]

Digital Library

[17]

G. Greenleaf and R. Clarke. Privacy implications of digital signatures. In IBC Conference on Digital Signatures, March 1997.]]

[18]

Higgins Trust Framework. www.eclipse.org/higgins.]]

[19]

A Technical Reference for InfoCard v1.0 in Windows, Microsoft, 2005.]]

[20]

Internic website. Who is data problem report system. http://wdprs.internic.net/, March 2006.]]

[21]

S. Lederer, J. I. Hong, A. K. Dey, and J. A. Landay. Personal privacy through understanding and action: Five pitfalls for designers. In S. Garfinkel and L. Cranor, editors, Security and Usability: Designing Secure Systems That People Can Use, chapter 21. O'Reilly, 2005.]]

[22]

S. Levy and C. Gutwin. Improving understanding of website privacy policies with fine-grained policy anchors.In WWW2005, pages 480--489, 2005.]]

Digital Library

[23]

Liberty alliance project. www.projectliberty.org.]]

[24]

R. C. Miller and M. Wu. Fighting phishing at the user interface. In S. Garfinkel and L. Cranor, editors, Security and Usability: Designing Secure Systems That People Can Use, chapter 14. O'Reilly, 2005.]]

[25]

T. Moses, ed. eXtensible access control markup language (XACML). OASIS Standard.]]

[26]

J. S. Pettersson, S. Fischer-Hübner, J. N. Ninni Danielsson, M. Bergmann, T. Kriegelstein, S. Clauss, and H. Krasemann. Making prime usable. In SOUPS. ACM Digital Library, July 2005.]]

Digital Library

[27]

PRIME project. www.prime-project.eu.org.]]

[28]

Roboform. http://www.roboform.com.]]

[29]

Security Assertion Markup Language v2.0. www.oasis-open.org/specs.]]

[30]

S. Steinbrecher and S. Köpsell. Modelling unlinkability. In R. Dingledine, editor, Proceedings of Privacy Enhancing Technologies workshop (PET 2003). LNCS 2760, March 2003.]]

[31]

Trusted Computing Group, Trusted Platform Module (TPM) specification v1.2. https://www.trustedcomputinggroup.org/specs/TPM/.]]

[32]

BEA, IBM, Microsoft, RSA Security, VeriSign: Web services federation language note=www-128.ibm.com/developerworks/library/specification/ws-fed.]]

[33]

K.-P. Yee. Guidelines and strategies for secure interaction design. In S. Garfinkel and L. Cranor, editors, Security and Usability: Designing Secure Systems That People Can Use, chapter 13. O'Reilly, 2005.]]

Cited By

Pötzsch SBorcea-Pfitzmann KHansen MLiesebach KPfitzmann ASteinbrecher S(2011)Requirements for identity management from the perspective of multilateral interactionsDigital privacy10.5555/1996594.1996619(609-649)Online publication date: 1-Jan-2011
https://dl.acm.org/doi/10.5555/1996594.1996619
Fischer-Hübner SPettersson J(2011)Usable Privacy-Enhancing Identity ManagementInformation and Communication Technologies, Society and Human Beings10.4018/978-1-60960-057-0.ch015(172-189)Online publication date: 2011
https://doi.org/10.4018/978-1-60960-057-0.ch015
Winckler MGaits VVo DSergio FRossi GProtopsaltis ASpyratos NCosta CMeghini C(2011)An approach and tool support for assisting users to fill-in web forms with personal informationProceedings of the 29th ACM international conference on Design of communication10.1145/2038476.2038515(195-202)Online publication date: 3-Oct-2011
https://dl.acm.org/doi/10.1145/2038476.2038515
Show More Cited By

Index Terms

Securing user inputs for the web
1. Human-centered computing

Recommendations

User interface toolkit mechanisms for securing interface elements
UIST '12: Proceedings of the 25th annual ACM symposium on User interface software and technology

User interface toolkit research has traditionally assumed that developers have full control of an interface. This assumption is challenged by the mashup nature of many modern interfaces, in which different portions of a single interface are implemented ...
Securing embedded user interfaces: Android and beyond
SEC'13: Proceedings of the 22nd USENIX conference on Security

Web and smartphone applications commonly embed third-party user interfaces like advertisements and social media widgets. However, this capability comes with security implications, both for the embedded interfaces and the host page or application. While ...
Towards determinants of user-intuitive web interface signs
DUXU'13: Proceedings of the Second international conference on Design, User Experience, and Usability: design philosophy, methods, and tools - Volume Part I

User interfaces of web applications encompass a number of objects like navigation links, buttons, icons, labels, thumbnails, symbols, etc. which are defined in this paper as interface signs. Designing interface signs to be intuitive to the users is ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

DIM '06: Proceedings of the second ACM workshop on Digital identity management

November 2006

88 pages

ISBN:1595935479

DOI:10.1145/1179529

General Chair:
Ari Juels
RSA Laboratories
,
Program Chairs:
Marianne Winslett
UIUC
,
Atsuhiro Goto
NTT, Japan

Copyright © 2006 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 November 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tag

user interface designs

Qualifiers

Article

Conference

CCS06

Sponsor:

CCS06: 13th ACM Conference on Computer and Communications Security 2006

November 3, 2006

Virginia, Alexandria, USA

Acceptance Rates

Overall Acceptance Rate 16 of 34 submissions, 47%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
1,279
Total Downloads

Downloads (Last 12 months)8
Downloads (Last 6 weeks)2

Reflects downloads up to 16 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Pötzsch SBorcea-Pfitzmann KHansen MLiesebach KPfitzmann ASteinbrecher S(2011)Requirements for identity management from the perspective of multilateral interactionsDigital privacy10.5555/1996594.1996619(609-649)Online publication date: 1-Jan-2011
https://dl.acm.org/doi/10.5555/1996594.1996619
Fischer-Hübner SPettersson J(2011)Usable Privacy-Enhancing Identity ManagementInformation and Communication Technologies, Society and Human Beings10.4018/978-1-60960-057-0.ch015(172-189)Online publication date: 2011
https://doi.org/10.4018/978-1-60960-057-0.ch015
Winckler MGaits VVo DSergio FRossi GProtopsaltis ASpyratos NCosta CMeghini C(2011)An approach and tool support for assisting users to fill-in web forms with personal informationProceedings of the 29th ACM international conference on Design of communication10.1145/2038476.2038515(195-202)Online publication date: 3-Oct-2011
https://dl.acm.org/doi/10.1145/2038476.2038515
Bargas-Avila JOrsini SPiosczyk HUrwyler DOpwis K(2011)Enhancing online formsInteracting with Computers10.1016/j.intcom.2010.08.00123:1(33-39)Online publication date: 1-Jan-2011
https://dl.acm.org/doi/10.1016/j.intcom.2010.08.001
Wästlund EAngulo JFischer-Hübner S(2011)Evoking comprehensive mental models of anonymous credentialsProceedings of the 2011 IFIP WG 11.4 international conference on Open Problems in Network Security10.1007/978-3-642-27585-2_1(1-14)Online publication date: 9-Jun-2011
https://dl.acm.org/doi/10.1007/978-3-642-27585-2_1
Recabarren MNussbaum M(2010)Exploring the feasibility of web form adaptation to users' cultural dimension scoresUser Modeling and User-Adapted Interaction10.1007/s11257-010-9071-720:1(87-108)Online publication date: 1-Feb-2010
https://dl.acm.org/doi/10.1007/s11257-010-9071-7
Vo DWinckler MCoutaz JPalanque PVanderdonckt J(2009)PIAFFProceedings of the 21st International Conference on Association Francophone d'Interaction Homme-Machine10.1145/1629826.1629886(355-358)Online publication date: 13-Oct-2009
https://dl.acm.org/doi/10.1145/1629826.1629886
Ok MLee YHong S(2007)Consolidating Web Application Server Farms with Redundant WebinterfacesProceedings of the 18th International Conference on Database and Expert Systems Applications10.1109/DEXA.2007.53(580-584)Online publication date: 3-Sep-2007
https://dl.acm.org/doi/10.1109/DEXA.2007.53

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents