Secure User Interfaces
An Introduction
Prof. David Bernstein
James Madison University
Computer Science Department
bernstdh@jmu.edu
Review
User Interface:
A system that allows for interaction between a human and a device
Devices:
Input (keyboard, microphone, pointing devices)
Output (display, printer, speaker, haptic devices)
Using the Science
What Science?
Physics (e.g., sound and light wave transmission)
Biology (e.g., the ear and the eye)
Psychology (e.g., perception and cognition)
Getting the Science to the Designer/Programmer:
Guidelines and/or rules of thumb
Use Secure Defaults (Path of Least Resistance)
Rationale:
Users assume an application is secure
Users are unlikely to take (multiple) actions to ensure security (i.e., they take the path of least resistance)
Users know less about security than designers/programmers
Examples:
Use minimal privileges
Use the secure alternative (e.g., SSL, HTTPS)
Make Security Implications Clear (Explicit Authority, Clarity)
Rationale:
Users do not understand the technical details of security
Implications:
Present the user with consequences, not technical details
Examples of Bad Practice:
Informing the user that a certificate is signed by an unknown authority
Asking the user to choose an encryption method
The Absence of a Cue is not a Cue
Rationale:
Users are far more likely to notice the existence of a cue than the absence of a cue
Example:
WWW browsers often add an icon when HTTPS is used; they should instead display a prominent icon when it isn't
Save Files in Secure Locations
Rationale:
Users are unlikely to encrypt/decrypt files manually
Implications:
Save files only in folders/directories with appropriate permissions
Make the security implications of using other folders/directories apparent
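Added example (not part of the original slides): a POSIX-only sketch of a save routine that checks the chosen folder's permissions, reports the consequence rather than the permission bits, and creates the file owner-only by default. The function names and message wording are assumptions made for illustration.

```python
import os
import stat

# Messages state consequences, not permission bits (wording is an assumption).
SHARED_WRITE = ("Other people who use this computer can add files to this "
                "folder and may be able to replace yours.")
SHARED_READ = ("Other people who use this computer may be able to open "
               "files saved in this folder.")
NOT_OWNER = ("This folder belongs to a different account, which controls "
             "who can see files saved here.")


def save_location_warning(directory):
    """Return None if the folder is private to the current user,
    otherwise a plain-language warning to show in the save dialog."""
    info = os.stat(directory)
    mode = stat.S_IMODE(info.st_mode)
    if info.st_uid != os.getuid():
        return NOT_OWNER
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return SHARED_WRITE
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return SHARED_READ
    return None


def save_private(directory, name, data):
    """Create a new file that only its owner can read or write.
    O_EXCL refuses to overwrite an existing file or follow a symlink."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as folder:  # constructed sample folder
        for bits in (0o700, 0o755, 0o777):
            os.chmod(folder, bits)
            print(oct(bits), "->", save_location_warning(folder) or "no warning")
        os.chmod(folder, 0o700)
        saved = save_private(folder, "notes.txt", b"draft")
        print("file mode:", oct(stat.S_IMODE(os.stat(saved).st_mode)))
```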
Use a Trusted Path for Communications
Rationale:
Communications channels are complex and users often trust complex systems
Example:
Use HTTPS
Allow for Review (Visibility) and Revocation
Rationale:
Users may forget the security decisions they have made and/or may change their minds about them
Note:
Revocation may not always be possible