An important concept in Usable Security is whether a given UI represents a “security surface.” Formally, a security surface is a User Interface component in which the user is presented with information they rely upon to make a security decision. For example, in the browser, the URL in the address bar is a security surface.Continue reading “Security Surfaces”
Tag Archives: UX
Browser Features: Find in Page
For busy web users, the humble Find-in-Page feature in the browser is one of the most important features available. While Google or Bing can get you to the page you’re looking for faster than ever before, once you get to that page, you’ve got to find the information you’re looking for1, and that’s where Find-in-PageContinue reading “Browser Features: Find in Page”
Microsoft Edge Tips and Tricks
Last Updated: June 3, 2022. The intent of this post is to capture a list of non-obvious features of the browser that might be useful to you. Q: How do I find the tab playing audio? It’s cool that Microsoft Edge shows the volume icon in the tab playing music and I can click toContinue reading “Microsoft Edge Tips and Tricks”
Trim Your Whitespace
Leading and trailing whitespace are generally invisible. Humans are bad at dealing with things they can’t see. If your system accepts textual codes, or any other human-generated or human-mediated input, you should trim whitespace, whether it’s leading, trailing, or inline (if not meaningful). // Trim leading and trailing whitespace $(‘inputCode’).value = $(‘inputCode’).value.trim(); It’s downright sillyContinue reading “Trim Your Whitespace”
Inspecting Certificates in Edge
Curious about how to see a website’s HTTPS certificate in Microsoft Edge? You’ve got two options: A companion post to 2017’s post Inspecting Certificates in Chrome.
Per-Site Permissions in Edge
Last year, I wrote about how the new Microsoft Edge browser mostly ignores Security Zones (except in very rare circumstances) to configure security and permissions decisions. Instead, in Chromium per-site permissions are controlled by settings and policies expressed using a simple syntax with limited wildcarding support. Settings Page’s Site Permissions and Group Policy Internet ExplorerContinue reading “Per-Site Permissions in Edge”
Securely Displaying URLs
One of my final projects on the Chrome team was writing an internal document outlining Best Practices for Secure URL Display. Yesterday, it got checked into the public Chromium repro, so if this is a topic that interests you, please have a look! Additionally, at Enigma 2019, the Chrome team released Trickuri (pronounced “trickery”) a tool forContinue reading “Securely Displaying URLs”
Inspecting Certificates in Chrome
Chrome 60 introduces a new option to quickly show Certificate information for the current page.
The Trouble with Magic
“Magic” is great… except when it isn’t. Software Design is largely about tradeoffs, and one of the more interesting tradeoffs is between user experience and predictability. This has come up repeatedly throughout my career and in two independent contexts yesterday that I’ll describe in this post. Developer Magic I’m working on a tiny UX changeContinue reading “The Trouble with Magic”
Certified Malice
One unfortunate (albeit entirely predictable) consequence of making HTTPS certificates “fast, open, automated, and free” is that both good guys and bad guys alike will take advantage of the offer and obtain HTTPS certificates for their websites. Today’s bad guys can easily turn a run-of-the-mill phishing spoof: …into a somewhat more convincing version, by obtainingContinue reading “Certified Malice”
text/plain 