WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: Relationship Between Accessibility, Screen Readers and Security Clarified

From: Terrill Bennett
Date: Jan 27, 2011 5:24AM


AWK,

On its own, Ms. Shubina's statement has little (or nothing) to do
with online accessibility. As I read her statement, she is warning
that if your site isn't accessible it may be a potential security
threat. I can think of numerous examples where something can be
accessible, and still be a security risk. Links made of malformed
URLs come immediately to mind, where the URL and link text are
easily read but cause a server crash. SQL injection is another - the
page and form used for submission are 100% accessible, but the code
that processes the submitted data fails to properly untaint the data.

There are lots of file types which can be distributed via the
Internet and from which text can't be extracted directly. A review of
MIME types (Multipurpose Internet Mail Extensions) reveals numerous
extensions, some of which are potential threats (e.g. .exe):
http://www.w3schools.com/media/media_mimeref.asp

While it would be beneficial (even profitable) if accessibility and
security went hand-in-hand, inclusion of Ms. Shubina's statement
without elaboration is misleading to the uninformed. Of course, Ms.
Shubina may have been horribly misquoted by the author.

-- terrill --

PS: AWK? Aho, Weinberger and Kernighan? <grin>

At 03:39 PM 1/26/2011, you wrote:
>I didn't want to chime in on this but I just can't help
>myself. This statement strikes me as the sort of quote that sounds
>really good and people naturally want to assume helps justify work
>on accessibility, but I don't think holds up under scrutiny.
>
>Anna Shubina says "..if a screen reader can't extract text out of a
>file then it's an indicator that there's a lot in that format and
>there's a lot of stuff in that file that could do bad things...".
>
>She may be thinking about PDF or Flash, but since screen readers can
>read both she must not be.
>
>Perhaps she's thinking about image files? Screen readers can't get
>text out of an image file. Many images even have metadata that a
>screen reader could read, but the screen reader and common image
>rendering tools don't present that information to be read. So are
>image files necessarily more of a security risk? Probably not.
>
>Perhaps she's thinking about SVG? SVG can have text and has poor
>support by screen readers, due to user agent and AT support, but
>this doesn't translate into a greater security risk either.
>
>Bottom line, I wish that there was some evidence to support this
>statement, but I can't think of what that could possibly be.
>
>Thanks,
>AWK
>
>Andrew Kirkpatrick
>Group Product Manager, Accessibility
>Adobe Systems
>
> <EMAIL REMOVED>
>http://twitter.com/awkawk
>http://blogs.adobe.com/accessibility
>
>
>-----Original Message-----
>From: <EMAIL REMOVED>
>[mailto: <EMAIL REMOVED> ] On Behalf Of Terrill Bennett
>Sent: Wednesday, January 26, 2011 11:49 AM
>To: WebAIM Discussion List
>Subject: [WebAIM] Relationship Between Accessibility, Screen Readers
>and Security Clarified
>
>For your enlightenment:
>
>"Lack of accessibility usually indicates that there are potential
>security problems. If a screen reader can't extract text out of a
>file, then it's an indicator that there's a lot in that format and
>there's a lot of stuff in that file that could do bad things to your
>computer."
>
>That statement came from a post-doctorate associate at the Department
>of Computer Science at Dartmouth College named Anna Shubina, Ph.D.
>You can read her remark in a story concerning online access at
>Dartmouth University, here:
>
>http://thedartmouth.com/2011/01/26/news/online
>
>Don't shoot me, I'm just the messenger.
>
>Enjoy!
>
>-- terrill --
>
>