WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: How does someone with a visual impairment know if they're viewing a secure URL?

for

From: Mallory
Date: Apr 28, 2019 1:31PM


Here's a page that only says "not secure" in the browser chrome but doesn't have on-page warnings: http://www.picat-lang.org/. Manually navigating with F6 seems to be the only place where the this-is-not-https is to be found.

I recall seeing a talk by someone on the Chrome team who thought they'd rather show who was secure than who wasn't, as far as which to focus on. They feared emphasising a site wasn't secure while that was still the majority (this was before LetsEncrypt and the number of https sites rose) would teach people to ignore the warning since they'd get it on most sites.

cheers,
Mallory

On Sun, Apr 28, 2019, at 3:59 PM, Jonathan Cohn wrote:
> Well, Safari with VoiceOver will announce that a page is not secure. I
> believe I have heard this on other browsers as well. Try going to a URL
> with http instead of https and see what happens.
> I remember warnings from Firefox when a specific firewall was acting
> like a man in the middle.
> Best wishes,
>
> Jonathan Cohn
>
>
>
> > On Apr 28, 2019, at 7:22 AM, Léonie Watson via WebAIM-Forum < <EMAIL REMOVED> > wrote:
> >
> > The short answer is that they don't, unless they go looking (as you describe).
> >
> > I think that any solution has to come from the browser, without needing web authors to do anything. If the browser's exposed the security state of the page, as the page loaded, then a screen reader could announce that information in combination with the page title.
> >
> > It may be that either in the browser or in the screen reader, it would be possible to configure those statements to some extent though, or to be able to query additional information. For example, the initial announcement might be "Page is secure", but on request additional information about the certificate could be found.
> >
> > Léonie.
> > On 28/04/2019 04:43, Jody H wrote:
> >> Hi all, new to the list and I have a question!
> >> I have been trying to identify a consistent pattern that allows me to, via
> >> keyboard and screen reading software, easily and quickly determine if a
> >> page is "secured"; that is, has an active and valid SSL certificate. I know
> >> browsers put a lot of effort into visually informing users in the address
> >> bar if a page is not secure, and I'd love to see the same affordance given
> >> to the visibly diverse.
> >> How do screen readers do?
> >> – Let's use the Google home page as an example. With VoiceOver on macOS
> >> activated, Safari appears to announce "www google dot com" on first load.
> >> Subsequent navigations do yield the full "https" version of the URL being
> >> read aloud; ChromeVOX (browser extension) does something similar.
> >> – You can drill down in the toolbar in most cases to get to the padlock
> >> icon in the URL, but that's not easy to get to using the keyboard without
> >> vision.
> >> Even if the web page address is read aloud how does one know if the page is
> >> truly secure via this method? SSL certificates can expire (thus leaving the
> >> "https" in the address string while not being valid), and by adding the
> >> string "https" to the address manually (e.g.
> >> http://https.example.com/blog/https) one could possibly be fooled.
> >> – Ultimately I was hoping for some sort of "quick indication", much like
> >> the address bar padlock, that the details I wanted to submit on the page
> >> would be transmitted securely. It also appears there isn't a standard
> >> keyboard shortcut to toggle page certificate information.
> >> Ideal scenario
> >> I don't think the page's certificate information needs to be stated on each
> >> page load. But I imagine a scenario where, when you focus in on a form
> >> (e.g. credit card, password, anything really), on perhaps any field or the
> >> submit button, or by some other condition being met, the screen reader
> >> would inform you via some mechanism that the content you are submitting is
> >> safe and secure.
> >> Approach
> >> I'm not seeing an approach to allow a website to accomplish this on its
> >> own, since they could just spoof it. It requires some sort of independent
> >> evaluator. With that in mind I'm envisioning a couple routes to possibly
> >> take:
> >> 1. Page security details (likely brief) could be auto-announced when the
> >> appropriate conditions are met (e.i. form element is focussed)
> >> 2. A keyboard shortcut could be implemented to toggle an announcement of
> >> page security/certificate details (since it's user-triggered it could be
> >> longer in detail).
> >> 3. A website could then within its own code, add a screen-reader accessible
> >> label at the start of its form that can be tabbed onto (or auto-announce
> >> when the form is focussed), that informs the visitor that they can press a
> >> key command to view certificate information (handled by browser or
> >> software). It's possible this could be spoofed, though, if the website is
> >> allowed to override the key command and just announce fake certificate info.
> >> Either screen-reading tools could independently support this functionality,
> >> or the browser vendors could implement it. If it were to be implemented at
> >> a browser level I believe the browser would have to augment an element on
> >> the web page that is auto-focussed or somehow supply a
> >> universally-acceptable injection to the screen reading tool to make the
> >> announcement.
> >> I think, most importantly, this should be standardized to some level, so
> >> one can be confident about the security of data being submitted.
> >> Interested in hearing your thoughts!
> >
> > --
> > @TetraLogical TetraLogical.com
> > > > > > > > >
> > > > >