WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: How does someone with a visual impairment know if they're viewing a secure URL?


From: Brandon Keith Biggs
Date: Apr 28, 2019 2:12PM


Hello,
I always use F6 and look at the https. There are multiple types of https
though and I don't know how to view the different types.
Thanks,

Brandon Keith Biggs <http://brandonkeithbiggs.com/>


On Sun, Apr 28, 2019 at 12:31 PM Mallory < <EMAIL REMOVED> > wrote:

> Here's a page that only says "not secure" in the browser chrome but
> doesn't have on-page warnings: http://www.picat-lang.org/. Manually
> navigating with F6 seems to be the only place where the this-is-not-https
> is to be found.
>
> I recall seeing a talk by someone on the Chrome team who thought they'd
> rather show who was secure than who wasn't, as far as which to focus on.
> They feared emphasising a site wasn't secure while that was still the
> majority (this was before LetsEncrypt and the number of https sites rose)
> would teach people to ignore the warning since they'd get it on most sites.
>
> cheers,
> Mallory
>
> On Sun, Apr 28, 2019, at 3:59 PM, Jonathan Cohn wrote:
> > Well, Safari with VoiceOver will announce that a page is not secure. I
> > believe I have heard this on other browsers as well. Try going to a URL
> > with http instead of https and see what happens.
> > I remember warnings from Firefox when a specific firewall was acting
> > like a man in the middle.
> > Best wishes,
> >
> > Jonathan Cohn
> >
> >
> >
> > > On Apr 28, 2019, at 7:22 AM, Léonie Watson via WebAIM-Forum
> > > < <EMAIL REMOVED> > wrote:
> > >
> > > The short answer is that they don't, unless they go looking (as you
> > > describe).
> > >
> > > I think that any solution has to come from the browser, without
> > > needing web authors to do anything. If the browser's exposed the
> > > security state of the page, as the page loaded, then a screen reader
> > > could announce that information in combination with the page title.
> > >
> > > It may be that either in the browser or in the screen reader, it would
> > > be possible to configure those statements to some extent though, or to
> > > be able to query additional information. For example, the initial
> > > announcement might be "Page is secure", but on request additional
> > > information about the certificate could be found.
> > >
> > > Léonie.
> > > On 28/04/2019 04:43, Jody H wrote:
> > >> Hi all, new to the list and I have a question!
> > >> I have been trying to identify a consistent pattern that allows me to,
> > >> via keyboard and screen reading software, easily and quickly determine
> > >> if a page is "secured"; that is, has an active and valid SSL
> > >> certificate. I know browsers put a lot of effort into visually
> > >> informing users in the address bar if a page is not secure, and I'd
> > >> love to see the same affordance given to the visibly diverse.
> > >> How do screen readers do?
> > >> – Let's use the Google home page as an example. With VoiceOver on macOS
> > >> activated, Safari appears to announce "www google dot com" on first
> > >> load. Subsequent navigations do yield the full "https" version of the
> > >> URL being read aloud; ChromeVOX (browser extension) does something
> > >> similar.
> > >> – You can drill down in the toolbar in most cases to get to the padlock
> > >> icon in the URL, but that's not easy to get to using the keyboard
> > >> without vision.
> > >> Even if the web page address is read aloud how does one know if the
> > >> page is truly secure via this method? SSL certificates can expire (thus
> > >> leaving the "https" in the address string while not being valid), and
> > >> by adding the string "https" to the address manually (e.g.
> > >> http://https.example.com/blog/https) one could possibly be fooled.
> > >> – Ultimately I was hoping for some sort of "quick indication", much
> > >> like the address bar padlock, that the details I wanted to submit on
> > >> the page would be transmitted securely. It also appears there isn't a
> > >> standard keyboard shortcut to toggle page certificate information.
> > >> Ideal scenario
> > >> I don't think the page's certificate information needs to be stated on
> > >> each page load. But I imagine a scenario where, when you focus in on a
> > >> form (e.g. credit card, password, anything really), on perhaps any
> > >> field or the submit button, or by some other condition being met, the
> > >> screen reader would inform you via some mechanism that the content you
> > >> are submitting is safe and secure.
> > >> Approach
> > >> I'm not seeing an approach to allow a website to accomplish this on its
> > >> own, since they could just spoof it. It requires some sort of
> > >> independent evaluator. With that in mind I'm envisioning a couple
> > >> routes to possibly take:
> > >> 1. Page security details (likely brief) could be auto-announced when
> > >> the appropriate conditions are met (i.e. form element is focussed)
> > >> 2. A keyboard shortcut could be implemented to toggle an announcement
> > >> of page security/certificate details (since it's user-triggered it
> > >> could be longer in detail).
> > >> 3. A website could then within its own code, add a screen-reader
> > >> accessible label at the start of its form that can be tabbed onto (or
> > >> auto-announce when the form is focussed), that informs the visitor that
> > >> they can press a key command to view certificate information (handled
> > >> by browser or software). It's possible this could be spoofed, though,
> > >> if the website is allowed to override the key command and just announce
> > >> fake certificate info.
> > >> Either screen-reading tools could independently support this
> > >> functionality, or the browser vendors could implement it. If it were to
> > >> be implemented at a browser level I believe the browser would have to
> > >> augment an element on the web page that is auto-focussed or somehow
> > >> supply a universally-acceptable injection to the screen reading tool to
> > >> make the announcement.
> > >> I think, most importantly, this should be standardized to some level,
> > >> so one can be confident about the security of data being submitted.
> > >> Interested in hearing your thoughts!
> > >
> > > --
> > > @TetraLogical TetraLogical.com