WebAIM - Web Accessibility In Mind

E-mail List Archives

Thread: How does someone with a visual impairment know if they're viewing a secure URL?


Number of posts in this thread: 4 (In chronological order)

From: Léonie Watson
Date: Sun, Apr 28 2019 5:22AM
Subject: How does someone with a visual impairment know if they're viewing a secure URL?

The short answer is that they don't, unless they go looking (as you
describe).

I think that any solution has to come from the browser, without needing
web authors to do anything. If the browser's exposed the security state
of the page, as the page loaded, then a screen reader could announce
that information in combination with the page title.

It may be that either in the browser or in the screen reader, it would
be possible to configure those statements to some extent though, or to
be able to query additional information. For example, the initial
announcement might be "Page is secure", but on request additional
information about the certificate could be found.

Léonie.
On 28/04/2019 04:43, Jody H wrote:
> Hi all, new to the list and I have a question!
>
> I have been trying to identify a consistent pattern that allows me to, via
> keyboard and screen reading software, easily and quickly determine if a
> page is "secured"; that is, has an active and valid SSL certificate. I know
> browsers put a lot of effort into visually informing users in the address
> bar if a page is not secure, and I'd love to see the same affordance given
> to the visibly diverse.
>
> How do screen readers do?
>
> – Let's use the Google home page as an example. With VoiceOver on macOS
> activated, Safari appears to announce "www google dot com" on first load.
> Subsequent navigations do yield the full "https" version of the URL being
> read aloud; ChromeVOX (browser extension) does something similar.
> – You can drill down in the toolbar in most cases to get to the padlock
> icon in the URL, but that's not easy to get to using the keyboard without
> vision.
> Even if the web page address is read aloud how does one know if the page is
> truly secure via this method? SSL certificates can expire (thus leaving the
> "https" in the address string while not being valid), and by adding the
> string "https" to the address manually (e.g.
> http://https.example.com/blog/https) one could possibly be fooled.
> – Ultimately I was hoping for some sort of "quick indication", much like
> the address bar padlock, that the details I wanted to submit on the page
> would be transmitted securely. It also appears there isn't a standard
> keyboard shortcut to toggle page certificate information.
>
> Ideal scenario
>
> I don't think the page's certificate information needs to be stated on each
> page load. But I imagine a scenario where, when you focus in on a form
> (e.g. credit card, password, anything really), on perhaps any field or the
> submit button, or by some other condition being met, the screen reader
> would inform you via some mechanism that the content you are submitting is
> safe and secure.
>
> Approach
>
> I'm not seeing an approach to allow a website to accomplish this on its
> own, since they could just spoof it. It requires some sort of independent
> evaluator. With that in mind I'm envisioning a couple routes to possibly
> take:
>
> 1. Page security details (likely brief) could be auto-announced when the
> appropriate conditions are met (i.e. form element is focussed)
> 2. A keyboard shortcut could be implemented to toggle an announcement of
> page security/certificate details (since it's user-triggered it could be
> longer in detail).
> 3. A website could then within its own code, add a screen-reader accessible
> label at the start of its form that can be tabbed onto (or auto-announce
> when the form is focussed), that informs the visitor that they can press a
> key command to view certificate information (handled by browser or
> software). It's possible this could be spoofed, though, if the website is
> allowed to override the key command and just announce fake certificate info.
>
> Either screen-reading tools could independently support this functionality,
> or the browser vendors could implement it. If it were to be implemented at
> a browser level I believe the browser would have to augment an element on
> the web page that is auto-focussed or somehow supply a
> universally-acceptable injection to the screen reading tool to make the
> announcement.
>
> I think, most importantly, this should be standardized to some level, so
> one can be confident about the security of data being submitted.
>
> Interested in hearing your thoughts!
>

--
@TetraLogical TetraLogical.com
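
An added example, not part of any post in this thread: a sketch of the browser-side check discussed above, which takes the security state from the parsed scheme and the certificate rather than from the text "https" in the address, then produces a brief announcement and a longer one on request. The function names, the certificate record shape and the sample data are hypothetical and constructed for illustration; trust-chain validation is assumed to be done by the TLS stack.

```javascript
// Added illustration: names and the certificate record shape are hypothetical.
// It models logic on the browser side, which page content cannot override.

// True when the hostname is covered by one of the certificate's names.
// A wildcard name covers exactly one left-most label.
function hostMatches(hostname, names) {
  const host = hostname.toLowerCase();
  return names.some((name) => {
    const n = name.toLowerCase();
    if (!n.startsWith("*.")) return n === host;
    const dot = host.indexOf(".");
    return dot > 0 && host.slice(dot) === n.slice(1);
  });
}

// Decide the state from the parsed scheme and the certificate,
// never from finding the text "https" somewhere in the address.
function securityState(address, cert, now) {
  let url;
  try {
    url = new URL(address);
  } catch (err) {
    return { secure: false, reason: "address could not be parsed" };
  }
  if (url.protocol !== "https:") {
    return { secure: false, reason: "connection is not encrypted" };
  }
  if (!cert) return { secure: false, reason: "no certificate presented" };
  if (now < cert.notBefore) {
    return { secure: false, reason: "certificate is not yet valid" };
  }
  if (now > cert.notAfter) {
    return { secure: false, reason: "certificate has expired" };
  }
  if (!hostMatches(url.hostname, cert.names)) {
    return { secure: false, reason: "certificate does not cover " + url.hostname };
  }
  return { secure: true, reason: "certificate valid for " + url.hostname };
}

// Short form, suitable for announcing alongside the page title.
function briefAnnouncement(state) {
  return state.secure ? "Page is secure" : "Page is not secure";
}

// Longer form, for a user-triggered request for certificate details.
function detailedAnnouncement(state, cert) {
  const text = briefAnnouncement(state) + ": " + state.reason;
  if (!cert) return text;
  return text + ". Issued by " + cert.issuer +
    ", expires " + cert.notAfter.toISOString().slice(0, 10);
}

// Constructed sample data (not taken from any real site).
const sampleCert = {
  names: ["example.com", "*.example.com"],
  issuer: "Constructed Test CA",
  notBefore: new Date("2019-01-01T00:00:00Z"),
  notAfter: new Date("2019-04-01T00:00:00Z"),
};
const sampleNow = new Date("2019-04-28T00:00:00Z");
```
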

From: Jonathan Cohn
Date: Sun, Apr 28 2019 7:58AM
Subject: Re: How does someone with a visual impairment know if they're viewing a secure URL?

Well, Safari with VoiceOver will announce that a page is not secure. I believe I have heard this on other browsers as well. Try going to a URL with http instead of https and see what happens.
I remember warnings from Firefox when a specific firewall was acting like a man in the middle.
Best wishes,

Jonathan Cohn




From: Mallory
Date: Sun, Apr 28 2019 1:31PM
Subject: Re: How does someone with a visual impairment know if they're viewing a secure URL?

Here's a page that only says "not secure" in the browser chrome but doesn't have on-page warnings: http://www.picat-lang.org/. Manually navigating with F6 seems to be the only place where the this-is-not-https is to be found.

I recall seeing a talk by someone on the Chrome team who thought they'd rather show who was secure than who wasn't, as far as which to focus on. They feared emphasising a site wasn't secure while that was still the majority (this was before LetsEncrypt and the number of https sites rose) would teach people to ignore the warning since they'd get it on most sites.

cheers,
Mallory


From: Brandon Keith Biggs
Date: Sun, Apr 28 2019 2:12PM
Subject: Re: How does someone with a visual impairment know if they're viewing a secure URL?

Hello,
I always use F6 and look at the https. There are multiple types of https
though and I don't know how to view the different types.
Thanks,

Brandon Keith Biggs <http://brandonkeithbiggs.com/>

