University of Chicago SUPERgroup

Usable Security and Privacy
Problem Set 5

Problem 1 is due on Canvas at 10:45am on Thursday, May 16th 11:59pm on Sunday, May 19th. Problem 2 is due on Canvas at 10:45am on Thursday, May 23rd. Problem 3, for the graduate section only, is also due on Canvas at 10:45am on Thursday, May 23rd.

Problem 1 (70 points)

As we've discussed, the X.509 certificates used for HTTPS websites embed a lot of complicated information. Users usually only gain visibility into certificates through a browser's lock icon and perhaps through error messages. Can you create a data-driven explanation that helps a non-technical user understand the certificate for a website they are visiting?

Do so by building a browser extension for Mozilla Firefox using the WebExtensions framework that provides a detailed, data-driven explanation of what a given certificate is telling the user. That is, opening the extension should bring the user to a page where they can enter a particular domain/subdomain/URL. The extension should then retrieve the certificate for that query (or lack of a certificate) and provide the user an explanation of what it is telling them designed using the usable security principles learned in class. It is up to you to decide what is important or unimportant to communicate about the certificate. You should aim to be relatively comprehensive in communicating what you deem to be the important differences across certificates.

You can access security information using the WebExtensions framework. Notably, getSecurityInfo, SecurityInfo, and CertificateInfo will be very helpful in this task. Note that these only work in recent versions of Firefox, not in Chrome or other browsers!
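As an added illustration (not part of the problem set or any course-provided code), the snippet below shows the two halves such an extension needs: a background-script listener that obtains the `SecurityInfo` for a page load via `browser.webRequest.getSecurityInfo`, and a pure function that turns that object into plain-language statements. The field names used (`state`, `certificates`, `validity`, `isExtendedValidation`, `isDomainMismatch`, `isUntrusted`, `isBuiltInRoot`, `protocolVersion`) are the ones documented for Firefox's `SecurityInfo` and `CertificateInfo` types; the wording, the 30-day expiry threshold and the sample object are assumptions made for this example.

```javascript
// Added example, not course code. Explains a Firefox WebExtensions
// SecurityInfo object to a non-technical user. The sample object at the
// bottom is constructed for offline testing and is not a real certificate.

const DAY_MS = 24 * 60 * 60 * 1000;
// Assumed threshold: warn when a valid certificate expires within 30 days.
const EXPIRY_WARNING_MS = 30 * DAY_MS;

// One-line verdict for each SecurityInfo.state value.
const STATE_TEXT = {
  secure: "Your connection to this site is encrypted and the certificate checks out.",
  weak: "The connection is encrypted, but with settings that are considered weak.",
  broken: "The certificate or connection has a problem; your data may not be protected.",
  insecure: "This site does not use HTTPS, so nothing is encrypted.",
};

// Convert a SecurityInfo object into an array of plain-language sentences.
// `now` is injectable so the output is deterministic in tests.
function explainSecurityInfo(info, now = Date.now()) {
  const lines = [STATE_TEXT[info.state] || "The security state of this site is unknown."];
  const chain = info.certificates || [];
  if (chain.length === 0) {
    lines.push("No certificate was presented, so we cannot say who runs this site.");
    return lines;
  }
  const leaf = chain[0];               // the site's own certificate
  const root = chain[chain.length - 1]; // the trust anchor, if the chain was requested
  lines.push(`The certificate was issued to "${leaf.subject || "this site"}" by "${leaf.issuer || "an unknown organisation"}".`);
  lines.push(info.isExtendedValidation
    ? "The issuer verified the legal identity of the organisation (extended validation)."
    : "The issuer verified that the site controls this domain name, not who owns it.");
  // CertificateInfo.validity gives start/end as milliseconds since the epoch.
  const { start, end } = leaf.validity || {};
  if (typeof start === "number" && typeof end === "number") {
    if (now < start) {
      lines.push("The certificate is not valid yet.");
    } else if (now > end) {
      lines.push("The certificate has expired.");
    } else {
      const daysLeft = Math.floor((end - now) / DAY_MS);
      lines.push(`It is valid for ${daysLeft} more day(s).`);
      if (end - now < EXPIRY_WARNING_MS) lines.push("That is soon; the site will need to renew it.");
    }
  }
  if (info.isDomainMismatch) lines.push("Warning: the certificate was issued for a different site name.");
  if (info.isUntrusted) lines.push("Warning: Firefox does not trust the organisation that issued this certificate.");
  if (chain.length > 1) {
    lines.push(`Trust runs through a chain of ${chain.length} certificates, ending at "${root.subject}"` +
      (root.isBuiltInRoot ? ", a root that ships with Firefox." : "."));
  }
  if (info.protocolVersion) {
    const outdated = info.protocolVersion === "TLSv1" || info.protocolVersion === "TLSv1.1";
    lines.push(`The connection uses ${info.protocolVersion}, ${outdated ? "an outdated" : "a current"} version of the protocol.`);
  }
  return lines;
}

// Background-script side. getSecurityInfo only works from a blocking
// onHeadersReceived listener, which needs the "webRequest" and
// "webRequestBlocking" permissions in manifest.json. Returns false when
// not running inside Firefox (e.g. under Node) so the module still loads.
function attachCertificateCapture(onInfo) {
  if (typeof browser === "undefined" || !browser.webRequest) return false;
  browser.webRequest.onHeadersReceived.addListener(
    async (details) => {
      const info = await browser.webRequest.getSecurityInfo(details.requestId, { certificateChain: true });
      onInfo(details.url, info, explainSecurityInfo(info));
      // Returning nothing leaves the response untouched.
    },
    { urls: ["<all_urls>"], types: ["main_frame"] },
    ["blocking"]
  );
  return true;
}

// Constructed sample (not a real site or certificate) for offline use.
const SAMPLE_START = Date.UTC(2019, 4, 1);
const SAMPLE_NOW = SAMPLE_START + 30 * DAY_MS;
const SAMPLE_SECURITY_INFO = {
  state: "secure",
  protocolVersion: "TLSv1.3",
  isExtendedValidation: false,
  isDomainMismatch: false,
  isUntrusted: false,
  certificates: [
    { subject: "CN=example.test", issuer: "CN=Example Intermediate CA",
      validity: { start: SAMPLE_START, end: SAMPLE_START + 90 * DAY_MS }, isBuiltInRoot: false },
    { subject: "CN=Example Intermediate CA", issuer: "CN=Example Root", isBuiltInRoot: false },
    { subject: "CN=Example Root", issuer: "CN=Example Root", isBuiltInRoot: true },
  ],
};

if (!attachCertificateCapture(() => {})) {
  // Not in a browser: show what the explanation looks like for the sample.
  console.log(explainSecurityInfo(SAMPLE_SECURITY_INFO, SAMPLE_NOW).join("\n"));
}
```

The explanation function is kept free of browser APIs so it can be unit-tested with constructed `SecurityInfo` objects, including edge cases such as an empty chain or an expired certificate, before being wired into the extension's page.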

Please submit: (1) an explanation of your design choices (about a page of text, loosely defined); (2) all of your code (which we will run); and (3) screenshots (PDF or image files are all ok) showing examples of what your tool communicates on a number of different websites. For the third of these requirements, you should test your tool on a number of different pages with "good" certificates from different CAs (and whose certificates have a variety of characteristics), as well as a few using badSSL. (It turns out that the current spec does not support retrieving the certificate when TLS setup fails due to a bad certificate, so you may ignore this case. Sorry about that!)

Problem 2 (30 points)

As platforms like Samsung's SmartThings have brought an app-ified Internet of Things (IoT) to consumers, concerns have been raised about whether consumers are truly being notified about the privacy risks of having Internet-connected devices in their home. Thus, we want you to design a privacy notice for Internet of Things apps. You should turn in:

  1. One paragraph describing what medium (screen on a smart phone, spoken notification from something like the Amazon Echo, paper notices, etc.) you have chosen for delivering this privacy notice, and why.
  2. One paragraph describing what details you believe to be most important for an IoT app privacy notice to communicate, and why.
  3. One paragraph describing the decisions you made in designing your privacy notice.
  4. Sketches of your notice that you will use for a paper prototype. For more information on creating a paper prototype, please read this article. Note that you should have examples of all major screens or displays that a user would see. You can create sketches on paper (but turn them into PDFs), in Powerpoint, in rapid-prototyping software, etc.

(CMSC 33210 only!) Problem 3 (0 points; -45 points if not completed)

Write 3-7 sentence summaries and short "highlights" for the Englehardt and Narayanan reading assigned for May 2nd, the Miramirkhani et al. reading assigned for May 14th, and the Degeling et al. reading assigned for May 21st.