Security/Features/UI Telemetry

Status

Team

Open issues/risks

`

Stage 1: Definition

1. Feature overview

Security UI, particularly closed-form questions, typically give the user a question he/she doesn't know the answer to, often blocks any further action (performance hit) and saps user attention. The last has a particularly severe security impact: users get tired of security UI and start pressing the 'whatever' button (i.e., stop noticing the UI and just get on with their jobs). This could result in users ignoring actual attacks. Further, tired users often confuse two similar looking security questions (for example, studies have shown users confuse Android install-time warnings with software EULAs). Thus, excessive security UI leads to an overall decrease in user security, in addition to a bad user experience.

The aim of this project is to measure the relative prevalence of security UI shown to the user. With numbers on what sort of UI is shown to the user, developers can then focus on alleviating the stress on user attention. Further, this also allows us to measure the most common security dialogs, and make sure that they aren't confused with each other.

2. Users & use cases

`

3. Dependencies

`

4. Requirements

`

Non-goals

`

Stage 2: Design

5. Functional specification

The telemtry will measure ALL security UI. To start off, here's a list:

• SSL Cert error warnings (broken down into individual types)

• Add-on installer warnings

• File download warnings

• HTTP/HTTPS warnings like mixed content, insecure forms posts, passwords over cleartext etc.

6. User experience design

`

Stage 3: Planning

7. Implementation plan

`

8. Reviews

Security review

`

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

`

Operations review

`

Stage 4: Development

9. Implementation

`

Stage 5: Release

10. Landing criteria

`

Feature details

Team status notes