w3c / wcag2ict

WCAG2ICT deliverable of Accessibility Guidelines WG
https://wcag2ict.netlify.app/

Ideas for writing up security considerations #508

Closed daniel-montalvo closed 2 months ago

daniel-montalvo commented 2 months ago

@simoneonofri provided some ideas for crafting a security considerations section, similarly to how we did with privacy.

In general, I don't think there is no security impact on assistive technology in software. There is an increase of attackable surface on one side, and on the other, how it can be misused (we can consider this an abuse of functionality):

  • A common example is kiosks, where there is a security assumption that, without a keyboard or in kiosk mode, users have limited interaction; but often I used to run the On Screen Keyboard to then open a shell. Another approach that was working on ATMs was an escape by pressing the Shift key repeatedly.

  • Still on the On Screen Keyboard, there are a lot of stories, such as the substitution of the executable file, which runs in a privileged context and is usable before login^1.

  • The latest CAPTCHA bypasses leverage alternative accessible versions. In fact, there are several schools of thought on CAPTCHA use as we know them now, since they are based on JavaScript challenges; or, for example, the Google CAPTCHA that, if you are not in incognito and you are logged in with a Google account, thinks that you are a human.

I don't know if it makes sense to insert this type of considerations, at least in terms of concept.

maryjom commented 2 months ago

@simoneonofri Thank you for your review of WCAG2ICT and for your comments. I have done an initial draft of updated Security Considerations content based on your comments and thoughts. See Option 2: Proposed updates to Security Considerations due to issue 508 in our Horizontal review Google doc. Could you please review this draft content to see if it sufficiently addresses the points you raised?

NOTE: This has not yet been reviewed by the Task Force, but since we are trying to publish the final Note soon I'd like to get your input in parallel with their review.

maryjom commented 2 months ago

@simoneonofri See also the draft PR #510 where you can read the proposed content in the context of the built document Security Considerations section.

maryjom commented 2 months ago

@simoneonofri Thank you for your review of the Security Considerations in the draft WCAG2ICT Note. We have added the following text to that section to address your concerns:

This Working Group Note does not introduce any new security considerations. Since any software feature has the potential to compromise security, take care when implementing non-web ICT features added to meet WCAG 2 success criteria. NOTE: The WCAG 2 Security Considerations section lists specific success criteria with possible implications for security, which could also exist for non-web ICT. This text has been incorporated into the latest editor’s draft Security Considerations section.