29C3 - Version 1.9

F/a{hr-p).l//a,n
2.9/C-3

Speakers
Anna Shubina
Schedule
Day Day 1 - 2012-12-27
Room Saal 6
Start time 16:00
Duration 01:00
Info
ID 5208
Event type Lecture
Language used for presentation English
Feedback

What accessibility has to do with security

Accessibility of digital content is a hugely misunderstood issue. Programmers and content developers tend to view it as a distraction or a special interest concern. Accessibility advocates fail to describe it in terms that would put it in the proper place for other technologists, in particular security practitioners.
We argue that if a format or a document has systemic accessibility problems, then accessibility is likely to be the least of its problems; that accessibility only collapses first, like a canary in a mine, and security is next to follow. We argue that many accessibility problems, just like many security problems, stem from documents being hard to parse or containing executable content, and that the accessibility community is only the first to suffer, due to not having the manpower to make extremely complicated formats to almost work almost always. It's an arms race tougher than the security patching cycle, made worse by there being no common model for what accessibility properties should look like.

In fact, accessibility software is an unexpected consumer of complicated formats, and is thus the first sanity check on complexity gone out of whack. We believe that accessibility community and security community should join their efforts for working to the same goal of documents that can be easily and consistently parsed without compromising security.

We now live in the digital world where both security and accessibility solutions are daily tasked with solving problems that are in general undecidable like the halting problem. The least we can do is acknowledge the situation and accept accessibility as an asset to the computer security field.

This is a talk that attempts to place accessibility of digital content within the security field. The main point is very simple: accessibility suffers where documents are hard to parse or contain executable content, and this is where security also suffers. For example, it is not coincidental that the same features of PDF and Flash that make them the prime attack vectors also make them very hard for screenreaders to handle; in fact, a pretty good guess of where vulnerabilities are can frequently be made from what features tend to be accessibility breakers. Accessibility software developers might notice these issues before security community does, but will typically fail to communicate them to anyone who might care.

The feature bloat in digital documents is getting worse and worse, and despite frequently being of no value or of negative value to the user, it is propagated in the name of providing a better user experience. Accessibility and security would both be good reasons to stop increasing the complexity of formats and the amount of executable content in digital documents, if someone would just take this to heart.

I would like to hope that accessibility could become a reason to revert the current situation where one can no longer trust a webpage or an e-mail to be opened in any browser or mailreader that tries to parse and represent everything that is in it. If we cannot make people care about security, perhaps we can make them care about accessibility?

I will show how typical "accessible" web pages look to text-only tools such as text browsers and screen readers, and summarize several years of experience trying to understand what the users who require them must go through every day, even with the so-called "accessible" formats. The web can be surprisingly different through a text-only prism.