Re: Risks the password role does create

Actually Rich, the first bullet *has* been brought forward before as a
potential issue:


“This does make a systematic attack on those password fields a bit easier -
at present if I was to write a malicious browser plugin to capture such
passwords I’d have to find the field on each site (e.g. by finding the
label Password) etc.; it would be mildly tricky to make it work on all
sites. With this ARIA tag I could do that trivially.”

Ben Gidley (Irdeto) -
https://lists.w3.org/Archives/Public/public-aria/2016Apr/0053.html



“I believe Ben's answer is a reasonable one. Adding a password "flag" will ease
the automated spoofing of "password related operations". *Whether it is a
tolerable additional risk, or not, stays an open question to me*.”

Virginie Galindo (Gemalto) -
https://lists.w3.org/Archives/Public/public-aria/2016Apr/0100.html

JF

On Wed, Jun 22, 2016 at 12:58 PM, Richard Schwerdtfeger <
richschwer@gmail.com> wrote:

> Well,
>
> Michael, as it turns out input type=“password” is not secure either. I
> will be filing an APA issue.
>
> The first bullet is a new one I had not seen. However, the same bots can
> search for the label “password” on input fields and do the same thing.
> There is nothing new here.
>
> Rich
>
>
> On Jun 22, 2016, at 12:20 PM, Michael Cooper <cooper@w3.org> wrote:
>
> In my previous message
> <https://lists.w3.org/Archives/Public/public-aria/2016Jun/0177.html> I
> tried to separate out the risks people were concerned about with the
> password role, that I think are not caused by the role itself. Here I want
> to identify the risks that *are* created by the role, so we can weigh those
> since they're the ones I argue are the only ones we should be considering
> for the role. So far, two concerns specific to the role stick out in my
> memory:
>
>    - The presence of the role makes it easier for bots to discover custom
>    password fields and exploit such unsecured fields.
>    - The availability of the role may encourage authors to use custom
>    password fields with the risks those bring.
>
> Are there others I missed? That are caused by the password role itself,
> not by custom password fields in general.
>
> Michael
>
>
>


-- 
John Foliot
Principal Accessibility Strategist
Deque Systems Inc.
john.foliot@deque.com

Advancing the mission of digital accessibility and inclusion

Received on Wednesday, 22 June 2016 18:10:10 UTC
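The discoverability argument in Ben Gidley's quote above, as an added example that is not part of the thread or of any W3C deliverable: a script that walks a page and locates password entry points three ways, by the native `type="password"`, by the proposed `role="password"`, and by the label-guessing heuristic a script would otherwise have to use. The form markup is constructed for the example, the English keyword list is an assumption about what such a heuristic would contain, and the small start-tag scanner stands in for `document.querySelectorAll` so the file runs under Node without a browser; in an extension you would read the live DOM instead.

```javascript
// Added example (not from the thread): how discoverable a custom password field
// is to a script that walks the page. Contrasts the label heuristic Ben Gidley
// describes with a direct role/type lookup. Runs under Node on a constructed
// HTML string; the tiny start-tag scanner below stands in for the DOM.

// Constructed sample form: one native field, three fields carrying the proposed
// ARIA role (one with a German label, one with an unusual label), and one
// custom field that carries no role at all.
const SAMPLE_HTML = `
<form>
  <label for="user">Username</label>
  <input id="user" type="text" name="user">

  <label for="pw1">Password</label>
  <input id="pw1" type="password" name="pw1">

  <label for="pw2">Password</label>
  <input id="pw2" type="text" role="password">

  <label for="pw3">Passwort</label>
  <div id="pw3" contenteditable="true" role="password"></div>

  <label for="pw4">Secret phrase</label>
  <input id="pw4" type="text" role="password" autocomplete="off">

  <input id="pw5" type="text" placeholder="Enter your password">
</form>
`;

// Minimal start-tag scanner: yields {tag, attrs, text} per start tag, where
// text is the character data up to the next tag (enough to read label text).
// Only double-quoted attribute values are handled; that is all the sample uses.
function parseElements(html) {
  const elements = [];
  const tagRe = /<(\w+)([^>]*)>([^<]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1].toLowerCase()] = a[2];
    elements.push({ tag: m[1].toLowerCase(), attrs, text: m[3].trim() });
  }
  return elements;
}

// Anything a user can type into: an <input> or a contenteditable element.
function isEditable(el) {
  return el.tag === 'input' || (el.attrs.contenteditable || '').toLowerCase() === 'true';
}

function idOf(el) {
  return el.attrs.id || el.attrs.name || '(anonymous)';
}

// Strategy 1: the native control. One attribute test, no guessing.
function findNativePasswordFields(elements) {
  return elements
    .filter(el => el.tag === 'input' && (el.attrs.type || '').toLowerCase() === 'password')
    .map(idOf);
}

// Strategy 2: the proposed ARIA role. Equally deterministic, and it reaches
// custom fields (type=text inputs, contenteditable divs) that strategy 1 cannot.
function findByAriaRole(elements) {
  return elements
    .filter(el => isEditable(el) && (el.attrs.role || '').toLowerCase() === 'password')
    .map(idOf);
}

// Strategy 3: the label heuristic a script must fall back on without the role.
// The keyword list is an assumption for illustration; a real one would need
// every language and every site-specific wording the attacker cares about.
const PASSWORD_WORDS = /password|passcode|passphrase|\bpin\b/i;

function findByLabelHeuristic(elements) {
  const labelText = new Map();
  for (const el of elements) {
    if (el.tag === 'label' && el.attrs.for) labelText.set(el.attrs.for, el.text);
  }
  return elements
    .filter(el => {
      if (!isEditable(el)) return false;
      const a = el.attrs;
      const clues = [labelText.get(a.id) || '', a['aria-label'] || '',
                     a.placeholder || '', a.name || '', a.id || ''];
      return clues.some(c => PASSWORD_WORDS.test(c));
    })
    .map(idOf);
}

// Custom fields the role exposes that the heuristic misses, and custom fields
// (non-native, no role) that only the heuristic happens to catch.
function heuristicGaps(elements) {
  const native = new Set(findNativePasswordFields(elements));
  const byRole = new Set(findByAriaRole(elements));
  const byLabel = new Set(findByLabelHeuristic(elements));
  return {
    missedByHeuristic: [...byRole].filter(id => !byLabel.has(id)),
    missedByRole: [...byLabel].filter(id => !byRole.has(id) && !native.has(id)),
  };
}

const page = parseElements(SAMPLE_HTML);
console.log('native   :', findNativePasswordFields(page));
console.log('role     :', findByAriaRole(page));
console.log('heuristic:', findByLabelHeuristic(page));
console.log('gaps     :', heuristicGaps(page));
```

On the constructed form the role query returns pw2, pw3 and pw4 with no guessing at all, while the English keyword heuristic finds pw1, pw2 and pw5 and misses the German-labelled and oddly-labelled fields; that difference is exactly the "trivially" versus "mildly tricky" gap the quoted message describes. The same role query is also what a site owner can run to audit which custom password fields exist on their own pages.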