Forwarding on behalf of Jeffrey Altman. Apparently, Jeffrey has had some trouble posting to the list.

--
Thomas Roessler, W3C <tlr@w3.org>

From: Jeffrey Altman <jaltman@secure-endpoints.com>
Organization: Secure Endpoints Inc.
To: Michael.Mccormick@wellsfargo.com
CC: public-usable-authentication@w3.org
Subject: Re: Secure Chrome

Michael.Mccormick@wellsfargo.com wrote:
> - Make built-in browser dialog boxes visually distinguishable from
> script generated dialog boxes

This is the real catch. You almost want a requirement that says as long as the browser is using graphic image 'lock' to represent a state of security that no image similar to 'lock' can be displayed as part of the content obtained from the web site.

Without such a requirement the attackers simply use the "paint a fake browser within the browser window" attack.

Jeffrey Altman

Received on Friday, 14 April 2006 21:01:25 GMT