
Re: UI issues for security consideration

From: Lisa Dusseault <lisa.dusseault@gmail.com>
Date: Tue, 1 Dec 2009 13:46:30 -0800
Message-ID: <ca722a9e0912011346u38718b43l1e284dd38abc7a9d@mail.gmail.com>
To: David Singer <singer@apple.com>
Cc: public-web-security@w3.org
I've been known to get on a soap-box about how login redirects like
those used in OpenID and OAuth, if not mediated by a trusted UI,
habituate the user to a specific insidious kind of spoofing (diagrams
and other explanations can be found in
http://blog.commerce.net/wp-content/uploads/2006/10/apachecon-beyond-passwords.pdf).
  But I walked away from that soapbox a while back and can't be arsed
to create a login to add the scenario.

--Lisa "Lazy" Dusseault

On Tue, Dec 1, 2009 at 11:44 AM, David Singer <singer@apple.com> wrote:
> Hi
>
> Thomas asked me to start the page on security issues at the UI (or with the interaction between UI and user).  I have typed something very brief into the Wiki at <http://www.w3.org/Security/wiki/Trusted_User_Interface>, with introductory sentences on spoofing and clickjacking.  I am sure there are other UI level security issues that should be there, and it might be good to have examples (it might be bad also - we don't want to supply a cookbook to would-be malefactors) or pointers to 'well-known' examples of previous, um, 'art'.
>
> Have at it...
>
> David Singer
> Multimedia and Software Standards, Apple Inc.
Received on Tuesday, 1 December 2009 21:47:10 GMT
