
Re: XSS mitigation in browsers

From: Henrich C. Pöhls <newsletter@2000grad.com>
Date: Fri, 21 Jan 2011 11:03:07 +0100
Cc: Giorgio Maone <g.maone@informaction.com>, Michal Zalewski <lcamtuf@coredump.cx>, Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>, "Henrich C. Pöhls" <hp@sec.uni-passau.de>
Message-Id: <9C7E9336-CD90-45A1-B661-2A1F72E85977@2000grad.com>
To: gaz Heyes <gazheyes@gmail.com>
Dear all,

On 21.01.2011 at 10:25, gaz Heyes wrote:

> On 21 January 2011 07:32, Giorgio Maone <g.maone@informaction.com> wrote:
>> ...but the response to any solutions that require any UI logic was
>> overwhelmingly negative.
>> Well, just a few days later a quite similar concept was implemented and
>> successfully shipped:
>> http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/
> ClearClick is great, it prevents clickjacking very well and gives a clear
> indicator to override and allow. </endorsement>
> To prevent "like" buttons being used without a user's knowledge they really
> need to become part of the browser UI, or external content needs to be
> highlighted in such a way that it's clear to the user, e.g. an iframe shouldn't be
> able to be styled in such a way that its dimensions are too small, and
> elements should not overlay it. The iframe itself needs to be clear about where
> it's coming from. I've mocked up a way to highlight an iframe's domain:
> <http://www.businessinfo.co.uk/labs/test_files/iframe-indicator.png>
> So when some content is intended to be included in a web site with
> X-Frame-Options:Allow, the iframe indicator shows and prevents the
> iframe from being resized to very small dimensions, and it should always
> appear on top of any content and within the screen area.

This is a nice mockup and a nice UI extension. I would like to see another addition 
to this iframe indicator: TLS certificate verification information.
By this I mean that if the iframe was delivered over https, from a different 
location than the site, then it should be communicated to the user where it comes from.
At the moment, any nested SSL verification is done under the hood, and positive verification
results cannot be seen by the user. Of course browsers flag a warning if there are 
negative results.
Hence, with existing UIs a user cannot see on the checkout page of a merchant
whether the iframe-embedded credit card data field comes from the "Verified-By-Visa" process or from a phisher.

For more details, I had a paper on this at GI Sicherheit 2010: <http://web.sec.uni-passau.de/papers/2010_Poehls_Show_Multiple_SSL_Certificate_Verifications_GI-Sicherheit.pdf>

So I suggest that the domain is shown with the same UI highlighting and 
UI indicator elements (padlocks, ...) that the address bar uses to communicate the TLS certificate verification.
And of course clicking the iframe indicator takes the user directly to the verified certificate details.

Best Regards,
Henrich C. Pöhls

Dipl.-Inform. M.Sc. Info.-Security Henrich C. Poehls
Research Assistant
Institute of IT-Security and Security Law (ISL)
University of Passau, Innstr. 43, 94032 Passau, Germany

Tel: +49 851 - 509 3217
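Added example, not code from the original post, from gaz Heyes' mockup or from the W3C list. It models what page script in the top-level document can learn about an embedded iframe from its src attribute alone, which is the gap the message describes: the address-bar padlock speaks for the top document only, and a cross-origin frame's TLS verification result is invisible to script, so the proposed per-iframe indicator has to be drawn by the browser. The sample URLs (shop.example, 3ds.cardissuer.example) are constructed, the verdict labels are my own, and resolution follows the WHATWG URL parser as shipped in Node and current browsers.

```javascript
// Added example (not from the original post). Classifies an <iframe> src as
// seen from the embedding page, and spells out what script can and cannot
// verify about it. Assumptions: inputs are strings; WHATWG URL parser.

function classifyFrameSource(documentUrl, srcAttr) {
  const doc = new URL(documentUrl);
  let target;
  try {
    // Resolves relative paths and scheme-relative "//host/path" forms.
    target = new URL(srcAttr, doc);
  } catch (e) {
    return { verdict: "unparseable", host: null, scheme: null,
             sameOrigin: false, scriptCanInspect: false, certVisibleToScript: false };
  }

  const sameOrigin = target.origin === doc.origin;
  const result = {
    host: target.hostname || null,
    scheme: target.protocol,
    sameOrigin,
    // Same-origin frames expose contentWindow.location; cross-origin ones
    // throw a SecurityError on access.
    scriptCanInspect: sameOrigin,
    // No web API exposes certificate details for any frame, even same-origin.
    certVisibleToScript: false,
  };

  if (["about:", "javascript:", "data:", "blob:"].includes(target.protocol)) {
    // Origin is inherited from the embedder or opaque; nothing was fetched
    // over TLS for this src, so there is no certificate to show.
    result.verdict = "opaque-or-inherited";
  } else if (sameOrigin) {
    // The top-level padlock does describe this frame's connection.
    result.verdict = "same-origin";
  } else if (doc.protocol === "https:" && target.protocol === "http:") {
    // Plain-HTTP frame in an HTTPS page: blockable mixed content in
    // current browsers; in 2011 it was merely warned about.
    result.verdict = "mixed-content";
  } else if (target.protocol === "https:") {
    // The checkout case from the message: served over TLS, but the page's
    // padlock says nothing about this host's certificate, and a redirect
    // after the fetch can change the final origin without the src changing.
    result.verdict = "cross-origin-https";
  } else {
    result.verdict = "cross-origin-other";
  }
  return result;
}

// Text the proposed per-iframe indicator would need to show. The certificate
// part is left as a placeholder because only the browser can fill it in.
function indicatorLabel(documentUrl, srcAttr) {
  const c = classifyFrameSource(documentUrl, srcAttr);
  if (c.verdict === "unparseable" || c.verdict === "opaque-or-inherited") {
    return "embedded content with no fetched origin";
  }
  const base = `embedded from ${c.host} (${c.scheme.replace(":", "")})`;
  return c.verdict === "cross-origin-https"
    ? base + "; certificate: [browser must supply]"
    : base;
}

// Constructed sample (hypothetical hosts): a merchant checkout page embedding
// a card-issuer verification frame, a CDN widget, a plain-HTTP frame and a
// same-origin frame.
const samples = [
  ["https://shop.example/checkout", "https://3ds.cardissuer.example/verify"],
  ["https://shop.example/checkout", "//cdn.example/widget"],
  ["https://shop.example/checkout", "http://ads.example/x"],
  ["https://shop.example/checkout", "/frame.html"],
  ["https://shop.example/checkout", "about:blank"],
];
for (const [page, src] of samples) {
  console.log(indicatorLabel(page, src));
}
```

The interesting return field is certVisibleToScript, which is false in every branch: even for a same-origin frame the page can at best read the frame's URL, never the verification result, so a merchant page cannot build this indicator itself and a phishing frame served over its own valid certificate looks identical to script.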
Received on Saturday, 22 January 2011 07:06:42 GMT
