Re: Defenses against phishing via the fullscreen api (was Re: full screen api) from Maciej Stachowiak on 2012-10-22 (public-webapps@w3.org from October to December 2012)

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 22 Oct 2012 15:50:44 -0700
To: Chris Pearce <cpearce@mozilla.com>
Cc: Florian Bösch <pyalot@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "Carr, Wayne" <wayne.carr@intel.com>, "public-webapps@w3.org" <public-webapps@w3.org>, Feross Aboukhadijeh <feross@feross.org>, Jonas Sicking <jonas@sicking.cc>
Message-id: <1B70055F-248E-4B11-89BC-89D8FB0BA37A@apple.com>

On Oct 22, 2012, at 3:04 PM, Chris Pearce <cpearce@mozilla.com> wrote:

> 
> This looks remarkably like Mozilla's original proposal:
> https://wiki.mozilla.org/Gecko:FullScreenAPI
> 
> We chose not to implement this as it offers little protection against phishing or spoofing attacks that don't rely on keyboard access. In those cases making the user aware that they've entered fullscreen is pretty much the best defence the user has. Other than not having a fullscreen API at all.

There may be phishing scenarios that work without keyboard access, but I expect they are *far* less common and harder to pull off. To argue from anecdote, I visit many sites where I identify myself with a typed password, and none where I exclusively have a mouse-based credential that does not involve typing (though I've seen sites that use it as an additional factor). I think it's not justified to conclude that the phishing risk with and without alphanumeric keyboard access is identical. They are not.

> 
> Our fullscreen approval UI in Firefox is based around the assumption that for most users the set of sites that use the fullscreen API that the user encounters on a daily basis is small, and users would tend to opt to "remember" the fullscreen approval for those domains. I'd imagine the set would be YouTube, Facebook, and possibly ${FavouriteGame}.com for most users. Thus users would see a notification and not an approval prompt most of the time when they entered fullscreen. But when some other site goes fullscreen they do get a prompt, which is out of the ordinary and more likely to be read.

I think the chance of the user paying attention to a prompt that, every time they have seen it before, has been completely harmless, is pretty low. The odds of the user making an informed security decision based on what the prompt says is even lower.

Based on all this, I continue to think that requesting keyboard access should involve separate API, so that it can be feature-detected and given different security treatment by vendors as desired. This is what Flash does, and they have the most experience dealing with the security implications of fullscreen on the Web.

Regards,
Maciej

Received on Monday, 22 October 2012 22:51:13 UTC