RE: Favicon anti-pattern from michael.mccormick@wellsfargo.com on 2007-04-20 (public-wsc-wg@w3.org from April 2007)

From: <michael.mccormick@wellsfargo.com>
Date: Fri, 20 Apr 2007 15:08:28 -0500
To: <Mary_Ellen_Zurko@notesdev.ibm.com>
Cc: <public-wsc-wg@w3.org>
Message-ID: <8A794A6D6932D146B2949441ECFC9D6802B4D3B5@msgswbmnmsp17.wellsfargo.com>
Per MEZ's request, I offer the following additional content regarding favicons.
 
First, I did find a single paragraph in the current Note (use cases) regarding favicons that I feel needs updating:

 

 9.2.5 Favicon


 The URL bar may display a logo retrieved from a location specified in the web site's content, or discovered in a well known location [favicon <http://www.w3.org/TR/wsc-usecases/#favicon-howto> ]. In either case, the choice to display a logo, and what image to use, is at the discretion of the visited web site.  In some browsers the favicon logo is also displayed in Bookmarks/Favorites listings and associated toolbar buttons, window titles, tab titles, and elsewhere.  No central organization exists to control or approve these images.

The text I propose we append appears above in red.  (Last 2 sentences for those not viewing this email as HTML or suffer red-blue color blindness).
 
Second, there is the matter of Recommendations.  I personally believe favicons undermine security context.  Mary Ellen challenged me to document my reasons for this so WSC can possibly document favicons as an anti pattern:

 Whether consciously or unconsciously, many users are beginning to view favicon logos as security context information.  Specifically, they feel that seeing the logo they expected for a particular site is somehow an assurance the site is genuine.  Because the logo appears in browser chrome rather than the HTML page, it creates an impression that the logo is more "official".
  
 This is a mistake on the users' part because no central organization controls or approves the assignment of favicons to sites.  A malicious entity can steal the exact logo used by a legitimate site (or create a visually indistinguishable logo) and associate it with a different site for impersonation purposes.
  
 Favicons are not registered with nor regulated by a central authority.  Favicons are not cryptographically protected for authenticity or integrity.
  
 For these reasons, favicon use on web sites requiring user trust should be considered a security anti-pattern.  Favicons undermine the web security context display in two ways.  First, they appear to provide security context but in reality do not.  Second, they blur the distinction between chrome and content.
  
 Favicons could be made more secure if they were drawn from a logo registry controlled by a central authority, or perhaps tied to signed DNSSEC records, and browsers were changed to only display approved and cryptographically protected favicons.  The central authority would have to prevent two sites from using visually similar logos.
  
 Finally, it's worth noting that logographic extensions to X.509, which many sites plan to use in future to visually brand their SSL certificates, suffer from many of the same security problems as favicons.

I welcome feedback.  I have not entered any of this in the wiki because I feel it needs some group discussion first.
 
Thanks, Mike

  _____  

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com] 
Sent: Friday, April 13, 2007 4:53 PM
To: McCormick, Mike
Subject: RE: URL Recommendation




I thought so (I'm offline in a plane right now).

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




<michael.mccormick@wellsfargo.com> 

04/12/2007 07:35 PM

To
<Mary_Ellen_Zurko@notesdev.ibm.com> 
cc
Subject
RE: URL Recommendation

 




OK, maybe I'll take a stab at that.  There's already a discussion of favicons somewhere in the Note, right?


  _____  

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com] 
Sent: Thursday, April 12, 2007 3:23 PM
To: McCormick, Mike
Subject: Re: URL Recommendation


I'm on the fence about extracting your favicon comment and making it a separate anti pattern proposed recommendation "Favicon is evil for [list of reasons] - discuss". I think for now I won't, but if you believe it's a good one, feel free to put it in the wiki. 

         Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect



<michael.mccormick@wellsfargo.com>
Sent by: member-wsc-wg-request@w3.org 

04/11/2007 08:04 PM



To
<member-wsc-wg@w3.org> 
cc
Subject
URL Recommendation


 





As long as I'm clogging your Inboxes, allow me to very briefly reiterate my points from this morning's Lightning Discussion regarding the "URL Recommendation" (http://www.w3.org/2006/WSC/wiki/UrlRecommendation <http://www.w3.org/2006/WSC/wiki/UrlRecommendation> ). 

Setting aside the favicon (which was a bad idea IMHO since users mistakenly rely on it as a trust cue) nothing in the address bar or URL string is looked at by the majority of ordinary users.  This has been confirmed by the Carnegie Mellon study among others. 

For the small minority of users who do look at the address/location bar, there are really two security cues we need to think about: 

1. "https" indicates SSL/TLS security is active 
2. domain portion of the host (e.g., "mybank.com" in https://www.mybank.com/index.html <https://www.mybank.com/index.html> ) identifies the site 

For cue (1) we already have a corresponding graphical indicator in the form of the much maligned padlock.  Considering all the confusion it causes though, one has to wonder whether its benefit outweighs its weakness.  I for one don't trust it as much as the "https" in the URL.  This ties back to the need for secure chrome. 

For cue (2) I do see an opportunity for browsers to add some value by displaying the current domain name somewhere in chrome.  This would particularly help in situations where the domain is not in fact accurately represented by the domain portion of the host string.  See http://www.contentverification.com/obfuscation-attacks/index.html <http://www.contentverification.com/obfuscation-attacks/index.html> for some common domain obfuscation exploits used by phishers. 

Michael McCormick,CISSP
Lead Architect, Information Security Technology 
Wells Fargo Bank 
255 Second Avenue South 
MAC N9301-01J 
Minneapolis MN 55479 
*      612-667-9227 (desk)             *      612-667-7037 (fax) 
(   michael.mccormick@wellsfargo.com (AIM) 
*       612-621-1318 (pager)            *      michael.mccormick@wellsfargo.com <mailto:michael.mccormick@wellsfargo.com>  

“THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO"
This message may contain confidential and/or privileged information.  If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein.  If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.  Thank you for your cooperation.
Received on Friday, 20 April 2007 20:09:23 UTC