- From: Anil Saldhana <Anil.Saldhana@redhat.com>
- Date: Mon, 01 Oct 2007 17:41:08 -0500
- To: Johnathan Nightingale <johnath@mozilla.com>
- CC: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
Johnathan,

I added your definition to the draft. But I need to clean it up a little. More in person.

Anil

Johnathan Nightingale wrote:
>
> It came up while discussing the robustness section of the draft
> recommendations that "whack-a-mole" attacks were being referenced
> without definition. Here goes:
>
> --
> A "whack-a-mole attack" refers to a type of malicious website which
> attempts to perform some other action (e.g. installing software) which
> normally requires user intervention (e.g. by clicking OK on a warning
> dialog) by exploiting distraction and task-focus.
>
> The web site will deliberately create a large number of dialog boxes
> (real or synthesized with web content) in front of some desirable
> content, motivating the user to attempt to dismiss the dialogs
> rapidly, without inspecting their contents. Among the many irrelevant
> dialog boxes, however, will be the one presented by the user agent
> indicating the need for a trust decision. The expectation of the
> attacker is that, being focused exclusively on getting rid of the
> dialog boxes, the user will not take the necessary care to make
> meaningful trust decisions, when they reach the legitimate warning
> dialog.
> --
>
> Too wordy? I resisted giving etymology of the name, easy enough to
> google that part.
>
> J
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>

--
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/
Received on Monday, 1 October 2007 22:41:44 UTC