RE: Single site browsers

A user agent running with a customized user interface such as a "skin"
or "persona" is within scope of this standard.  Specifically such
agents:

 1. MUST include some minimal primary chrome where signals can be
presented to the user outside of the site's control

 2. SHOULD include in primary chrome the security context indicators
mandated elsewhere in this standard

 3. SHOULD provide alternative means of viewing security context
information normally displayed in chrome that is not present (e.g.,
location bar)
 



From: Johnathan Nightingale [mailto:johnath@mozilla.com] 
Sent: Thursday, March 13, 2008 1:02 PM
To: McCormick, Mike
Cc: public-wsc-wg@w3.org
Subject: Re: Single site browsers


Feels like scope creep to me - it seems pretty unlikely that a single
site browser would ever be able to claim compliance anyhow, given the
lack of most primary chrome.

But I guess it's hard to decide either way without specific text to look
at.

Cheers,

J 

On 13-Mar-08, at 1:54 PM, <michael.mccormick@wellsfargo.com> wrote:


	http://labs.mozilla.com/2007/10/prism/
	http://fluidapp.com/

	Should WSC take a position on single site browsers created using
tools like Prism or Fluid? 

	My biggest concern is they give users a false sense of security.
"If I double click a desktop icon called Wells Fargo then the
application that launches must really be Wells Fargo's."  In reality
SSBs are just as vulnerable to DNS poisoning, malware, & most other
attacks as "normal" browsers.

	I would find SSBs more useful from a security perspective if
they could launch the underlying browser engine with specific security
preferences (no SSLv2, no JavaScript, etc.).

	At minimum it seems to me WSC should require SSBs (and other
custom browser personas, skins, etc.) MUST always display the same
security context indicators as "normal" browsers.

	Mike 

	P.S. Still trying to figure out how this applies to SSB-like
custom user agents such as iTunes.... 


	Michael McCormick, CISSP 
	Lead Security Architect, Information Security Technologies 
	Wells Fargo Bank 
	"THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF
WELLS FARGO" 
	This message may contain confidential and/or privileged
information.  If you are not the addressee or authorized to receive this
for the addressee, you must not use, copy, disclose, or take any action
based on this message or any information herein.  If you have received
this message in error, please advise the sender immediately by reply
e-mail and delete this message.  Thank you for your cooperation.


---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Thursday, 13 March 2008 18:28:57 UTC