- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Wed, 3 Sep 2008 23:23:01 +0000
- To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Firefox 3 displays a site's specified favicon in its Identity Signal, located to the left of the address bar. This icon is also the button which is clicked to get additional authentication information. Needless to say, an attacker could register a domain like mountainamerica.com and use the favicon of Mountain America Credit Union, and similarly for any other site to be impersonated. There is no reason to believe that the specified favicon is trustworthy information. The user is being deceived by this presentation. Surely this implementation could not possibly conform to our current rec text. If by some horrific accident it does conform to the rec, I think we need to change the rec text. --Tyler
Received on Wednesday, 3 September 2008 23:25:16 UTC