- From: Mike Beltzner <beltzner@mozilla.com>
- Date: Wed, 3 Sep 2008 20:11:41 -0400
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>

On 3-Sep-08, at 7:23 PM, Close, Tyler J. wrote:

> Firefox 3 displays a site's specified favicon in its Identity
> Signal, located to the left of the address bar. This icon is also
> the button which is clicked to get additional authentication
> information. Needless to say, an attacker could register a domain
> like mountainamerica.com and use the favicon of Mountain America
> Credit Union, and similarly for any other site to be impersonated.
> There is no reason to believe that the specified favicon is
> trustworthy information. The user is being deceived by this
> presentation.

And if they did so, clicking the button would claim that there was no additional security context information. To have the dialog make any claims of significance, the user would also have to obtain an EV certificate for Mountain America Credit Union.

cheers,
mike

Received on Thursday, 4 September 2008 00:12:23 UTC