
RE: Favicon as secure chrome

From: Close, Tyler J. <tyler.close@hp.com>
Date: Tue, 16 Sep 2008 21:13:53 +0000
To: Mike Beltzner <beltzner@mozilla.com>
CC: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Message-ID: <1A961C2CE8A6F041856127ED3EA677261E644A5060@GVW0538EXC.americas.hpqcorp.net>

I'm wondering if any part of the Firefox 3.0 identity signal complies with the conformance language in section 7.2 of wsc-ui. For example, consider the page at:

https://addons.mozilla.org/en-US/firefox/

-The displayed URL is site-controlled content.
-The displayed favicon is site-controlled content.
-Clicking on the favicon brings up a pop-up that displays:
    -The site's effective TLD, "mozilla.org", which is also site-controlled content. For example, a phisher might obtain a certificate for a similar TLD, like "mozila.org".

Is section 7.2 a feature-at-risk?

--Tyler

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Close, Tyler J.
Sent: Monday, September 15, 2008 2:58 PM
To: Mike Beltzner
Cc: public-wsc-wg@w3.org
Subject: RE: Favicon as secure chrome


I think the current Firefox 3.0 implementation violates the recommendation's restrictions on displaying content in chrome.

"Web Security Context: User Interface Guidelines - 7.2 Do not mix content and security indicators"
<http://www.w3.org/TR/wsc-ui/#site-identifying>

A discussion of this topic might help us evaluate how useful the current text of this recommendation is; specifically, the line that says:

"Site-controlled content (e.g. page title, favicon) MAY be hosted in chrome, but this content MUST NOT be displayed in a manner that confuses hosted content and chrome indicators."

In this case, the favicon is used as a secure chrome button. To me, that seems like a clear violation. Does the rec text provide a clear answer in this case?

This rec text was previously at:

"Web Security Context: User Interface Guidelines - 7.2 Do not mix content and security indicators"
<http://www.w3.org/TR/wsc-xit/#site-identifying>

--Tyler

-----Original Message-----
From: Mike Beltzner [mailto:beltzner@mozilla.com]
Sent: Wednesday, September 03, 2008 5:12 PM
To: Close, Tyler J.
Cc: public-wsc-wg@w3.org
Subject: Re: Favicon as secure chrome

On 3-Sep-08, at 7:23 PM, Close, Tyler J. wrote:

> Firefox 3 displays a site's specified favicon in its Identity Signal,
> located to the left of the address bar. This icon is also the button
> which is clicked to get additional authentication information.
> Needless to say, an attacker could register a domain like
> mountainamerica.com and use the favicon of Mountain America Credit
> Union, and similarly for any other site to be impersonated.
> There is no reason to believe that the specified favicon is
> trustworthy information. The user is being deceived by this
> presentation.

And if they did so, clicking the button would claim that there was no additional security context information.

To have the dialog make any claims of significance, the user would also have to obtain an EV certificate for Mountain America Credit Union.

cheers,
mike
Received on Tuesday, 16 September 2008 21:15:31 GMT
