W3C home > Mailing lists > Public > www-style@w3.org > December 2006

RE: [CSS3UI] Concerned about Appearance:Password

From: Robert Chapin <w3-list@info-svc.com>
Date: Sat, 2 Dec 2006 10:00:36 -0500
To: <www-style@w3.org>
Message-Id: <20061202150036.ADF06223AB9@smtp1.dnsmadeeasy.com>

 
If UAs interpret this property as a display feature for non-password inputs,
then a phisher could create a quasi-password input under CSS3 that appears
identical to a legitimate password input.

On the other hand, if UAs interpret this property as an instruction to
convert non-password inputs into trusted password inputs, then anyone with
the ability to inject some CSS could potentially compromise the UA and its
credential store.
_____________
Robert Chapin
Chapin Information Services, Inc. 
-----Original Message-----
From: Bjoern Hoehrmann [mailto:derhoermi@gmx.net] 
Sent: Saturday, December 02, 2006 5:42 AM
To: Robert Chapin
Cc: www-style@w3.org
Subject: Re: [CSS3UI] Concerned about Appearance:Password

* Robert Chapin wrote:
>In light of new attack vectors described at ...
>
>http://www.info-svc.com/news/11-21-2006/
>
>.... it is highly unlikely that an Appearance:Password property would 
>be implemented in a safe way.

I don't see the relationship between the two, could you elaborate?
--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Saturday, 2 December 2006 15:05:56 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:47 GMT