- From: John Foliot <john.foliot@deque.com>
- Date: Wed, 22 Jun 2016 13:09:38 -0500
- To: Richard Schwerdtfeger <richschwer@gmail.com>
- Cc: Mike Cooper <cooper@w3.org>, ARIA <public-aria@w3.org>
- Message-ID: <CAKdCpxwwZwQpp1+perzYZDTAw93ADBLoqF-gUcVuF7zxi63uuA@mail.gmail.com>
Actually Rich, the first bullet *has* been brought forward before as a potential issue:

“This does make a systematic attack on those password fields a bit easier - at present if I was to write a malicious browser plugin to capture such passwords I’d have to find the field on each site (e.g. By finding the label Password) etc, it would be mildly tricky to make it work on all sites. With this ARIA tag I could do that trivially.”
Ben Gidley (Irdeto) - https://lists.w3.org/Archives/Public/public-aria/2016Apr/0053.html

“I believe Ben answer is reasonable one. Adding a password "flag" will ease the automated spoofing on "password related operations". *Is it a tolerable additional risk, or not, stays an open question to me*.”
Virginie Galindo (Gemalto) - https://lists.w3.org/Archives/Public/public-aria/2016Apr/0100.html

JF

On Wed, Jun 22, 2016 at 12:58 PM, Richard Schwerdtfeger <richschwer@gmail.com> wrote:

> Well,
>
> Michael, as it turns out input type=“password” is not secure either. I will be filing an APA issue.
>
> The first bullet is a new one I had not seen. However, the same bots can search for the label “password” on input fields and do the same thing. There is nothing new here.
>
> Rich
>
> On Jun 22, 2016, at 12:20 PM, Michael Cooper <cooper@w3.org> wrote:
>
> In my previous message <https://lists.w3.org/Archives/Public/public-aria/2016Jun/0177.html> I tried to separate out the risks people were concerned about with the password role, that I think are not caused by the role itself. Here I want to identify the risks that *are* created by the role, so we can weigh those since they're the ones I argue are the only ones we should be considering for the role. So far, two concerns specific to the role stick out in my memory:
>
> - The presence of the role makes it easier for bots to discover custom password fields and exploit such unsecured fields.
> - The availability of the role may encourage authors to use custom password fields with the risks those bring.
>
> Are there others I missed? That are caused by the password role itself, not by custom password fields in general.
>
> Michael

--
John Foliot
Principal Accessibility Strategist
Deque Systems Inc.
john.foliot@deque.com
Advancing the mission of digital accessibility and inclusion
Received on Wednesday, 22 June 2016 18:10:10 UTC