- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 14 Apr 2006 23:01:22 +0200
- To: Jeffrey Altman <jaltman@secure-endpoints.com>
- Cc: Michael.Mccormick@wellsfargo.com, public-usable-authentication@w3.org
Forwarding on behalf of Jeffrey Altman. Apparently, Jeffrey has had some trouble posting to the list.

--
Thomas Roessler, W3C <tlr@w3.org>

From: Jeffrey Altman <jaltman@secure-endpoints.com>
Organization: Secure Endpoints Inc.
To: Michael.Mccormick@wellsfargo.com
CC: public-usable-authentication@w3.org
Subject: Re: Secure Chrome

Michael.Mccormick@wellsfargo.com wrote:

> - Make built-in browser dialog boxes visually distinguishable from
> script generated dialog boxes

This is the real catch. You almost want a requirement that says as long as the browser is using graphic image 'lock' to represent a state of security that no image similar to 'lock' can be displayed as part of the content obtained from the web site. Without such a requirement the attackers simply use the paint a fake browser within the browser window attack.

Jeffrey Altman

Received on Friday, 14 April 2006 21:01:25 UTC