
Re[2]: Secure Chrome

From: Chris Drake <christopher@pobox.com>
Date: Tue, 13 Jun 2006 01:01:40 +1000
Message-ID: <1158332059.20060613010140@pobox.com>
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
CC: "Frederick Hirsch" <frederick.hirsch@nokia.com>, "George Staikos" <staikos@kde.org>, <public-usable-authentication@w3.org>

Hi Phillip,

> Preventing that attack is the job of the operating system.
> If the O/S is compromised there can be no security.

This is only true when the OS has been compromised by something
specifically targeting your authentication system (or, like the
pile of banking viruses and trojans did, targeting the more general
case of any browser window with passwords, or that had credit card
numbers keyed into them).

I don't believe we should declare all protection against client-side
attacks "out of scope", nor should we not at least attempt to do what
we can while the O/S people tinker about the edges of this problem.
No fix has arrived for two decades so far - so I think it's more than
reasonable to assume that O/S vendors are not going to be delivering
one anytime soon.

Either we protect our users - or nobody does.

Kind Regards,
Chris Drake
Received on Monday, 12 June 2006 15:02:12 UTC
