- From: Lisa Dusseault <lisa.dusseault@gmail.com>
- Date: Tue, 1 Dec 2009 13:46:30 -0800
- To: David Singer <singer@apple.com>
- Cc: public-web-security@w3.org
I've been known to get on a soap-box about how login redirects like those used in OpenID and OAUTH, if not mediated by a trusted UI, habituate the user to a specific insidious kind of spoofing (diagrams and other explanations can be found in http://blog.commerce.net/wp-content/uploads/2006/10/apachecon-beyond-passwords.pdf). But I walked away from that soapbox a while back and can't be arsed to create a login to add the scenario.

--Lisa "Lazy" Dusseault

On Tue, Dec 1, 2009 at 11:44 AM, David Singer <singer@apple.com> wrote:
> Hi
>
> Thomas asked me to start the page on security issues at the UI (or with the interaction between UI and user). I have typed something very brief into the Wiki at <http://www.w3.org/Security/wiki/Trusted_User_Interface>, with introductory sentences on spoofing and clickjacking. I am sure there are other UI level security issues that should be there, and it might be good to have examples (it might be bad also - we don't want to supply a cookbook to would-be malefactors) or pointers to 'well-known' examples of previous, um, 'art'.
>
> Have at it...
>
> David Singer
> Multimedia and Software Standards, Apple Inc.
Received on Tuesday, 1 December 2009 21:47:10 UTC