Re: UI issues for security consideration from Eduardo Vela on 2009-12-04 (public-web-security@w3.org from December 2009)

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Fri, 4 Dec 2009 22:21:10 +0800
To: public-web-security@w3.org
Message-ID: <8ba534860912040621l2fb59370q49c2629859abf5d9@mail.gmail.com>

I think the wiki should include examples, and I think security community
will be happy to provide them.. if noone opposes against that I'll start
doing so when I find time.

Regarding UI issues, maybe covering LTR/RTL chars on browser's dialog boxes
would be wise on the Spoofing section.

Stuff like:

"The website [URL] wants to be your default homepage, ok? [OK]"

with this input:

"http://sirdarckcat.net/?x=[RTL]x?detacsufbo/moc.elgoog.www//:ptth"

will be shown in some browser's dialogs as:

The website wants to show you some cool stuff! check it out:
http://www.google.com/obfuscated?x?ko ,egapemoh tluafed rouy eb ot
stanw=x?/net.tackcradris//:ptth

Some rather popular browser has an issue like this.. and they aint fixing
it.

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

Received on Saturday, 5 December 2009 14:29:19 UTC