- From: Henrich C. Pöhls <newsletter@2000grad.com>
- Date: Fri, 21 Jan 2011 11:03:07 +0100
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Giorgio Maone <g.maone@informaction.com>, Michal Zalewski <lcamtuf@coredump.cx>, Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>, "Henrich C. Pöhls" <hp@sec.uni-passau.de>
Dear all,

On 21.01.2011 at 10:25, gaz Heyes wrote:

> On 21 January 2011 07:32, Giorgio Maone <g.maone@informaction.com> wrote:
>
>>> ...but the response to any solutions that require any UI logic was
>>> overwhelmingly negative.
>>
>> Well, just a few days later a quite similar concept was implemented and
>> successfully shipped:
>>
>> http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/
>
> ClearClick is great: it prevents clickjacking very well and gives a clear
> indicator to override and allow. </endorsement>
>
> To prevent "like" buttons being used without a user's knowledge they really
> need to become part of the browser UI, or external content needs to be
> highlighted in such a way that it's clear to the user, e.g. an iframe shouldn't be
> able to be styled in such a way that its dimensions are too small, and
> elements should not overlay it. The iframe itself needs to be clear about where
> it's coming from; I've mocked up a way to highlight an iframe's domain:
>
> <http://www.businessinfo.co.uk/labs/test_files/iframe-indicator.png>
>
> So when some content is intended to be included in a web site with
> X-Frame-Options:Allow, then the iframe indicator shows and prevents the
> iframe from being resized to very small dimensions, and it should always
> appear on top of any content and within the screen area.

This is a nice mockup and a nice UI extension. I would like to see another
addition to this iframe indicator: TLS certificate verification information.

By this I mean that if the iframe was delivered over https, from a different
location than the site, then it should be communicated to the user where it
comes from. At the moment, any nested SSL verification is done under the
hood, and positive verification results cannot be seen by the user. Of course
browsers flag a warning if there are negative results.

Hence, with existing UIs a user cannot see on the checkout page of a merchant
whether the iframe-embedded credit card data field comes from the
"Verified-By-Visa" process or from a phisher.

For more details, I had a paper on this at GI Sicherheit 2010:
<http://web.sec.uni-passau.de/papers/2010_Poehls_Show_Multiple_SSL_Certificate_Verifications_GI-Sicherheit.pdf>

So I suggest that the domain is shown with the same UI highlighting and
UI indicator elements (padlocks…) that the address bar uses to communicate
the TLS certificate verification. And of course clicking the iframe indicator
takes the user directly to the verified certificate details.

Best Regards,
Henrich C. Pöhls

---
Dipl.-Inform. M.Sc. Info.-Security Henrich C. Poehls
Research Assistant
Institute of IT-Security and Security Law (ISL)
University of Passau, Innstr. 43, 94032 Passau, Germany
Tel: +49 851 - 509 3217
<http://web.sec.uni-passau.de/members/henrich>
<mailto:hp@sec.uni-passau.de>
Received on Saturday, 22 January 2011 07:06:42 UTC
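As an added example that is not part of this thread or of any of the projects it mentions: the checks a browser-side frame indicator of the kind discussed above would need to run over a page's embedded frames, written as plain JavaScript. It flags a frame as cross-origin, as an https frame whose own certificate verification the address bar never shows, as mixed content, and as too small, transparent or covered to be noticed. The frame objects, hostnames, sizes and the two thresholds are constructed assumptions; in a browser the same fields would be read from each iframe's src, bounding rectangle and computed style.

```javascript
// Added illustration: a defender-side audit of the frames embedded in a page,
// covering the conditions raised in the thread. Frames are plain objects so
// the code runs in Node without a DOM; in a browser the same fields would come
// from an <iframe>'s src, getBoundingClientRect() and getComputedStyle().
// All hostnames, sizes and thresholds below are constructed for the example.

const MIN_FRAME_PX = 100;  // assumed threshold for "too small to notice"
const MIN_OPACITY = 0.5;   // assumed threshold for "effectively hidden"

// scheme + host (+ explicit port): the origin an indicator would display
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Audit one embedded frame against the page that embeds it.
// Returns the origin the indicator should show plus a list of findings.
function auditFrame(pageUrl, frame) {
  const pageOrigin = originOf(pageUrl);
  const frameOrigin = originOf(frame.src);
  const pageHttps = new URL(pageUrl).protocol === 'https:';
  const frameHttps = new URL(frame.src).protocol === 'https:';
  const crossOrigin = pageOrigin !== frameOrigin;
  const findings = [];

  if (crossOrigin) findings.push('cross-origin');
  // A cross-origin https frame had its own certificate verified, but the
  // address bar only reflects the top-level site: this is the gap the
  // proposed indicator would close.
  if (crossOrigin && frameHttps) findings.push('nested-tls-not-shown');
  // Plain-http frame inside an https page: browsers already warn on this.
  if (pageHttps && !frameHttps) findings.push('mixed-content');
  if (frame.width < MIN_FRAME_PX || frame.height < MIN_FRAME_PX) findings.push('too-small');
  if (frame.opacity !== undefined && frame.opacity < MIN_OPACITY) findings.push('low-opacity');
  if (frame.covered) findings.push('overlaid');

  return { src: frame.src, frameOrigin, crossOrigin, findings };
}

// Audit every frame of a page; returns one result object per frame.
function auditPage(pageUrl, frames) {
  return frames.map((f) => auditFrame(pageUrl, f));
}

// Constructed sample: a merchant checkout page embedding four frames.
const SAMPLE_PAGE = {
  url: 'https://shop.example.test/checkout',
  frames: [
    // card-entry form served by a separate payment host over https
    { src: 'https://pay.example-bank.test/card-form', width: 400, height: 300, covered: false },
    // same-origin cart summary: nothing to flag
    { src: 'https://shop.example.test/cart-summary', width: 600, height: 200, covered: false },
    // third-party "like" button shrunk, made transparent and covered by page content
    { src: 'https://like.example-social.test/button', width: 20, height: 20, opacity: 0, covered: true },
    // ad banner fetched over plain http inside an https page
    { src: 'http://ads.example-ads.test/banner', width: 300, height: 250, covered: false },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditPage(SAMPLE_PAGE.url, SAMPLE_PAGE.frames)) {
    console.log(`${r.frameOrigin}: ${r.findings.length ? r.findings.join(', ') : 'ok'}`);
  }
}
```

Run with `node` to print one line per frame. The origin comparison deliberately keeps the scheme and port, because a frame that differs only in scheme is exactly the case in which the nested certificate verification (or its absence) matters to the user.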