RE: Security Evaluation Request

(reading that thread late)

I believe Ben's answer is a reasonable one.
Adding a password "flag" will ease automated spoofing of "password related operations". Whether it is a tolerable additional risk or not remains an open question to me.


-----Original Message-----
From: Ben Gidley []
Sent: Friday 8 April 2016 15:58
To: Gervase Markham; Rich Schwerdtfeger
Cc: GALINDO Virginie; ARIA; Mike Cooper
Subject: Re: Security Evaluation Request

This does make a systematic attack on those password fields a bit easier. At present, if I were to write a malicious browser plugin to capture such passwords, I'd have to find the field on each site (e.g. by finding the label "Password"), so it would be mildly tricky to make it work on all sites. With this ARIA tag I could do that trivially.

I suspect the real-world difference in the ease of writing a password-stealing plugin is minimal, but this is a little bit worse than the current situation. It's probably a tolerable additional risk.

I agree with the comments that we should discourage people from doing this, but given that they are doing it, I'd argue it should be made potentially accessible.

Ben Gidley

On 08/04/2016, 14:38, "Gervase Markham" <> wrote:

>On 06/04/16 21:27, Rich Schwerdtfeger wrote:
>> ARIA is not meant to be the web police. The reality is that people
>> are doing this in the wild and if you are interacting with one of
>> these things and you can’t see the screen you want to know what the
>> intent of the author is.
>So the target of this feature is people who care enough about web
>accessibility to include ARIA roles, but not enough to use semantic markup?
>> So, we agree that people should not do this but if a user encounters
>> it they need to know what it is for. Does adding the role attribute
>> with a value of "password" create a security problem that was not there before?
>Well, it encourages people to use non-password fields for passwords,
>which is arguably a security problem because if people's password
>managers don't save the passwords, they are more likely to use bad
>(simple, short) passwords.
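A defender-side check that follows from the thread above, added here as an example and not taken from any of the messages: it audits markup for fields that carry role="password" without being a native <input type="password">, the discouraged usage Gervase and Ben describe. The function names and the HTML sample are my own constructions.

```javascript
// Added example (not from the thread): audit markup for the anti-pattern the
// thread discusses, a field carrying role="password" that is not a real
// <input type="password">. Such fields get none of the browser's password
// handling (masking, password-manager save), so the check flags them for the
// page owner to fix. The HTML sample below is constructed for this example.

const TAG_RE = /<(input|div|span|textarea)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute string of one tag into a lowercase-keyed object.
function parseAttributes(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Return one finding per element that declares role="password" without being
// a native password input. A native <input type="password"> is not reported,
// even when it also carries the role.
function findPasswordRoleMisuse(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    if ((attrs.role || '').toLowerCase() !== 'password') continue;
    const isNative = tag === 'input' && (attrs.type || '').toLowerCase() === 'password';
    if (isNative) continue;
    findings.push({
      tag,
      id: attrs.id || null,
      type: tag === 'input' ? (attrs.type || 'text').toLowerCase() : null,
      advice: 'Use <input type="password"> so the browser masks the value and password managers can store it.',
    });
  }
  return findings;
}

// Constructed sample: one correct field, one text input misusing the role,
// one contenteditable div misusing the role.
const SAMPLE_HTML = `
<form>
  <input id="pw-ok" type="password" role="password" name="pw">
  <input id="pw-text" type="text" role="password" name="pw2">
  <div id="pw-div" role="password" contenteditable="true"></div>
</form>`;

console.log(findPasswordRoleMisuse(SAMPLE_HTML));
```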

Received on Tuesday, 12 April 2016 11:37:01 UTC