Re: Web font security issue?

On Wed, Mar 16, 2011 at 12:59 PM, John Hudson <tiro@tiro.com> wrote:
> Chris wrote:
>
>> HTML already allows people to be misled:
>
>> <a href="http://www.givemecash.ca"
>> title="http://scotiabank.ca">scotiabank.ca</a>
>
> True, but using web fonts something like
>
> <a href="http://www.givemecash.ca"
> title="http://scotiabank.ca">scotiabank.ca</a>www.givemecash.ca</a>
>
> could display as text on screen with the appearance 'scotiabank.ca'. The
> security issue is the same, but able to be leveraged in new ways.

Displays where?  In the page?  There's no new leverage here - as Chris
said, the ability to use confusing link text has always existed, and
using webfonts to deliver confusing link text gets you nothing.

Elsewhere in the chrome, the page's styles don't apply.  If the user
looks at the destination in the status bar or the address bar, they'll
get the real address.  If they do a view-source, they'll get
browser-chosen fonts, which will show the link text as normal.

I don't see where any new vulnerability or source of confusion can be
introduced.

~TJ

Received on Wednesday, 16 March 2011 20:52:59 UTC
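
Added example (not part of the original message or thread): a Python check that flags anchors whose visible text or title names a different host than the href, run on the anchor Chris quoted plus a constructed honest link. The names `claimed_host`, `bare`, `LinkAuditor` and `audit` and the www-stripping comparison are assumptions of this example; it reads markup only, so how a web font draws the link text is outside what it sees.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Optional scheme, a dotted host name, then optional port/path/query.
HOST_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", re.I)

def claimed_host(s):
    """Host that a piece of text appears to name, or None if not host-like."""
    m = HOST_RE.match(s.strip())
    return m.group(1).lower() if m else None

def bare(host):  # assumption: www.example.ca and example.ca are the same site
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (source, host named to the user, real href host)
        self._link = None   # state for the <a> currently open
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            try:
                host = urlsplit(a.get("href") or "").hostname or ""
            except ValueError:  # malformed URL: nothing to compare against
                host = ""
            self._link = {"host": host, "title": a.get("title") or "", "text": []}
    def handle_data(self, data):
        if self._link is not None:
            self._link["text"].append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self._link is None:
            return
        link, self._link = self._link, None
        for source, value in (("text", "".join(link["text"])), ("title", link["title"])):
            named = claimed_host(value)
            if named and link["host"] and bare(named) != bare(link["host"]):
                self.findings.append((source, named, link["host"]))

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    return parser.findings

# Constructed input: the anchor quoted in the thread, then an honest link.
SAMPLE = ('<a href="http://www.givemecash.ca" title="http://scotiabank.ca">'
          'scotiabank.ca</a> <a href="http://www.scotiabank.ca/">scotiabank.ca</a>')
```

`audit(SAMPLE)` reports the first anchor twice (once for its text, once for its title) and nothing for the second.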