Q: How can you tell when a web font technology has gone mainstream?

A: When a major security research company discovers that scumbags are now using it for their phishing campaigns! (https://www.siliconrepublic.com/enterprise/phishing-web-fonts-fake)

I must admit that using webfonts as a substitution cypher is a clever idea, and I can see some potentially good uses for it (imagine building a secure communication channel where a cypher is switched algorithmically by e.g. using different font style/weights), but it also begs another question to be asked - were we too optimistic when we declared DSIG to be of no significant importance for webfonts / WOFF2? And, do we need to update the "Security considerations" section knowing that webfonts could be much more treacherous ground than we previously imagined?

Thanks,
Vlad

Received on Monday, 14 January 2019 12:44:59 UTC