- From: Dan Schutzer <dan.schutzer@fstc.org>
- Date: Thu, 7 Dec 2006 07:25:54 -0500
- To: "'Amir Herzberg'" <herzbea@macs.biu.ac.il>, "'Stephen Farrell'" <stephen.farrell@cs.tcd.ie>
- Cc: "'Close, Tyler J.'" <tyler.close@hp.com>, "'W3 Work Group'" <public-wsc-wg@w3.org>
Or block suspect content (e.g. unsigned by a trusted party) when the browser is placed in a safe mode - the kind of mode one might want to go in when dealing with one's bank

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Amir Herzberg
Sent: Thursday, December 07, 2006 1:53 AM
To: Stephen Farrell
Cc: Close, Tyler J.; W3 Work Group
Subject: Re: ACTION6: URL display as anti-pattern

Stephen Farrell wrote:
> Close, Tyler J. wrote:
>> My perspective is that the difference between chrome and page area
>> should be the difference between "browser says" and "web site says".
>
> Nice distinction.

Too nice. Our experiments show quite clearly: users do not make the distinction between the chrome and the web page. I don't think this is (only) due to the fact that sites control the location bar (and possibly other parts of the chrome).

Unfortunately, this implies that whatever we do in this group, it will only be of partial help. To really solve phishing, spoofing and other website attacks, we need to block suspect content in the first place. I think that's the long term solution (and am working towards making appropriate tools - again, a relatively long term goal). However, imho this is not in the scope of this WG.

Another implication, imho, is that any attempt by us to recommend a dramatic change on the chrome, e.g. remove the location bar, has the potential to cause vendors to ignore (possibly all of) our recommendations. This adds to the (limited) security value of the location bar, which I'll address in another note (in response to Tyler).

Best, Amir Herzberg
Received on Thursday, 7 December 2006 12:26:17 UTC