Re: ACTION6: URL display as anti-pattern

I agree, and it's a tricky point (which I don't think subsequent 
discussion has brought out sufficiently). We'll tend to see everything 
through usable security glasses. Some things in web user agents will be 
there for other reasons. Reasons we may not be expert enough to properly 
evaluate (though we'll certainly be able to say something about their 
impact on usable security). The browser vendor representatives here will 
be critical to ensuring that we do not make recommendations that cannot be 
followed, because they do not sufficiently take into account the many 
other requirements a web user agent needs to satisfy. 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




"Michael(tm) Smith" <mikes@opera.com> 
Sent by: public-wsc-wg-request@w3.org
12/06/2006 07:47 AM

To: W3 Work Group <public-wsc-wg@w3.org>
Subject: Re: ACTION6: URL display as anti-pattern

"Close, Tyler J." <tyler.close@hp.com>, 2006-12-04 13:51 -0600:

> Domain names can be very deceptive: www.bankofthevvest.com,
> paypal.secure.com, paypa1.com, etc.  We need to provide the user
> with a site identifier which will not attempt to deceive the
> user. This means we can't use text that came from the potential
> attacker.
> 
> Frankly, I think we would be better off removing the Location bar from
> the default browser user interface. I think it does more harm than good.
> 
> Thoughts? Would Konqueror seriously consider dropping the Location bar
> from the default user interface? Or is it too big a change? Pushing in
> this same direction, I'd like to see the browser move all potentially
> misleading data out of the chrome area, providing a graphically clear
> dividing line between what is reliable and what is suspect.

The URL information in the location bar is useful for more than
just providing security-context information, and I think users
might lose more if it were suppressed than they gain by having it
displayed. I think in general that in deciding what should and
should not be displayed in the browser chrome, the criteria that
need to be considered are more than just whether the data can be
abused to provide potentially misleading data.

  --Mike

Received on Monday, 11 December 2006 16:08:36 UTC