RE: Favicon anti-pattern

Good writeup. I don't want to lose the fact that we've got this in play, 
so I've put in a pointer to your mail message in our wiki discussion 
space:
http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

<michael.mccormick@wellsfargo.com>
04/20/2007 04:08 PM
To: <Mary_Ellen_Zurko@notesdev.ibm.com>
cc: <public-wsc-wg@w3.org>
Subject: RE: Favicon anti-pattern

Per MEZ's request, I offer the following additional content regarding 
favicons.
 
First, I did find a single paragraph in the current Note (use cases) 
regarding favicons that I feel needs updating:
9.2.5 Favicon
The URL bar may display a logo retrieved from a location specified in the 
web site's content, or discovered in a well known location [favicon]. In 
either case, the choice to display a logo, and what image to use, is at 
the discretion of the visited web site.  In some browsers the favicon logo 
is also displayed in Bookmarks/Favorites listings and associated toolbar 
buttons, window titles, tab titles, and elsewhere.  No central 
organization exists to control or approve these images.
The text I propose we append appears above in red.  (Last 2 sentences for 
those not viewing this email as HTML or who suffer red-blue color blindness).
 
Second, there is the matter of Recommendations.  I personally believe 
favicons undermine security context.  Mary Ellen challenged me to document 
my reasons for this so WSC can possibly document favicons as an 
anti-pattern:
Whether consciously or unconsciously, many users are beginning to view 
favicon logos as security context information.  Specifically, they feel 
that seeing the logo they expected for a particular site is somehow an 
assurance the site is genuine.  Because the logo appears in browser chrome 
rather than the HTML page, it creates an impression that the logo is more 
"official".
 
This is a mistake on the users' part because no central organization 
controls or approves the assignment of favicons to sites.  A malicious 
entity can steal the exact logo used by a legitimate site (or create a 
visually indistinguishable logo) and associate it with a different site 
for impersonation purposes.
 
Favicons are not registered with nor regulated by a central authority. 
Favicons are not cryptographically protected for authenticity or 
integrity.
 
For these reasons, favicon use on web sites requiring user trust should be 
considered a security anti-pattern.  Favicons undermine the web security 
context display in two ways.  First, they appear to provide security 
context but in reality do not.  Second, they blur the distinction between 
chrome and content.
 
Favicons could be made more secure if they were drawn from a logo registry 
controlled by a central authority, or perhaps tied to signed DNSSEC 
records, and browsers were changed to only display approved and 
cryptographically protected favicons.  The central authority would have to 
prevent two sites from using visually similar logos.
 
Finally, it's worth noting that logographic extensions to X.509, which 
many sites plan to use in future to visually brand their SSL certificates, 
suffer from many of the same security problems as favicons.
I welcome feedback.  I have not entered any of this in the wiki because I 
feel it needs some group discussion first.
 
Thanks, Mike
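As an added illustration (not part of Mike's message or any WSC deliverable), the following Python sketches the two sides of his argument: how a favicon is located today (the page's own link element, else the well-known location, with nothing binding the image to the site) and how the proposed "registry-approved, cryptographically protected" policy would behave. The registry authority key, the sample page, the icon bytes and the look-alike origin are all constructed; the registry uses an HMAC tag only to stay stdlib-only, where a real registry would publish public-key signatures.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed registry-authority key. A real registry would publish public-key
# signatures; HMAC is used here only to keep the example stdlib-only.
REGISTRY_KEY = b"constructed-registry-signing-key"


def icon_digest(icon_bytes: bytes) -> str:
    """Content hash identifying one exact favicon image."""
    return hashlib.sha256(icon_bytes).hexdigest()


def registry_tag(origin: str, digest: str) -> str:
    """Authority tag over (origin, digest): binds the icon to a single origin."""
    return hmac.new(REGISTRY_KEY, f"{origin}\n{digest}".encode(), hashlib.sha256).hexdigest()


def make_entry(origin: str, icon_bytes: bytes) -> dict:
    """What the registry would publish for an approved (origin, icon) pair."""
    digest = icon_digest(icon_bytes)
    return {"origin": origin, "digest": digest, "tag": registry_tag(origin, digest)}


class _IconLinkParser(HTMLParser):
    """Finds the first <link rel="icon"> or rel="shortcut icon" href in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.href = None

    def handle_starttag(self, tag, attrs):
        if tag != "link" or self.href is not None:
            return
        a = dict(attrs)
        rel_tokens = (a.get("rel") or "").lower().split()
        if "icon" in rel_tokens and a.get("href"):
            self.href = a["href"]


def favicon_url(page_url: str, html: str) -> str:
    """Today's lookup: page-specified <link>, else the well-known /favicon.ico."""
    parser = _IconLinkParser()
    parser.feed(html)
    if parser.href:
        return urljoin(page_url, parser.href)
    parts = urlsplit(page_url)
    return f"{parts.scheme}://{parts.netloc}/favicon.ico"


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def favicon_approved(page_url: str, icon_bytes: bytes, entry: dict) -> bool:
    """True only if the entry names this exact origin and this exact icon and
    carries a valid authority tag. The same logo on another origin fails."""
    origin = origin_of(page_url)
    digest = icon_digest(icon_bytes)
    if entry.get("origin") != origin or entry.get("digest") != digest:
        return False
    return hmac.compare_digest(entry.get("tag", ""), registry_tag(origin, digest))


def chrome_favicon(page_url: str, icon_bytes: bytes, entry: dict, approved_only: bool):
    """Decide what the browser chrome shows.
    approved_only=False: today's behaviour, whatever the site serves is displayed.
    approved_only=True: the proposed policy, registry-approved icons only."""
    if not approved_only or favicon_approved(page_url, icon_bytes, entry):
        return icon_bytes
    return None


# Constructed sample data: a bank's page and icon, and a look-alike origin that
# serves a byte-for-byte copy of the same icon.
BANK_ICON = b"\x00\x00\x01\x00" + b"constructed-bank-logo-bytes"
BANK_PAGE = '<html><head><link rel="shortcut icon" href="/img/logo.ico"></head></html>'
BANK_ENTRY = make_entry("https://bank.example", BANK_ICON)
LOOKALIKE = "https://bank-example.test/login"

if __name__ == "__main__":
    print(favicon_url("https://bank.example/login", BANK_PAGE))
    print("genuine site, approved-only policy:",
          chrome_favicon("https://bank.example/login", BANK_ICON, BANK_ENTRY, True) is not None)
    print("look-alike site, today's behaviour:",
          chrome_favicon(LOOKALIKE, BANK_ICON, BANK_ENTRY, False) is not None)
    print("look-alike site, approved-only policy:",
          chrome_favicon(LOOKALIKE, BANK_ICON, BANK_ENTRY, True) is not None)
```

The point the code makes is the one in the message: under today's behaviour the look-alike origin gets the bank's logo in chrome simply by serving the same bytes, while under the registry policy the tag binds the digest to one origin, so a copied icon, a copied registry entry with the origin swapped, or an altered image all fail the check. What the code cannot solve is the visual-similarity problem the message also raises: a different logo that merely looks alike passes every cryptographic test, which is why the authority itself would have to refuse confusable images.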

Received on Friday, 20 April 2007 21:30:28 UTC