RE: Rec Proposal: Separate in-browser editor for entry of Personally Identifiable Information (PII)

Hi Shawn, 

Shawn Duffy wrote:
> I'd be interested in hearing more about this...  Do you have 
> any URLs I could check out for some more background info?

I've implemented the Petname Tool part of the proposal as a Firefox
addon. You can find it at:
 
https://addons.mozilla.org/en-US/firefox/addon/957

The only documentation I have for the rest of the proposal is the
emails I've sent to this list. Hopefully we'll be spending a lot more
time documenting this concept though. ;)

> I don't want to get too mired in the technical description 
> but...  I can see how this might foil a phishing "site", per 
> se, but would it also be able to foil instances where a 
> phishing form is injected via XSS into a trusted site?

Not as described in the email I sent. I think XSS attacks are
problematic to solve in the web user agent. The problem is that the user
agent really has no way of knowing whether or not a FORM was generated
by the host on purpose, or by accident. There are both legitimate and
nefarious reasons for changing the target of a FORM post.

I think there are some things that could be done at the HTML level to
make page authors less vulnerable to XSS when quoting content received
from others, but that's not in scope for this WG. For example, it would
be nice to be able to declare in the <HEAD> of an HTML document that the
<BODY> will not accept any PII identifiers. The browser could then
notice the contradiction if, through an XSS attack, a login FORM is
presented. Hopefully the new HTML WG will take on this topic. 

Given the constraints of this WG's charter, I suspect we're only in a
position to do something about imposter web sites, rather than hacked
web sites. That said, just doing something positive about imposter web
sites is a big step forward.

Tyler

Received on Thursday, 29 March 2007 22:56:59 UTC
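
The HEAD declaration idea in the message above, sketched as an added example that is not part of the original email or of any specification: a checker that reports PII-looking inputs on a page whose `<HEAD>` declared it accepts none. The `pii-policy` meta name, the PII heuristics and the `.example` URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

POLICY_NAME = "pii-policy"  # hypothetical <meta> name; no such standard exists
PII_TYPES = {"password", "email", "tel"}          # assumed heuristic
PII_NAME_HINTS = ("pass", "pwd", "ssn", "card")   # assumed heuristic

# Constructed sample: a guestbook page whose quoted content carries a login FORM.
SAMPLE = """<html><head><meta name="pii-policy" content="none"></head><body>
<form action="/comment"><input type="text" name="comment"></form>
<form action="https://other.example/collect">
<input type="text" name="user"><input type="password" name="pw"></form>
</body></html>"""

class PIIPolicyChecker(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.in_head = self.declared_no_pii = False
        self.form_action = None   # resolved action of the enclosing <form>
        self.violations = []      # (field name, post target, cross_origin)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head:  # the declaration lives in <HEAD>
            if (a.get("name", "").lower(), a.get("content", "").lower()) == (POLICY_NAME, "none"):
                self.declared_no_pii = True
        elif tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and self.declared_no_pii and looks_like_pii(a):
            # Contradiction: the page said "no PII" yet presents a PII field.
            target = self.form_action or self.page_url
            cross = urlsplit(target).netloc != urlsplit(self.page_url).netloc
            self.violations.append((a.get("name", ""), target, cross))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
        elif tag == "form":
            self.form_action = None

def looks_like_pii(a):
    name = a.get("name", "").lower()
    return a.get("type", "text").lower() in PII_TYPES or any(h in name for h in PII_NAME_HINTS)

def check_page(html, page_url):
    checker = PIIPolicyChecker(page_url)
    checker.feed(html)
    return checker.violations
```

Because the check keys on the page's own declaration rather than on where the FORM posts, it flags same-origin PII fields as well; the `cross_origin` flag is reported only as extra context.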