- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 25 May 2007 11:01:32 +0200
- To: michael.mccormick@wellsfargo.com
- Cc: public-wsc-wg@w3.org

On 2007-05-24 18:25:25 -0500, michael.mccormick@wellsfargo.com wrote:

> Should web security context displays in chrome be rendered by
> base web agent software only, or is it acceptable for plug-ins to
> render it too? If plug-ins render it, what controls need to be
> in place to ensure this doesn't become a new spoofing vector for
> phishing perpetrators?

Plugins are -- just like any other download of software that can
then subvert the user's platform -- a well-known vector to subvert
browsing experiences. At least in Europe, there have been
broadly-known malware attacks in which browser helper objects and
other local code are used to change the web page that is displayed
when somebody does online banking (and other activities); the
security indicators are then kept intact.

So far, we've ruled platform security out of scope. However...

> If this group is willing to tackle it, I believe this issue is
> probably in scope of the WSC charter.

... the element that I'd say is in scope (and that hasn't received a
lot of attention lately) is the user experience while installing
local software, or browser extensions.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>

Received on Friday, 25 May 2007 09:01:35 UTC