- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Thu, 27 Sep 2007 10:40:49 -0400
- To: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
It came up while discussing the robustness section of the draft recommendations that "whack-a-mole" attacks were being referenced without definition. Here goes:

--

A "whack-a-mole attack" refers to a type of malicious website which attempts to perform some other action (e.g. installing software) which normally requires user intervention (e.g. by clicking OK on a warning dialog) by exploiting distraction and task-focus. The web site deliberately creates a large number of dialog boxes (real or synthesized with web content) in front of some desirable content, motivating the user to attempt to dismiss the dialogs rapidly, without inspecting their contents. Among the many irrelevant dialog boxes, however, will be the one presented by the user agent indicating the need for a trust decision. The expectation of the attacker is that, being focused exclusively on getting rid of the dialog boxes, the user will not take the necessary care to make meaningful trust decisions when they reach the legitimate warning dialog.

--

Too wordy? I resisted giving etymology of the name, easy enough to google that part.

J

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Thursday, 27 September 2007 14:41:09 UTC
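The following is an added example, not code from the message above or from the W3C WSC draft. It models one way a user agent can make a trust dialog resist the clicking pattern described in the definition: an unconditional security delay during which the accept control is disabled, plus an extension of that delay when the user has just dismissed a burst of user-agent dialogs. The class and function names, the event format and every threshold are assumptions chosen for illustration; the example replays a constructed event log rather than driving a real dialog.

```javascript
// Added example (not from the original message or the W3C WSC draft): a small
// model of a user-agent policy for a trust dialog, e.g. a software-install
// prompt, that is meant to survive "whack-a-mole" clicking.
// Two mechanisms, both assumptions chosen for illustration:
//   1. an unconditional security delay: the accept control is disabled for a
//      fixed time after the dialog opens, so a click that was already on its
//      way toward the previous dialog's button does nothing;
//   2. a burst detector: if the user dismissed several user-agent dialogs in
//      the last few seconds, the delay for the next trust dialog is extended.
// Only dialogs the user agent rendered itself (e.g. script alerts) can be
// counted; decoys synthesized from ordinary web content are invisible to the
// user agent, which is why mechanism 1 must not depend on mechanism 2.

const SECURITY_DELAY_MS = 1000;   // baseline: accept disabled for 1 s (assumed value)
const BURST_WINDOW_MS   = 5000;   // look-back window for counting dismissals
const BURST_THRESHOLD   = 3;      // this many dismissals in the window = burst
const BURST_PENALTY_MS  = 2000;   // extra delay added while a burst is in effect

class TrustDialogPolicy {
  constructor() {
    this.dismissals = []; // timestamps (ms) of user-agent dialogs the user dismissed
  }

  // Record that the user dismissed a user-agent dialog at time t.
  recordDismissal(t) {
    this.dismissals.push(t);
  }

  // Number of dismissals in the window ending at t; entries outside it are dropped.
  recentDismissals(t) {
    this.dismissals = this.dismissals.filter((d) => d <= t && t - d <= BURST_WINDOW_MS);
    return this.dismissals.length;
  }

  // How long the accept control stays disabled for a trust dialog opened at t.
  requiredDelay(t) {
    const burst = this.recentDismissals(t) >= BURST_THRESHOLD;
    return SECURITY_DELAY_MS + (burst ? BURST_PENALTY_MS : 0);
  }

  // Decide whether an "accept" click at clickTime on a trust dialog opened at
  // openTime is honoured. A click inside the delay is ignored rather than
  // treated as cancel, so the dialog stays up and the user has to look at it.
  decide(openTime, clickTime) {
    const delay = this.requiredDelay(openTime);
    const waited = clickTime - openTime;
    return { honoured: waited >= delay, delay, waited };
  }
}

// Replay a constructed event log. Event types (assumed format):
//   'dismiss'    - the user dismissed a user-agent dialog at time t
//   'trust-open' - the trust dialog was opened at time t
//   'accept'     - the user clicked accept on the trust dialog at time t
// Returns the policy decision for each accept event, in order.
function replay(events) {
  const policy = new TrustDialogPolicy();
  const decisions = [];
  let openTime = null;
  for (const ev of events) {
    if (ev.type === 'dismiss') {
      policy.recordDismissal(ev.t);
    } else if (ev.type === 'trust-open') {
      openTime = ev.t;
    } else if (ev.type === 'accept' && openTime !== null) {
      decisions.push(policy.decide(openTime, ev.t));
    }
  }
  return decisions;
}

// Constructed scenario 1: the site pops decoy alerts, the user hammers OK,
// the trust dialog opens at 1800 ms and gets clicked 400 ms later.
const WHACK_A_MOLE = [
  { t: 0,    type: 'dismiss' },
  { t: 500,  type: 'dismiss' },
  { t: 900,  type: 'dismiss' },
  { t: 1400, type: 'dismiss' },
  { t: 1800, type: 'trust-open' },
  { t: 2200, type: 'accept' },   // burst in effect: 400 ms < 3000 ms, ignored
  { t: 5000, type: 'accept' },   // 3200 ms >= 3000 ms, honoured
];

// Constructed scenario 2: no decoys, the user reads for 1.2 s and accepts.
const CALM_USER = [
  { t: 0,    type: 'trust-open' },
  { t: 1200, type: 'accept' },   // 1200 ms >= 1000 ms baseline, honoured
];

console.log(JSON.stringify({ whackAMole: replay(WHACK_A_MOLE), calmUser: replay(CALM_USER) }));
```

The point of ignoring (rather than cancelling on) an early click is that the legitimate dialog remains in front of the user once the decoys have stopped, which is the moment the attacker was counting on the user not having. A real implementation would also restart the delay whenever the dialog loses and regains focus, since a decoy can be raised on top of the trust dialog mid-delay.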