- From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Thu, 14 Feb 2008 20:51:47 +0000 (GMT)
- To: public-wsc-wg@w3.org
ISSUE-184 (chrome vs. content security indicators): Section 9.1 is too broad (security indicators in chrome vs. content) [wsc-xit] http://www.w3.org/2006/WSC/track/issues/ Raised by: Rachna Dhamija On product: wsc-xit Section 9.1 of wsc-xit states: "9.1 Do not put Security Indicator images to indicate trust in content This specification requires that web pages MUST NOT include trust indicating images such as padlocks in the web content." This statement is too broad, because it includes websites that include secret images (or other shared secrets chosen by the user) to create a trusted path between the user and the website (e.g. SiteKey). In the spirit of being constructive, here is re-write that I don't really agree with: "This specification requires that web pages MUST NOT include images that are designed to indicate trust in the chrome, such as padlocks, in the web content. Web designers may include other images, that do not mimic chrome images, such as shared secret images designed to create a trusted path between the user and the website". The reason I don't agree completely with the above is that I think images in the content are a GOOD THING. Web designers (and attackers) understand that the user's locus of attention is in the content and that users can't easily distinguish chrome from content. Therefore, a well placed indicator in the content and ideally in the path of the user's task, is the best way to communicate a security signal. The root of the problem lies in creating chrome security indicators can be easily copied, and I don't think we should dictate where they are placed.
Received on Thursday, 14 February 2008 20:51:53 UTC