- From: <michael.mccormick@wellsfargo.com>
- Date: Thu, 13 Mar 2008 12:54:23 -0500
- To: <public-wsc-wg@w3.org>
- Message-ID: <9D471E876696BE4DA103E939AE64164D01043FC1@msgswbmnmsp17.wellsfargo.com>
http://labs.mozilla.com/2007/10/prism/
http://fluidapp.com/

Should WSC take a position on single site browsers created using tools like Prism or Fluid?

My biggest concern is they give users a false sense of security. "If I double click a desktop icon called Wells Fargo then the application that launches must really be Wells Fargo's." In reality SSBs are just as vulnerable to DNS poisoning, malware, & most other attacks as "normal" browsers.

I would find SSBs more useful from a security perspective if they could launch the underlying browser engine with specific security preferences (no SSLv2, no JavaScript, etc.).

At minimum it seems to me WSC should require SSBs (and other custom browser personas, skins, etc.) MUST always display the same security context indicators as "normal" browsers.

Mike

P.S. Still trying to figure out how this applies to SSB-like custom user agents such as iTunes....

> Michael McCormick, CISSP
> Lead Security Architect, Information Security Technologies
> Wells Fargo Bank
> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS
> FARGO"
> This message may contain confidential and/or privileged information.
> If you are not the addressee or authorized to receive this for the
> addressee, you must not use, copy, disclose, or take any action based
> on this message or any information herein. If you have received this
> message in error, please advise the sender immediately by reply e-mail
> and delete this message. Thank you for your cooperation.
Received on Thursday, 13 March 2008 17:55:56 UTC