- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Thu, 13 Mar 2008 14:01:51 -0400
- To: <michael.mccormick@wellsfargo.com>
- Cc: <public-wsc-wg@w3.org>
- Message-Id: <B6085498-3449-41B0-92FD-767EF198593F@mozilla.com>
Feels like scope creep to me - it seems pretty unlikely that a single site browser would ever be able to claim compliance anyhow, given the lack of most primary chrome. But I guess it's hard to decide either way without specific text to look at.

Cheers,

J

On 13-Mar-08, at 1:54 PM, <michael.mccormick@wellsfargo.com> wrote:

> http://labs.mozilla.com/2007/10/prism/
> http://fluidapp.com/
>
> Should WSC take a position on single site browsers created using tools like Prism or Fluid?
>
> My biggest concern is they give users a false sense of security. "If I double click a desktop icon called Wells Fargo then the application that launches must really be Wells Fargo's." In reality SSBs are just as vulnerable to DNS poisoning, malware, & most other attacks as "normal" browsers.
>
> I would find SSBs more useful from a security perspective if they could launch the underlying browser engine with specific security preferences (no SSLv2, no JavaScript, etc.).
>
> At minimum it seems to me WSC should require SSBs (and other custom browser personas, skins, etc.) MUST always display the same security context indicators as "normal" browsers.
>
> Mike
>
> P.S. Still trying to figure out how this applies to SSB-like custom user agents such as iTunes….
>
> Michael McCormick, CISSP
> Lead Security Architect, Information Security Technologies
> Wells Fargo Bank
>
> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO"
>
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

---

Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Thursday, 13 March 2008 18:02:42 UTC