Re: Single site browsers

Feels like scope creep to me - it seems pretty unlikely that a single  
site browser would ever be able to claim compliance anyhow, given the  
lack of most primary chrome.

But I guess it's hard to decide either way without specific text to  
look at.

Cheers,

J

On 13-Mar-08, at 1:54 PM, <michael.mccormick@wellsfargo.com> wrote:

> http://labs.mozilla.com/2007/10/prism/
> http://fluidapp.com/
>
> Should WSC take a position on single site browsers created using  
> tools like Prism or Fluid?
>
> My biggest concern is they give users a false sense of security.   
> "If I double click a desktop icon called Wells Fargo then the  
> application that launches must really be Wells Fargo's."  In reality  
> SSBs are just as vulnerable to DNS poisoning, malware, & most other  
> attacks as "normal" browsers.
>
> I would find SSBs more useful from a security perspective if they  
> could launch the underlying browser engine with specific security  
> preferences (no SSLv2, no JavaScript, etc.).
>
> At minimum it seems to me WSC should require SSBs (and other custom  
> browser personas, skins, etc.) MUST always display the same security  
> context indicators as "normal" browsers.
>
> Mike
>
> P.S. Still trying to figure out how this applies to SSB-like custom  
> user agents such as iTunes….
>
>
> Michael McCormick, CISSP
> Lead Security Architect, Information Security Technologies
> Wells Fargo Bank
> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF  
> WELLS FARGO"
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Thursday, 13 March 2008 18:02:42 UTC