RE: Favicon as secure chrome from Close, Tyler J. on 2008-09-15 (public-wsc-wg@w3.org from September 2008)

From: Close, Tyler J. <tyler.close@hp.com>
Date: Mon, 15 Sep 2008 21:57:33 +0000
To: Mike Beltzner <beltzner@mozilla.com>
CC: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Message-ID: <1A961C2CE8A6F041856127ED3EA677261E6444A328@GVW0538EXC.americas.hpqcorp.net>

I think the current Firefox 3.0 implementation violates the recommendation's restrictions on displaying content in chrome.

"Web Security Context: User Interface Guidelines - 7.2 Do not mix content and security indicators"
<http://www.w3.org/TR/wsc-ui/#site-identifying>

A discussion of this topic might help us evaluate how useful the current text of this recommentation is; specifically, the line that says:

"Site-controlled content (e.g. page title, favicon) MAY be hosted in chrome, but this content MUST NOT be displayed in a manner that confuses hosted content and chrome indicators."

In this case, the favicon is used as a secure chrome button. To me, that seems like a clear violation. Does the rec text provide a clear answer in this case?

This rec text was previously at:

"Web Security Context: User Interface Guidelines - 7.2 Do not mix content and security indicators"
<http://www.w3.org/TR/wsc-xit/#site-identifying>

--Tyler

-----Original Message-----
From: Mike Beltzner [mailto:beltzner@mozilla.com]
Sent: Wednesday, September 03, 2008 5:12 PM
To: Close, Tyler J.
Cc: public-wsc-wg@w3.org
Subject: Re: Favicon as secure chrome

On 3-Sep-08, at 7:23 PM, Close, Tyler J. wrote:

> Firefox 3 displays a site's specified favicon in its Identity Signal,
> located to the left of the address bar. This icon is also the button
> which is clicked to get additional authentication information.
> Needless to say, an attacker could register a domain like
> mountainamerica.com and use the favicon of Mountain America Credit
> Union, and similarly for any other site to be impersonated.
> There is no reason to believe that the specified favicon is
> trustworthy information. The user is being deceived by this
> presentation.

And if they did so, clicking the button would claim that there was no additional security context information.

To have the dialog make any claims of significance, the user would also have to obtain an EV certificate for Mountain America Credit Union.

cheers,
mike

Received on Monday, 15 September 2008 22:00:08 UTC