Re: Security of Autocomplete - Good News! from Chaals Nevile on 2018-02-28 (w3c-wai-gl@w3.org from January to March 2018)

From: Chaals Nevile <chaals@yandex.ru>
Date: Wed, 28 Feb 2018 18:43:21 +0100
To: "John Foliot" <john.foliot@deque.com>, WCAG <w3c-wai-gl@w3.org>, "Alastair Campbell" <acampbell@nomensa.com>
Cc: "stommepoes@stommepoes.nl" <stommepoes@stommepoes.nl>, Léonie Watson <tink@tink.uk>
Message-ID: <op.ze5p6jn4nd6f5a@ordhord.home>

On Wed, 28 Feb 2018 18:33:42 +0100, Alastair Campbell
<acampbell@nomensa.com> wrote:

> John wrote:
>
>> RE: Horizontal Security Review: I think that the time is *now* (as  
>> other specs come to APA for >their accessibility horizontal review at  
>> around this same time - i.e. CR or sooner).
>
> Maybe it has been submitted already, but noted, I’ll ask about that.

Not sure where it would have been submitted. You could check with the  
Security IG, or look in the security considerations section(s) of relevant  
specs.

>> I am stunned that the browsers have not addressed this *STILL*.
>
> I’m a bit surprised given the mainstream press on it, and it does put  
> this SC in a difficult position.

I'm sad rather than surprised.

> I would be interested to know from Charles or Léonie:
>
> * Is there active work on the issue of phishing user-data via  
> autocomplete? [1]

Not that I know of. It would be very helpful if you filed the relevant  
issues (since you have a head start on us in understanding the problem, so  
have more chance to get the framing right first-time.

> * Where would a suitable place for that discussion to happen?

https://github.com/w3c/html/issues

> It occurs to me a good solution to prevent the phishing would be to add  
> visible (foreground) symbols next to fields which can be autocompleted,  
> a bit like Lastpass adds an icon inside of username/password inputs.

Some browsers do something like this. I am pretty sure it is the case, for  
example, for Yandex browser.

> The browser could ensure
> the symbols are shown even if the inputs were hidden.  If those symbols  
> were user-configurable, that would also help with the personalisation  
> aspects as well (or at least be compatible).

> 1] the trigger for this discussion was a comment about this article:
> https://www.digitaltrends.com/computing/browser-bug-can-fill-in-personal-information-in-hidden->fields/
> If you fill in an autocomplete field (e.g. name), the site can have  
> visually hidden fields with >email, password, credit card number etc. It  
> can grab that data without the user realising because >it is  
> auto-populated.

That rings a bell, actually. I'll have a search through the HTML issues  
history...

cheers

-- 
Using Opera's mail client: http://www.opera.com/mail/

Received on Wednesday, 28 February 2018 17:43:57 UTC