Re: css3-fonts: should not dictate usage policy with respect to origin

If there is a corporate font or specialized dingbat font that is only loaded and used when a person has signed into a secure site (for online banking, let's say), then an attacker whose site is open in another window or tab can find out about it using the method Tab described earlier. That is information leakage that would allow the attacker to know when to attack. He could, for instance, pop open a small window that says, "you are about to be automatically signed out. Click OK to stay signed in." And then the OK button would lead to a phishing site that looked just like the online banking site, and a lot of users wouldn't realize it. That is a security risk that has nothing to do with EULAs. 




On Jun 30, 2011, at 1:42 PM, Glenn Adams <glenn@skynav.com> wrote:

> So, as I've previously said, this is only about content protection mechanisms and their enforcement. There is no security risk on the part of the end user (viewer of content rendered with web fonts) that is at stake here.
> 
> On Thu, Jun 30, 2011 at 2:09 PM, John Daggett <jdaggett@mozilla.com> wrote:
> Glenn Adams wrote:
> 
> > So, there is no end-user risk that is being addressed here other than
> > the hypothetical case of violating an EULA? Is that really what all
> > this noise is about?
> 
> No Glenn, this is an information leakage issue, it allows for the
> contents of a font, the glyph data, to be transmitted beyond the
> boundaries specified by an *author* (for example, on an access-limited
> site), not just beyond what is allowed by some form of licensing.

Received on Thursday, 30 June 2011 22:36:42 UTC