Re: css3-fonts: should not dictate usage policy with respect to origin

On Thu, Jun 30, 2011 at 3:35 PM, Brad Kemper <> wrote:
> If there is a corporate font or specialized dingbat font that is only loaded
> and used when a person has signed into a secure site (for online banking,
> let's say), then an attacker whose site is open in another window or tab can
> find out about it using the method Tab described earlier. That is
> information leakage that would allow the attacker to know when to attack. He
> could, for instance, pop open a small window that says, "you are about to be
> automatically signed out. Click OK to stay signed in." And then the OK
> button would lead to a phishing site that looked just like the online
> banking site, and a lot of users wouldn't realize it. That is a security
> risk that has nothing to do with EULAs.

In other words, betting that a particular filetype will never be used
in malicious attacks is a good way to lose money.  ^_^


Received on Thursday, 30 June 2011 22:39:12 UTC