ISSUE-184

chrome vs. content security indicators

Section 9.1 is too broad (security indicators in chrome vs. content)

State: CLOSED
Product: wsc-xit
Raised by: Rachna Dhamija
Opened on: 2008-02-14
Description:
Section 9.1 of wsc-xit states:

"9.1 Do not put Security Indicator images to indicate trust in content

This specification requires that web pages MUST NOT include trust indicating images such as padlocks in the web content."

This statement is too broad, because it includes websites that include secret images (or other shared secrets chosen by the user) to create a trusted path between the user and the website (e.g. SiteKey).

In the spirit of being constructive, here is a re-write that I don't really agree with:
"This specification requires that web pages MUST NOT include images that are designed to indicate trust in the chrome, such as padlocks, in the web content. Web designers may include other images, that do not mimic chrome images, such as shared secret images designed to create a trusted path between the user and the website".

The reason I don't agree completely with the above is that I think images in the content are a GOOD THING. Web designers (and attackers) understand that the user's locus of attention is in the content and that users can't easily distinguish chrome from content. Therefore, a well-placed indicator in the content, and ideally in the path of the user's task, is the best way to communicate a security signal. The root of the problem lies in creating chrome security indicators that can be easily copied, and I don't think we should dictate where they are placed.
Related Action Items:
No related actions
Related emails:
  1. ISSUE-184 (chrome vs. content security indicators): Section 9.1 is too broad (security indicators in chrome vs. content) [wsc-xit] (from sysbot+tracker@w3.org on 2008-02-14)

Related notes:

No additional notes.

Mary Ellen Zurko <mzurko@us.ibm.com>, Chair, Thomas Roessler <tlr@w3.org>, Staff Contact
$Id: 184.html,v 1.1 2010/10/11 09:35:10 dom Exp $