Re: Available security information section clarification from Serge Egelman on 2007-04-09 (public-wsc-wg@w3.org from April 2007)

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Mon, 09 Apr 2007 09:44:15 -0400
To: "Close, Tyler J." <tyler.close@hp.com>, public-wsc-wg@w3.org
Message-ID: <461A432F.9020502@cs.cmu.edu>

There's another attack that has to do with whether the page has finished 
rendering:

A lot of anti-phishing tools won't examine the page until it has 
completed rendering.  This leads to an attack where the phisher can 
include code to force the page to take an infinite time to load, thus 
causing the indicator to fail.  I wrote about this here:
http://lorrie.cranor.org/pubs/toolbars.html

serge

Thomas Roessler wrote:
> On 2007-04-05 00:34:00 -0000, Close, Tyler J. wrote:
> 
>> I've edited the "Available security information" section in
>> accordance with the discussion that generated ACTION-157. In
>> particular, I've added some preamble text describing the
>> structure of the section and broadened the "Provided by HTML"
>> section into "Provided by web content". I've also added an entry
>> to "Provided by user agent" for "Has the page completed
>> rendering?" This last item comes out of the white text on a white
>> background case that results from failing to fetch a stylesheet.
> 
> That's a fascinating attack vector.  But consider what happens if a
> user stylesheet is in place that sets the text color to white,
> globally, and with an "!important" declaration...
> 
> I guess what all this boils down to is the question whether a page
> as rendered to a particular user "looks" the way it was intended.
> And that, in turn, leads us directly here:
> 
>   http://www.w3.org/TR/webarch/#pci
> 
> I wonder if we really want to go down that particular direction of
> discussion...
> 
> Coming back to the "has page complete rendering" piece of context, I
> wonder if there is a security-related motivation for looking at it
> that is different from the issues that you get when content can be
> presented in multiple ways, possibly by way of multiple modalities.
> 
> If there is no such motivation, then I'd respectfully suggest we
> drop it.
> 

-- 
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Monday, 9 April 2007 13:45:30 UTC