Unforgeable dialog.

Alex Iliev sasho at cs.dartmouth.edu
Fri Feb 3 00:02:15 EST 2006


James A. Donald wrote:
>     --
> One needs to differentiate dialogs brought up from within the browser
> client, which are trustworthy unless one is infected with malware,
> from popups brought up by some other web page. (Of course if popups
> are disabled except for specific sites, this is considerably less of a
> problem.)
> 
> How would one construct a dialog from within Firefox so that it is
> obviously different from any unprivileged web page that attempts to
> imitate it?

This was exactly what a project in our lab addressed, a few years ago.
Check out "Trusted Paths for Browsers" at
http://www.cs.dartmouth.edu/~sws/research/pubs.shtml. The approach was
to have trusted windows' frames flash randomly but in synchrony with an
indicator window which is inaccessible to JavaScript etc. The flashing
pattern is inaccessible to unprivileged code, so cannot be spoofed.
Includes some user studies.

Alex

-- 
Alex Iliev <sasho at cs.dartmouth.edu>
Dartmouth College Computer Science
http://www.cs.dartmouth.edu/~sasho/
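
A small model of the scheme described in the message above, added here as an illustration (it is not part of the original post and is not code from the Dartmouth paper or from any browser). It contrasts a fixed blink, which page content can copy, with a per-frame random border that only browser-owned windows can read. All function names and the one-bit-per-frame border model are assumptions.

```javascript
// Added model of the synchronized-border idea; not code from the paper or any browser.
// Web Crypto is global in browsers and Node 19+; fall back for older Node.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const randomBit = () => wc.getRandomValues(new Uint8Array(1))[0] & 1;

// Browser-owned pattern source (hypothetical). The current border style lives
// in a closure; only code handed `read` (indicator, trusted dialogs) sees it.
function makePatternSource(nextBit) {
  let style = 0;
  return { tick() { style = nextBit(); }, read: () => style };
}

// Run `ticks` frames and return the first frame at which `windowStyle(t)`
// differs from the indicator window, or -1 if it stayed in sync throughout.
function firstDesync(source, windowStyle, ticks) {
  for (let t = 0; t < ticks; t++) {
    source.tick();
    if (windowStyle(t) !== source.read()) return t;
  }
  return -1;
}

// Weak design: a fixed blink (off, on, off, ...) that any page script can copy.
function fixedBlinkIsCopyable(ticks) {
  let n = 0;
  const source = makePatternSource(() => n++ & 1);
  return firstDesync(source, (t) => t & 1, ticks) === -1;
}

// Design from the post: a fresh random bit per frame, never exposed to the page.
function randomBorderResults(ticks) {
  const source = makePatternSource(randomBit);
  const trusted = firstDesync(source, () => source.read(), ticks); // holds `read`
  const imitation = firstDesync(source, randomBit, ticks);         // can only guess
  return { trusted, imitation };
}

// Chance that a guessing window stays in sync for n frames: 2^-n.
const survivalChance = (n) => 2 ** -n;
```

The trusted dialog never falls out of step with the indicator, while a window that has to guess is expected to disagree with it within the first couple of frames.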
