Unforgeable dialog.

James A. Donald jamesd at echeque.com
Mon Jan 30 11:25:56 EST 2006

One needs to differentiate dialogs brought up from within the browser
client, which are trustworthy unless one is infected with malware,
from popups brought up by some other web page. (Of course if popups
are disabled except for specific sites, this is considerably less of a

How would one construct a dialog from within Firefox so that it is
obviously different from any unprivileged web page that attempts to
imitate it?

(The motivation for all this is that it seems that the architects of
the major browsers are not looking for a solution to the phishing
problem. They are looking for a solution to the phishing problem that
fits into the existing business models of existing certification

The easy thing to do is to turn off the title bar and status bar, but
I am a bit worried that this is not glaringly obvious enough.

What I would really like to do is use transparency against the
desktop, so that I can have a non-rectangular dialog, but it only
seems possible to do this in native mode, not obvious that it can be
done in XUL, despite XUL's supposed support for transparency, and
doing it in native mode seems much like hard work.

Another approach is to take advantage of the only-one-popup rule for
untrusted web pages, by popping up two related overlapping dialogs
which hold a fixed position relative to each other - which visually is
a sort of non-rectangular dialog.

          James A. Donald

The Cryptography Mailing List