More US bank silliness
Sam Hartman
hartmans at mit.edu
Mon Sep 8 11:06:19 EDT 2008
>>>>> "Peter" == Peter Gutmann <pgut001 at cs.auckland.ac.nz> writes:
Peter> On a semi-related topic, it'd be interesting to get some
Peter> discussion about FF3 removing the FF2 SSL indicators of the
Peter> padlock and (more visibly) the background colour-change for
Peter> the URL bar when SSL is active and replacing it with a
Peter> spoof-friendly indicator that's part of the favicon,
Peter> i.e. part of the attacker-controlled content. The URL bar
Peter> colouring was by far the most visible security indicator
Peter> that any web browser had, the giant leap backwards of
Peter> moving to a near-invisible blue border around the favicon
Peter> does nothing to indicate security and is trivially spoofed
Peter> by putting a blue border around the favicon. There's a
Peter> bugzilla bug filed against it,
Peter> https://bugzilla.mozilla.org/show_bug.cgi?id=430790 (with
Peter> inevitable dups,
Peter, list, the W3C Web Security Context working group is in the
final week of a public last call on their user interface guidelines.
These guidelines take a look both at the balance between EV-certs and
at user interface for security indicators.
Comments need to be received by September 15. The draft is at
http://www.w3.org/TR/2008/WD-wsc-ui-20080724/ and my take is at
http://www.painless-security.com/blog/2008/08/w3sc-lc/ .
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com