Untrusted text in security dialogs
I just gave a 10-minute lightning talk at SOUPS on the topic of untrusted text in security dialogs.
I've been reading Firefox security bug reports over the years, and I've collected a list of things that can go wrong in security dialogs. New security dialogs should be tested against these attacks, or preferably designed to not be dialogs.
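One concrete class of "things that can go wrong" is the string itself: a hostname or page title that a site controls but a dialog displays as if it were trustworthy. The snippet below is an added example, not code from the talk or from Firefox, showing a defensive sanitizer and a check that a dialog-testing harness could apply. It assumes the mitigations of stripping Unicode bidirectional control characters (the right-to-left trick mentioned in the comments), dropping other control and format characters, collapsing whitespace so padding cannot push the real message out of view, and truncating with a visible marker. The sample strings are constructed for the demonstration.

```javascript
// Added example (not from the post or from Firefox): sanitize untrusted text
// before it is placed in a security dialog, and provide a check that a test
// for a new dialog can run against its displayed strings.
// Assumptions: bidi overrides, control/format characters, whitespace padding
// and excessive length are the failure modes we want to neutralize.

// Unicode bidi controls: LRE/RLE/PDF/LRO/RLO (U+202A-U+202E),
// isolates (U+2066-U+2069), LRM/RLM (U+200E/U+200F), ALM (U+061C).
const BIDI_CLASS = '[\\u202A-\\u202E\\u2066-\\u2069\\u200E\\u200F\\u061C]';
const BIDI_CONTROLS_G = new RegExp(BIDI_CLASS, 'g'); // for replace()
const HAS_BIDI = new RegExp(BIDI_CLASS);             // non-global, safe for test()

// C0/C1 controls, zero-width characters, line/paragraph separators, BOM.
const OTHER_CONTROLS_G = /[\u0000-\u001F\u007F-\u009F\u200B-\u200D\u2028\u2029\uFEFF]/g;

// Returns a version of `input` that is safe to show verbatim in a dialog:
// no direction overrides, no invisible characters, single spaces only,
// and at most `maxLen` characters with a visible ellipsis when cut.
function sanitizeDialogText(input, maxLen = 60) {
  let s = String(input);
  s = s.replace(BIDI_CONTROLS_G, '');
  s = s.replace(OTHER_CONTROLS_G, '');
  s = s.replace(/\s+/g, ' ').trim();
  if (s.length > maxLen) {
    s = s.slice(0, maxLen - 1) + '\u2026';
  }
  return s;
}

// Check for use in dialog tests: does the text still carry bidi controls?
function containsBidiControls(text) {
  return HAS_BIDI.test(String(text));
}

// Constructed sample: a hostname that would render reversed after U+202E,
// and one padded with whitespace to push the real message off-screen.
const constructedRtlHost = 'bank.example\u202Emoc.rekcatta';
const constructedPaddedHost = 'bank.example' + ' '.repeat(300) + 'attacker.example';

console.log(containsBidiControls(constructedRtlHost));        // true
console.log(sanitizeDialogText(constructedRtlHost));           // bank.examplemoc.rekcatta
console.log(sanitizeDialogText(constructedPaddedHost));        // bank.example attacker.example
console.log(sanitizeDialogText('a'.repeat(100), 10));          // aaaaaaaaa…
```

The sanitizer is intentionally lossy: removing the override character makes the reversed portion visible as the odd suffix it really is, and collapsing padding keeps the site-controlled part next to the dialog's own text. A test for a new dialog can call `containsBidiControls` on every string it renders and fail if any untrusted input still reaches the screen unsanitized.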
July 14th, 2010 at 4:31 pm
Interesting stuff. I loved the right-to-left URL attack.
Thanks for sharing.
July 14th, 2010 at 10:40 pm
That is awesome :)
Sadly, security-related UI (i.e. PSM) is rather underowned – as far as I can tell, the current owner is Johnath, but as you mentioned he seems to be way too loaded to spend time on it :(
Please think a *lot* more from the web site’s point of view (and not just the security one) before removing things like onbeforeunload; it can also be used for good for things like making sure the user is aware that she hasn’t committed before closing the page.