On Jan 3, 2008 12:48 PM, Michal Zalewski <lcamtuf@dione.cc> wrote:
> Note that any person familiar with the dialog is unlikely to be confused
> by this prompt, as a clear indication of the originating site, consistent
> with the design of this dialog, is preserved ("...at
> http://avivraff.com").
Might be, if the domain indication was more clear, and not at the end
of the attacker controlled text.
> As such, I would certainly not go as far as
> recommending "not to provide username and password to web sites which show
> this dialog" - that's an overkill. Just don't trust self-contradictory or
> unusually structured dialogs - you never should.
I think regular users would find it difficult to distinguish between a
normal dialog and an unusually structured dialog.
> Naturally, any person *not* used to seeing this dialog might be eager to
> enter his credentials there, lulled by the tech lingo - but that's a
> general complaint about browser design that is in no way specific to
> Firefox; the same person would be likely to give out his password to:
>
> prompt("Please enter your password for foocorp.com (certified by Verisign)")'.
>
> ...simply because a systemic failure of browser vendors to provide
> user-friendly security signaling and UI behavior (along the lines of: "as
> far as we're concerned, any person with no understanding of SSL, HTTP, and
> DNS had it coming and should die in a fire").
>
Actually, the prompt is not a good example, as FireFox does show the
originating domain in the title, and IE7 disables prompt by default.
Though, I do agree that there are people out there that will be fooled
by this too.
--Aviv.
> Note that any person familiar with the dialog is unlikely to be confused
> by this prompt, as a clear indication of the originating site, consistent
> with the design of this dialog, is preserved ("...at
> http://avivraff.com").
Might be, if the domain indication was more clear, and not at the end
of the attacker controlled text.
> As such, I would certainly not go as far as
> recommending "not to provide username and password to web sites which show
> this dialog" - that's an overkill. Just don't trust self-contradictory or
> unusually structured dialogs - you never should.
I think regular users would find it difficult to distinguish between a
normal dialog and an unusually structured dialog.
> Naturally, any person *not* used to seeing this dialog might be eager to
> enter his credentials there, lulled by the tech lingo - but that's a
> general complaint about browser design that is in no way specific to
> Firefox; the same person would be likely to give out his password to:
>
> prompt("Please enter your password for foocorp.com (certified by Verisign)")'.
>
> ...simply because a systemic failure of browser vendors to provide
> user-friendly security signaling and UI behavior (along the lines of: "as
> far as we're concerned, any person with no understanding of SSL, HTTP, and
> DNS had it coming and should die in a fire").
>
Actually, the prompt is not a good example, as FireFox does show the
originating domain in the title, and IE7 disables prompt by default.
Though, I do agree that there are people out there that will be fooled
by this too.
--Aviv.