lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 13 Feb 2007 19:52:23 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: Andreas Beck <becka-list-bugtraq@...atec.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: Firefox focus stealing vulnerability   (possibly other browsers)

On Tue, 13 Feb 2007, Andreas Beck wrote:

> Let scripts and form parser handle upload fields just as usual form
> fields. Prefilling them with VALUE, changing them from script, etc. pp.
>
> BUT: Warn the user about uploading files.

The problem here is that a majority of users find browser warnings
impossible to understand, far too frequent, perceive them as roadblocks
(see dancing hamsters, or "reject an invalid certificate"?), and above
all, are not sure who is to be trusted (the author of the webpage, who
tells us to click "yes", or the author of a browser, who is a whiny
geek?).

Otherwise, we wouldn't have *millions* of users running attached EXE files
or clicking to install ActiveX controls despite big, honking, sometimes
repeated warnings that say "YOUR COMPUTER WILL BE OWNED" and default to
"cancel".

Adding warnings that pop up during normal activity (such as uploading your
new baby photos) further blurs the line and conditions users into clicking
"yes" on all such notices.

So, although it's a good solution from a technical standpoint, I do not
think it's optimal as far as users are concerned - whenever we can avoid
giving a non-expert user a choice without impacting functionality, we
should go for it.

In this particular case, preventing scripts from reading .value of such
input fields, moving focus to or away from these fields, and in any way
influencing the delivery of keystroke events while this field is in focus,
seems to be a good solution that wouldn't significantly interfere with
legitimate web functionality.

/mz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ