Preventing browser UI spoofing

The problem of web sites being able to spoof browser UI was on Slashdot recently. This is a hard problem that browser vendors have known about for a long time.

The most popular solution, preventing web sites from disabling the status bar, is insufficient. Keeping the status bar always on would only keep malicious sites from spoofing https sites. In contrast, keeping the address bar always on would keep malicious sites from spoofing all web sites. Keeping the address bar always on would also be more effective at preventing web sites from spoofing native applications.

One argument for using the status bar is that it's smaller than the address bar. But it's only about 8px shorter if we use small-icons mode for pop-ups, and we can probably make it even shorter.

One suggestion was to show the hostname in the status bar. The hope is that users would then look there instead of the address bar to verify what site they're on. I don't think enough users would change their habits for this to work. It would also require cluttering the status bar in ordinary windows, which seems like a high price to pay to save 8px in pop-up windows.

Whatever we choose (address bar or status bar), we can do things to avoid breaking existing web sites. If a web site requests a 400x300 window without an address bar, we can give it a 400x334 window with an address bar. We can add a menubutton to the address toolbar in pop-up windows with menu items "Restore toolbars", "Hide address toolbar", and "Hide address toolbar in all pop-ups from https://gmail.google.com/".
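To make the compatibility scheme above concrete, here is an added example (not code from the original post or from any browser) that models the "address bar always on" policy as a function over a `window.open()` feature string. It parses the comma-separated `name=value` features, forces `location` on, grows the granted height by the 34px the post uses (400x300 requested, 400x334 granted), and honours a per-origin user exception standing in for the "Hide address toolbar in all pop-ups from …" menu item. The function names, the `ADDRESS_BAR_HEIGHT` constant, and the rule that a non-empty feature string treats unlisted toolbars as hidden are assumptions of this example.

```javascript
// Added example, not from the original post. Models a browser-side policy:
// a page may never remove the address bar from a pop-up unless the user has
// opted out for that page's origin.

const ADDRESS_BAR_HEIGHT = 34; // px; from the post's 400x300 -> 400x334 figure

// Parse a window.open() feature string such as
// "width=400,height=300,location=no,status=no" into an object.
// Bare names and yes/1/true become true, no/0/false become false,
// digit strings become numbers, anything else is kept as a string.
function parseFeatures(features) {
  const result = {};
  for (const item of String(features || "").split(",")) {
    const trimmed = item.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = (eq === -1 ? trimmed : trimmed.slice(0, eq)).trim().toLowerCase();
    const raw = eq === -1 ? "yes" : trimmed.slice(eq + 1).trim().toLowerCase();
    if (raw === "yes" || raw === "1" || raw === "true") result[name] = true;
    else if (raw === "no" || raw === "0" || raw === "false") result[name] = false;
    else if (/^\d+$/.test(raw)) result[name] = Number(raw);
    else result[name] = raw;
  }
  return result;
}

// Decide what window the page actually gets.
//   features          - the page's window.open() feature string
//   openerOrigin      - origin of the page opening the pop-up
//   userAllowsHiding  - Set of origins for which the user chose
//                       "Hide address toolbar in all pop-ups from <origin>"
// Assumption (browser convention): with a non-empty feature string, any
// toolbar not listed is treated as a request to hide it.
function applyPopupPolicy(features, openerOrigin = "", userAllowsHiding = new Set()) {
  const req = parseFeatures(features);
  const granted = { ...req };
  const anyFeature = Object.keys(req).length > 0;
  const wantsHidden = anyFeature && req.location !== true;
  const userException = userAllowsHiding.has(openerOrigin);

  if (wantsHidden && !userException) {
    // Policy: keep the address bar, and give the page the content height it
    // asked for by growing the window instead of shrinking the content.
    granted.location = true;
    if (typeof req.height === "number") {
      granted.height = req.height + ADDRESS_BAR_HEIGHT;
    }
    granted.addressBarForced = true; // UI can offer "Hide address toolbar"
  } else {
    granted.location = !wantsHidden;
    granted.addressBarForced = false;
  }
  return granted;
}

// Constructed sample: a page requesting a 400x300 pop-up without an address bar.
const sampleGrant = applyPopupPolicy("width=400,height=300,location=no,status=no",
                                     "https://example.test");
console.log(sampleGrant); // { width: 400, height: 334, location: true, status: false, addressBarForced: true }
```

The third branch of the post's menu (per-origin opt-out) is what `userAllowsHiding` represents: the policy only yields when the user, not the page, has asked for the bar to go.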

14 Responses to “Preventing browser UI spoofing”

  1. Bram Says:

    The strange thing with showing an address bar is that you suggest navigating in that window while the site opening the pop-up wants to discourage that. Actually surfing in that window would be quite annoying if it’s non-resizable and doesn’t have all toolbars.

    If your purpose is just to show the current address, and some “Restore toolbars” button you could actually create a new kind of toolbar (pop-up bar?) which has more or less the same height as the statusbar and just some address label instead of a full-blown address bar.

  2. Mathieu Pellerin Says:

    I don’t think making the statusbar permanent is the best solution (I think it can be very useful to remove the statusbar for the good looking of it)

    imo, the solution should be placed in the _titlebar_ simply because the titlebar is something that the web doesn’t play with (except of course giving it a different name)

    so

    a) there’s a titlebar icon change to indicate that this window is missing the statusbar (or any other part: menu, toolbar)

    b) (my favorite :) and original) you add a button next to the system buttons to unhide/hide the statusbar and/or any other missing parts removed by the javascript call …

    I would vote for the solution B for two reasons
    – it’s visually more obvious to see an added system button rather than a slightly changed titlebar icon
    – it adds the possibility for the user to get their toolbar, menubar, statusbar back (something I often wanted when I was using a window without menubar)

    don’t make the statusbar permanent, that’s not the right solution (especially if somebody simply doesn’t like the statusbar and disables it all the time :) )

  3. mark Says:

    The status bar is the least useful real estate on the screen. I don’t know if anyone has done usability tests on the status bar, but my experience is that it is very unnatural for users to look at that area of the screen. I’m sure that even if there were two status bars displayed I would not have noticed it.

    IMHO the basic problem is that a site should not be given any ability to change the GUI of the browser. Why is it assumed that when I surf a site, I give it automatic permission to manipulate my GUI? This is the same as giving sites permission to set my home site, and the solution should be the same: ask the user if he permits it per specific site, then store this as a preference for the future.

  4. Justin Says:

    Why not simply put a (bright red, striped, something) border around any XUL-based GUI retrieved from a remote location? Even if the GUI is opened in a new fullscreen window, the border will be there to let the user know it’s not locally generated. It’d also be fairly inconspicuous in comparison to requiring the status bar/menu bar/toolbar be visible 100% of the time, while still informing the user of what was happening.

  5. i5mast Says:

    how about checking the form submission. is it possible to determine whether it is being submitted from a spoofed window?

  6. Jesse Ruderman Says:

    Bram (#1): Web sites have no business creating non-resizable windows (bug 177838), so that part of your argument doesn’t work. Other than that, your idea is reasonable.

    Mathieu (#2): I don’t know about you, but I rarely look at the title bar. That said, I think we should do what you describe in addition to preventing web sites from hiding the address bar. Then if someone chooses “Hide address toolbar in all pop-ups from https://gmail.google.com/“, they’ll still have something they can look at.

    Justin (#4): You can spoof the browser UI just as effectively with HTML+JS as you can with XUL. That’s why I didn’t mention XUL in my post.

  7. Jesse Ruderman Says:

    i5mast (#5): You assume malicious sites will use ordinary form controls rather than some other method of capturing passwords you enter.

  8. john Says:

    You’ve described, and I think Bram was talking about, exactly what I’ve always wished for in those little pop-up windows.

    A minimal addressbar (no need even for back/forward/etc) with a button to turn the ‘pop-up’ window into a full-fledged browser window would be just perfect. This would be so unobtrusive as not to mess with web UIs, but still make it perfectly clear that the window involved is in fact part of the browser.

    Just my thoughts.

  9. Mathieu Pellerin Says:

    Jesse: True that the title bar is not an important part of the window but I know that adding a system button is something people notice (by experience).

    Plus the titlebar is the only thing a remote combination of html+js or xul can’t remove or spoof

    And like you said, when a site decides to use a popup window with no ui element, it gives us a new feature to bring back a part or all the missing elements…

  10. Anonymous Says:

    How about using the yellow bar for this and displaying the URL or domain there (somewhat like SpoofStick): “Note: You’re on evilsite.com”? With a “hidden” option to disable it, that is.

  11. James Slaughter Says:

    I see that the status bar stays about in popups now, but notice that it has another problem: it can be hidden by resizing the browser below a certain height. Unfortunately, the height at which this happens is ideal for presenting log-in dialogue boxes.

    I basically agree with the general sentiment that showing the status bar doesn’t help very much unless there is useful information in it. Can it display some extra gubbins whenever the address bar has been hidden? Something like “http://example.com (insecure)” would suit me.

  12. Jesse Ruderman Says:

    http://www.saintpatrickdc.org/bsmedberg/index.php?p=22

  13. Stephen Duncan Jr Says:

    My thoughts:

    http://www.stephenduncanjr.com/2004/09/browser-spoofing-summary.shtml

  14. PukiWiki/TrackBack 0.1 Says:

    Mozilla Firefox/0.10

    ¢«Á°¥Ð¡¼¥¸¥ç¥ó¡§0.9.3 | ¼¡¥Ð¡¼¥¸¥ç¥ó¡§1.0RC¢ª Mozilla Firefox 0.10 (1.0 Preview Release) 2004/9/14¥ê¥ê¡¼¥¹¡£ ³µÍ× ¿·µ¡Ç½ ¼ç¤Ê²þÎÉÅÀ ¿·µ¡Ç½¡§¥¦¥§¥Ö³«È¯´ØÏ¢ ¼çÍפÊÉÔ¶ñ¹ç¤Î½¤Àµ ºï½ü¤µ¤ì¤¿µ¡Ç½ ¥»¥­¥å¥ê¥Æ¥£¥Û¡¼¥ë¤Î½¤Àµ ¿·µ¡Ç½²òÀâ ¸¡º÷¥Ä¡¼¥ë¥Ð¡¼ ưŪ¥Ö¥Ã¥¯¥Þ…