Untrusted text in security dialogs

I just gave a 10-minute lightning talk at SOUPS on the topic of untrusted text in security dialogs.

I've been reading Firefox security bug reports over the years, and I've collected a list of things that can go wrong in security dialogs. New security dialogs should be tested against these attacks, or preferably designed to not be dialogs.

2 Responses to “Untrusted text in security dialogs”

  1. Giorgio Maone Says:

    Interesting stuff. I loved the right-to-left URL attack.
    Thanks for sharing.

  2. Mook Says:

    That is awesome :)

    Sadly, security-related UI (i.e. PSM) is rather underowned – as far as I can tell, the current owner is Johnath, but as you mentioned he seems to be way too loaded to spend time on it :(

    Please think a *lot* more from the web site’s point of view (and not just the security one) before removing things like onbeforeunload; it can also be used for good for things like making sure the user is aware that she hasn’t committed before closing the page.