« Fuzzing talk at the Mozilla Summit
War on Orange update »

Untrusted text in security dialogs

I just gave a 10-minute lightning talk at SOUPS on the topic of untrusted text in security dialogs.

I've been reading Firefox security bug reports over the years, and I've collected a list of things that can go wrong in security dialogs. New security dialogs should be tested against these attacks, or preferably designed to not be dialogs.

This entry was posted on Wednesday, July 14th, 2010 at 3:29 pm and is filed under Mozilla, Presentations, Security, User Interfaces. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

2 Responses to “Untrusted text in security dialogs”

  1. Giorgio Maone Says:
    July 14th, 2010 at 4:31 pm

    Interesting stuff. I loved the right-to-left URL attack.
    Thanks for sharing.

  2. Mook Says:
    July 14th, 2010 at 10:40 pm

    That is awesome :)

    Sadly, security-related UI (i.e. PSM) is rather underowned – as far as I can tell, the current owner is Johnath, but as you mentioned he seems to be way too loaded to spend time on it :(

    Please think a *lot* more from the web site’s point of view (and not just the security one) before removing things like onbeforeunload; it can also be used for good for things like making sure the user is aware that she hasn’t committed before closing the page.