Wednesday, June 22, 2005
If a box pops up and asks for a password, think twice
I'm not sure how real a problem this is, but one browser vendor thought it was worth fixing.
Suppose you're looking through the web and have more than one web site open. Any of them can ask you for information by popping up a dialog box. The problem is that your web browser doesn't tell you which site the dialog box comes from.
Suppose that porcupinesonspringbreak.com is run by a shady person, and you're looking at it for entertainment while you have another tab open to your bank. Now the shady operator pops up a dialog box that says "Your online banking session has expired. Please re-enter your password." The dialog box appears over your banking session, and the answer you type in goes to porcupinesonspringbreak.com.
Except, this isn't news. That dialog box is always going to have a title like "Javascript" or "Javascript application", precisely because the people who build web browsers were worried that something like this would happen and made sure that the dialog box title was impossible for web sites to change. They were afraid someone might pop up fake dialog boxes.
The makers of Opera were sufficiently afraid people might get fooled anyway that they stuck in something to identify who popped up the dialog.
One good way to protect yourself against problems like this is to close all your other windows and tabs when you're doing something sensitive. And of course it improves your security to avoid sleazy sites about porcupines in Fort Lauderdale.