padlock icon relies on address bar being visible
George Staikos
staikos at kde.org
Thu Apr 21 19:02:11 BST 2005
On Wednesday 20 April 2005 15:04, Michael Roitzsch wrote:
> Hi Konqueror team,
>
> I just want to pass an idea of mine around amongst browser vendors:
>
> I have lately written an article about a security flaw common to a lot of
> browsers: The closed padlock icon is completely worthless when the user
> does not verify the domain by looking at the address bar, yet there is no
> indication in the user interface telling the user to do that. Even worse,
> some browsers allow UI configurations where the padlock icon is visible,
> but the address bar is not. While this is a good idea (URIs are an internal
> detail, the user should not have to worry about it), the padlock icon needs
> enhancement to ensure secure operation.
I agree, it is a bit of a problem.
> You can find my small article about the subject here:
> http://www.amalthea.de/publications/browser-padlock-flaw.pdf
>
> A generic solution to homograph attacks I presented can be easily included
> into the above idea, since the verification of the domain name is
> susceptible to homograph attacks:
> http://www.amalthea.de/publications/homograph.pdf
Or even misspellings that many users wouldn't catch. Or the popular
"www.paypal.vg". Sometimes that's all that's needed to trick users.
> To summarize: I propose a whitelist of trusted domains. Everytime the user
> enters a new SSL site, a dialog asks, if the domain is trusted. The closed
> padlock is only shown for trusted SSL sites.
Interesting idea. I think you need to file it as a feature request for
Konqueror at http://bugs.kde.org/ . Please bring it to my attention so I can
add myself to the CC: list.
--
George Staikos
KDE Developer http://www.kde.org/
Staikos Computing Services Inc. http://www.staikos.net/
More information about the kfm-devel
mailing list