It seems like a phishing attack would occur if a user clicks on a link and doesn't notice the absence of a new standard tab opening. E.g., I have a link to "Bank of America" but it's really still in the same site; the user can't see in the indicator bar that it's not bankofamerica.com, because there is no indicator bar.
On Fri, Jun 25, 2010 at 12:17 PM, Sid Stamm <[email protected]> wrote:
> This strangeness occurred to me too.
>
> The assumption indeed is that the user expresses trust on sites
> converted to app tabs; he will check his location and the security UI
> before converting the tab to an app tab. Once it is an app tab, any
> links directing the user off the site will open in a new standard tab,
> so that the user won't be switching top-level document domains in the
> app tab.
>
> There are two other things to consider. There must be a way to get at
> the security/SSL UI; this will be available when the user clicks the app
> tab's icon. Also, certificate errors should be obvious; the usual
> security warnings will show up if there are cert errors.
>
> We've briefly discussed downgrading the app tab to a regular tab if the
> certificate's security properties change (e.g., EV->DV, or a new cert
> shows up, etc). We also briefly discussed what would cause the tab
> downgrade to happen (e.g., should we downgrade when the cert changes
> even if it's valid? This would hose CDNs).
>
> Cheers,
> Sid
>
>
>
> On 6/24/10 11:18 p, Devdatta Akhawe wrote:
> > Hi
> >
> > I was looking at
> > http://blog.mozilla.com/faaborg/2010/06/24/why-tabs-are-on-top-in-firefox-4/
> > and noticed the app tabs feature being talked about. I am concerned
> > about the security implications of app tabs. I can't seem to notice
> > any trusted indicator of my current location while in an app tab
> > (slide over to 2:30 in the video). It seems like this would make app
> > tabs ripe for phishing attacks.
> >
> > Is the assumption that the user will always first check his location
> > and only then convert to app tabs? What exactly is the model here?
> >
> >
> > thanks
> > devdatta
> _______________________________________________
> dev-security mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security
