
The Line of Death - bpierre
https://textslashplain.com/2017/01/14/the-line-of-death/
======
_yosefk
I think the real issue is that everybody cares about usability but nobody
actually cares about the users. Browsers, web apps, etc. try hard to make it
easy to browse the web, but they don't try very hard to make it clear exactly
what you're doing and what the risks are - in fact, everyone tries rather hard
to downplay the risks and to hide how things actually work. How many users
understand "the line of death", or the basic fact that different pixels are
drawn by different programs, not to mention URL structure, or (gasp) Unicode
and how it fits there, or how rnicrosoft.com isn't what they're looking for?
What makes them understand this? Nothing. Software vendors are very happy with
uninformed users (in fact these are the best users because they don't realize
which of your programs and services can be replaced with an alternative and
how), and users are very happy to stay uninformed, too.

Not saying I know how to fix this, just that in my experience non-tech people
are so completely unaware of what's going on that this "line of death" thing
is not even a thing for them.

~~~
userbinator
To fix this the answer is to educate the users, and also oppose this style of
UI that makes things opaque and hard to comprehend. (Maybe when users are
better educated they will automatically find the problems with such UI and
thus further oppose it.) Incidentally, if users customised their environments
more, they would be far less likely to be fooled by fake dialogs and such,
because they would look very obviously different. With the setup I have, it's
almost hilarious to see all the adverts with fake dialogs and buttons that
look nothing like the real ones on my system; the font, the colours, the
controls, everything stands out as being different.

~~~
ams6110
Back when it was still possible (Windows XP? Maybe Windows 7?) I would always
turn off all the modern Windows chrome and animation and make it look like
Windows 2000. Made for better responsiveness and as you say, you could spot
fake dialog boxes in an instant.

Not a Windows user these days but I understand it's not possible to get the
old Windows 2000 look anymore, though I'm sure you can still change color
themes and appearance to some extent.

~~~
hlandau
You can still do this as late as Win7. I think this was eliminated in Win8,
but I've not used it myself.

If you do use Aero, you can change the window chrome colour to something
custom, which should catch out sites trying to fake windows. I don't _think_
browsers provide any way to get the window chrome colour, though come to think
of it, I'm fairly sure IE does/used to provide system colour names in CSS, so
it might not be impossible... (If you recall the Win2000-era colour
customization window, which IIRC you can still access in current versions of
Windows, it's just hidden, you can set things like default window background
colour, which traditionally in the Win2000 era was grey. So I guess the idea
is that websites could use these system colours if you changed them to be
consistent with the OS. Of course nobody really does this.)

~~~
notriddle
Windows 10 lets you pick a "custom accent color," and it allows you to make a
few other custom tweaks as well (should the titlebar be white or colored?).

Since this is part of the initial setup wizard, I think it would be pretty
hard to fake a Windows 10 dialog from inside a web browser.

~~~
Stratoscope
That problem is easily solved. In your malware, simply use the default
settings for all of those things, and you will catch the 97% of users who
never customize any of it.

You can afford to lose the remaining 3%.

~~~
notriddle
The title bar thing, yes.

The accent color? If you buy a new Windows 10 machine off the shelf, after you
enter your name, it asks what your favorite color is. I think blue is
highlighted when that screen comes up, but you can't miss the opportunity, so
3% is a bit low for an estimate of how many people will change it.

~~~
throwawayish
Favourite colors don't follow a random distribution. IIRC with blue and green
you already have two thirds of the population.

~~~
notriddle
A browser ad that imitates a windows dialog can only guess one color per
impression. Forcing Mallory to settle for 1/3 of the otherwise-vulnerable
population is a definite improvement.

------
lucideer
One of the best UIs I've seen crossing over this line of death was the HTTP
Basic Auth popdown in Opera 12. I've always wondered why that UI concept was
never taken up by other browsers.

... will try and find a screenshot

Edit: Couldn't find one so just installed it myself:
[https://pageshot.net/images/4af15a26-6eb8-45a2-b4d5-ed6ea19a...](https://pageshot.net/images/4af15a26-6eb8-45a2-b4d5-ed6ea19a1028.png)

Edit2: dom0 beat me to it below also

Edit3: reword

~~~
grenoire
Both Chrome and Firefox are under the line of death too. Although for Firefox
it is a bit trickier to replicate as it uses native components whereas Chrome
uses its internal UI kit.

~~~
lucideer
Sorry, perhaps my comment was unclear. I meant "breaking" in a positive way
(hence "best") - the UI crossed the line in a very significant and
impossible-not-to-notice way.

Still searching for a screenshot unfortunately... may just re-install it and
take one myself.

~~~
dom0
[http://schubiserv.de/images/opera-benutzerauthentifizierung....](http://schubiserv.de/images/opera-benutzerauthentifizierung.png)

~~~
niftich
I still disagree with both lucideer's original and improved wording, but I
agree with their message, which praises Opera's basic auth UI as making it
clear with the borders and 3D foreground overlay effect that it's a part of
the browser-produced "trusted zone", and not the pool of untrusted content
behind.

Moreover, these kinds of UIs are still possible with the 'flat' look that's in
vogue today, so there's little excuse why others choose not to do it. Perhaps
one reason is that basic auth lost out early on to site-supplied login forms,
so people got used to entering usernames and passwords into the page content
anyway, instead of the browser UI.

For the most part, basic auth only tends to affect uses like intranet sites,
router login pages, web services, remote management pages -- settings where
phishing can still cause (serious) damage, so a harder-to-fake UI would be
beneficial nonetheless.

~~~
lucideer
On my wording, apologies (edited). I was thinking of "breaking" in terms of
"breaking/crossing a line/barrier one does not typically cross". Probably not
the best wording in retrospect.

On the comments on basic auth losing out, you might be right that that's a
reason, but HTML5 APIs requiring some kind of UI confirmation from the user
(like HTTP basic auth does) are far more proliferant than they once were (see
[http://permission.site/](http://permission.site/) for many examples), so I
don't think that excuse is really good enough for browser vendors.

Incidentally, it's worth noting that the UI for this kind of thing (user
confirmation prompts) is pretty much a solved problem on mobile: these prompts
tend to use the OS notification API, so always appear outside the browser
chrome entirely.

~~~
niftich
Desktop platforms like OS X, most Linux desktop environments, and newer
versions of Windows have similarly allowed applications to hook into the OS'
own notification mechanism for a while, but for some reason this model never
caught on. One can argue that it's much clunkier on these platforms than on
mobile, but the capability is now there.

Unfortunately, with HTML5 notifications, the ship has probably sailed on this
and it went from being an intriguing idea to a bad one, as now it's getting
mainstream for individual websites to generate OS-level notifications. This
made a previously privileged pool of messages full of untrusted content.

------
bcjordan
Speaking of zones of death, I was recently the (unsuccessful) target of a
credit card gathering scam—on a Twitter ad, pretending to _be Twitter_.

[https://twitter.com/bcjordan/status/819894043870105602](https://twitter.com/bcjordan/status/819894043870105602)

Multiple users actually entered their CC #s, two canceled them after they saw
my reply to the tweet warning users.

Incredibly, Twitter has still not notified the scammed users about it despite
removing the ad after my report and multiple tweets to support requesting they
notify the affected users.

The fact that they allowed that ad to get through (essentially _profiting_
from users identities and financial information being leaked?!) is just
unbelievable, separate from their failure to protect/notify the users affected
by the scam.

~~~
djsumdog
I don't know why you'd need to scam people on Twitter. There are plenty of
people who just post photos of their cards:

[https://twitter.com/needadebitcard](https://twitter.com/needadebitcard)

~~~
syphilis2
I was pleasantly surprised when my grandmother showed me her new chip credit
card and it didn't have the numbers stamped on the front. They're instead
printed on the back. I suspect the bank was getting sick of issuing new
numbers after people inadvertently posted their own card numbers online.

------
grenoire
From a few weeks ago:

[https://twitter.com/tomscott/status/812265182646927361](https://twitter.com/tomscott/status/812265182646927361)

This is a neat blog post that goes to show the extents of faking that can be
done in the browser. More talks about this will hopefully lead to better
"security UI" as the author puts it.

~~~
vanderZwan
I have my browser default to non-standard zoom (150%). Assuming the fake
attachments use a jpg instead of an SVG, they would look different. Not to
mention miss the on-hover CSS. I wonder if I would notice it or not; something
would probably feel off but not enough to fully register.

------
rocqua
The comment made about domain names not being trustworthy is why I like
EV-certificates.

Some people (notably google) argue that EV-certificates add very little of
value because the user can just as easily check the domain name. Thing is, I
could probably get some paypal or google like domain. Even if I can't, I could
use a data URI as in [1] to put [https://google.com](https://google.com) in
the address bar.

Compare that to EV. To get a browser to display google (or googel, or paypal),
I'd need to convince a CA to issue such an EV cert. Whilst that might not be
impossible, it takes something close to a state-level actor. A lot of phishers
operate below that level.

What EV gives over the domain name is a fully CA controlled part of the UI.
Whilst the address bar is the 'zone of death by phisher' the EV bar is the
'zone of death by CIA/KGB'.

[1] [https://www.wordfence.com/blog/2017/01/gmail-phishing-data-u...](https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/)

------
throwawayish
An entirely different but similar issue is logs. If you aggregate logs in a
simple, unstructured text file, then it becomes pretty easy to add faked log
lines, or, if they're viewed in the terminal plain-and-easy, embed VT control
characters in log lines that can hide other log lines. And with creative use
of Unicode one can also often confuse readers.

~~~
henrikschroder
I saw an example of that with shellscript files you're supposed to run with
'curl [http://example.com/script.sh](http://example.com/script.sh) | sh' or
something, where if you pipe it to cat instead, it looks harmless enough,
because it contains control characters that erase the dangerous parts. So you
have to download the script, and load it up in an editor before you can see
what it actually does.

...which of course is _so much work_ that no one does it.

~~~
stable-point
Opening it in a text editor is not sufficient. With clever use of 'sleep' you
can even have the server return a malicious payload only if it thinks it's
getting immediately piped to sh[0].

If you're opening it in a browser to check, you've also got to worry that the
server may be looking at curl's user agent to decide whether to serve up a
malicious payload[1].

[0] [https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...](https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/)

[1] [https://jordaneldredge.com/blog/one-way-curl-pipe-sh-install...](https://jordaneldredge.com/blog/one-way-curl-pipe-sh-install-scripts-can-be-dangerous/)
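throwawayish's log comment above and this curl-pipe-sh chain describe the same defect: bytes that a terminal interprets instead of showing. The following is an added example, not code from the thread or from any tool it links: a Python scanner a defender can run over aggregated log lines, or over a downloaded script before reading it, that reports VT escape sequences, loose control characters, bidi and other invisible code points, and tokens that mix scripts, and renders the input the way `cat -v` would so that what is really in the file becomes visible. All sample lines are constructed.

```python
"""Surface bytes that a terminal or text renderer will act on instead of display.
Added example for this thread (not code from the post or any linked project);
the log lines and the script below are constructed."""
import re
import unicodedata

# ECMA-48 escape sequences, tried in this order: CSI (cursor movement, erase
# line, colours), OSC (window title, hyperlinks), then any other two-byte ESC
# sequence. Any of them lets one line overwrite or hide its neighbours.
ESCAPES = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"    # OSC: ESC ] ... BEL or ESC \
    r"|\x1b[@-Z\\-_]"                        # other Fe escapes, e.g. ESC M
)
# Remaining C0 controls and DEL, except tab and newline. CR stays in here because
# on a terminal it returns to column 0 and lets later text overwrite earlier text.
C0 = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")
# Bidi embeddings, overrides and isolates: they reorder what the reader sees.
BIDI = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}

# Constructed samples. LOG_LINES[1] moves the cursor up one row, erases that row
# and keeps printing there, so the previous entry vanishes when the file is
# cat'ed to a VT100-style terminal. [2] uses CR to overwrite the start of its
# own line, [3] a right-to-left override, [4] a Cyrillic letter in a hostname.
LOG_LINES = [
    "2017-01-14T10:00:01Z sshd[4242]: Accepted publickey for alice from 10.0.0.5",
    "2017-01-14T10:00:02Z app: user=bob action=login\x1b[1A\x1b[2Kstatus=ok",
    "2017-01-14T10:00:03Z app: FAILED login for mallory\rstatus=ok            ",
    "2017-01-14T10:00:04Z app: uploaded file \u202egnp.exe",
    "2017-01-14T10:00:05Z app: callback to p\u0430ypal.com",
]
# Constructed install script: on a terminal, `cat` shows only two echo lines,
# because the escape sequence erases the HIDDEN line before printing the next.
SCRIPT = (
    "#!/bin/sh\n"
    "echo 'Installing...'\n"
    "echo HIDDEN\n"
    "\x1b[1A\x1b[2Kecho 'Done'\n"
)


def scan(text):
    """Return (kind, offset, snippet) findings for one line or a whole file, sorted
    by offset. Kinds: escape, control, bidi, format, private-use, mixed-script."""
    findings = []
    consumed = set()
    for m in ESCAPES.finditer(text):
        findings.append(("escape", m.start(), m.group()))
        consumed.update(range(m.start(), m.end()))
    for m in C0.finditer(text):
        if m.start() not in consumed:        # ESC already reported as part of a sequence
            findings.append(("control", m.start(), m.group()))
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        if ord(ch) in BIDI:
            findings.append(("bidi", i, ch))
        elif cat == "Cf":
            findings.append(("format", i, ch))
        elif cat == "Co":
            findings.append(("private-use", i, ch))
    # A token whose letters come from more than one script (Latin + Cyrillic, say)
    # is the classic homoglyph setup. The script is taken from the first word of
    # the Unicode name, which is coarse: mixed Japanese text trips this too.
    for m in re.finditer(r"\S+", text):
        scripts = {unicodedata.name(c, "?").split()[0] for c in m.group() if c.isalpha()}
        if len(scripts) > 1:
            findings.append(("mixed-script", m.start(), m.group()))
    return sorted(findings, key=lambda f: f[1])


def visible(text):
    """Render text the way a reviewer needs to see it: controls as ^X (like cat -v),
    format and private-use code points as <U+XXXX NAME>; everything else unchanged."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in "\t\n":
            out.append(ch)
        elif cp < 0x20:
            out.append("^" + chr(cp + 0x40))      # ESC -> ^[, CR -> ^M
        elif cp == 0x7F:
            out.append("^?")
        elif cp > 0x7F and unicodedata.category(ch) in ("Cc", "Cf", "Co"):
            out.append("<U+%04X %s>" % (cp, unicodedata.name(ch, "?")))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for sample in LOG_LINES + [SCRIPT]:
        print(visible(sample))
        for kind, offset, snippet in scan(sample):
            print("    %-12s @%-3d %s" % (kind, offset, visible(snippet)))
```

The server-side tricks in stable-point's links (timing, User-Agent sniffing) are invisible to a content scanner; this only answers the narrower question of whether the bytes you downloaded are the bytes you will read. Run as a script it prints each sample in its visible form followed by its findings; imported, `scan()` can be dropped into a log-ingestion path to quarantine lines rather than print them.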

------
walrus01
In my experience the ordinary user is no longer able to distinguish between a
native binary that is running on their OS (example: the windows update feature
of the win10 control panel) and data presented inside a browser window.
Witness the number of people who have fallen for the bsod scam sites and given
away their CC info.

[https://www.google.com/search?q=bsod+scam+site&num=100&prmd=...](https://www.google.com/search?q=bsod+scam+site&num=100&prmd=inv&source=lnms&tbm=isch&sa=X&ved=0ahUKEwiw-ti_g8PRAhUP1WMKHQhiC9oQ_AUIBygB)

Even when people see a scam where the UI obviously doesn't match with the OS,
ignorant non technical people fall for it. People get those scam sites in
safari on OSX and still click and pay.

------
kibwen
I've never heard the term "line of death" used to describe this before, but
this concept is exactly why I've sadly convinced myself that fully chromeless
browsers are a bad idea. Unless there were some sort of spoofless hardware
indicator that a given UI element was being displayed by the browser, I
suppose... but that sort of defeats the purpose.

~~~
inconclusive
What's a chromeless browser?

~~~
userbinator
Something like this: [http://techcrunch.com/2014/11/28/yandex-brwoser-concept/](http://techcrunch.com/2014/11/28/yandex-brwoser-concept/)

Discussed at
[https://news.ycombinator.com/item?id=8670503](https://news.ycombinator.com/item?id=8670503)

------
smacktoward
This is an interesting case where security and design are in direct collision.
From a security perspective you'd want the demarcation between the application
itself and the untrusted content area to be as clear and obvious as possible,
which would mean drawing big borders between them so thick nobody could
possibly miss them. But contemporary design is all about being "clean," part
of which involves making borders razor thin and so lightly colored you can
barely see them.

The example given of Chrome's line-of-death-crossing chevron is a good
illustration of this tension. Say what you want to about it security-wise, but
you can't say it's not clean!

~~~
lucideer
I don't think I really agree with this. Making good visual design, or let's
say in this case "clean" visual design, work is up to the designer.

Taking for example the Opera 12 example I mentioned in comments above[0]:
while I don't think Opera's overall UI design in 2011 was particularly
visually pleasing, and certainly not as clean as Chrome's today, if you
consider the UI pattern in isolation there's nothing preventing it from being
done cleanly. Facebook uses the same UI pattern for the active state of its
status input today.

That's just one obvious example - I'm not suggesting it's the only one.
Google's Material Design guidelines advocate a lot of context-crossing - the
canonical example being the "Floating action button" attaching to sheets[1]

[0]
[https://news.ycombinator.com/item?id=13400645](https://news.ycombinator.com/item?id=13400645)

[1] [https://material.io/guidelines/components/buttons-floating-a...](https://material.io/guidelines/components/buttons-floating-action-button.html#buttons-floating-action-button-large-screens)

------
jameshart
Occurs to me that counteracting this problem might be one of the strengths of
3D UIs, such as we might have to look forward to in AR systems, or with
display advances. Untrusted content can literally be loaded up and restricted
to exist only 'inside' a chrome box, making its provenance clear.

Of course, chances are that we'll get carried away with the possibilities of
allowing AR web browsers to create arbitrary objects in the AR space long
before we realize what a terrible idea that is...

------
alexpete
Something else to add, a Data URI can do this:
[https://twitter.com/tomscott/status/812268998742118400](https://twitter.com/tomscott/status/812268998742118400)

------
franciscop
I have found a much worse case in mobile apps. I do not have Facebook App
installed, so I get a prompt from some apps when I try to auth through
facebook in-app to login into facebook, which could be totally fake.

------
JetSpiegel
This is a truly dark pattern.
[https://textplain.files.wordpress.com/2017/01/image38.png?w=...](https://textplain.files.wordpress.com/2017/01/image38.png?w=287&h=164)
Faking browser popups is evil, and unexpected for a high-profile site such as
Tom's Hardware.

~~~
hlandau
What exactly does it accomplish, though, in this instance? Since it's not real
it can't actually authorize anything the site can't already do. It's a dubious
approach, but it seems more misguided than actively malicious.

~~~
owenversteeg
If they say no to the real thing, the site can't ask again. But of course they
can present the fake one on every page as many times as they want until the
user acquiesces. So once they click "yes" on the mini dialog, the page opens
the real permissions dialog, because you can be much more certain that they'll
allow it.

Good TC article on the practice: [https://techcrunch.com/2014/04/04/the-right-way-to-ask-users...](https://techcrunch.com/2014/04/04/the-right-way-to-ask-users-for-ios-permissions/)

~~~
eriknstr
On iOS I think it is correct to first ask in app and then trigger the real
thing if the user agrees because in an app there is a context that the app
usually needs the permission so it makes sense and I feel it's nicer to ask me
first inside the app and usually to explain why they need it at the same time
than to take me straight to the real thing without warning because that puts
me outside of the app. On websites it might have been ok if they asked in a
proper way but presenting something that is pretending to be part of the
browser UI when it isn't -- that is, as parent commenter said, a dark pattern.

------
the8472
Put the tab strip below the URL bar. This used to be the case in the past.

That'll leave plenty of room to have things drop down from the URL bar without
much ambiguity.

------
Herrera
I was playing with picture-in-picture attacks on Chrome some time ago and even
proposed a way for mitigation, but it was dismissed.

Here's the PoC I did:
[https://www.youtube.com/watch?v=0oega6C5SF0](https://www.youtube.com/watch?v=0oega6C5SF0)

And the mitigation I proposed was from this:
[http://i.imgur.com/8m6UdiC.png](http://i.imgur.com/8m6UdiC.png)

To this: [http://i.imgur.com/turRAdc.png](http://i.imgur.com/turRAdc.png)

------
xg15
> _Unfortunately, on windowed operating systems, this is worse than it sounds,
> because it creates the possibility of picture-in-picture attacks, where an
> entire browser window, including its trusted pixels, can be faked [...]
>
> They retorted “Well, we passed this screenshot around our entire information
> security department, and nobody could tell it’s a picture-in-picture attack.
> Can you?”_

Maybe I'm naive, but shouldn't you be able to detect picture-in-picture
attacks rather easily because _you never opened that window in the first
place_?

Additionally, the "chrome" of the picture-in-picture would behave
significantly differently from a real chrome.

I feel both of those points can't be assessed by showing people a screenshot,
because people have significantly different expectations when looking at a
screenshot of a website than when browsing a website by themselves.

~~~
breakingcups
A few websites I know will pop up a separate window for entering credit card
credentials.

------
agumonkey
I can't thank this article enough for raising a stupidly simple yet very
generic problem.

------
makecheck
I thought Microsoft or somebody implemented a prototype for secure pop-ups
where the windows had animated borders containing personal user information as
a marquee? The idea was that this would be extremely difficult to fake (even
if it looked a bit weird).

------
qume
How about we put a distinctive icon in the trusted zones, which the renderer
won't allow under any circumstances in the untrusted area.

Also with a buffer so nothing too similar is allowed, or perhaps a warning
comes up if something is close.

I vote for something like the chrome dinosaur.

~~~
deathanatos
Isn't this essentially the lock icon, today?

What is "trusted"? We get the lock icon if a valid TLS connection is formed;
if you want a more secure connection, you can get EV certificates. We could do
away with the lock icon and only show a broken lock if not on TLS, and only
show something that looks secure on EV certs, (which seems to be where
browsers are headed.)

A simple valid TLS connection getting the lock icon is problematic when people
are using DNS names that are close-but-not-quite to things like paypal.com.
And we _want_ TLS certs to be issued automagically ala Let's Encrypt and such,
so it's easy, unfortunately, to get a cert for paypal-not-quite.com. Such is
the difference in "secure connection" and "a secure connection to a party
_you_ trust."
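deathanatos's distinction between "a secure connection" and "a secure connection to a party _you_ trust" (and yosefk's rnicrosoft.com near the top of the thread) is the part a tool can partly automate: given a short list of names you care about, test whether a hostname renders like one of them without being it. The following is an added example, not code from the post, from any browser or from any CA; the protected list, the homoglyph table and the hostnames in `main` are constructed, and the registrable domain is approximated as the last two labels because there is no public-suffix list here.

```python
"""Flag hostnames that resemble a protected brand without being it. Added example
for this thread, not from the post or any browser or CA; the brand list, the
homoglyph table and the hostnames in main are constructed."""
import unicodedata

PROTECTED = ["paypal.com", "google.com", "microsoft.com"]  # constructed allowlist

# Small table of Cyrillic and Greek letters that render like Latin ones.
HOMOGLYPH = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}
DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
PAIRS = (("rn", "m"), ("vv", "w"))  # two-letter shapes that read as one letter


def skeleton(label):
    """Reduce a label to the ASCII shape a human perceives: lowercase, strip accents,
    fold homoglyphs and digit look-alikes, merge rn -> m and vv -> w."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if unicodedata.category(c) != "Mn")
    s = "".join(HOMOGLYPH.get(c, c) for c in s).translate(DIGITS)
    for pair, one in PAIRS:
        s = s.replace(pair, one)
    return s


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, and one
    adjacent transposition (so googel is 1 away from google, not 2)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def to_unicode(host):
    """Decode IDNA (xn--) labels so the checker sees what the address bar renders."""
    if "xn--" not in host.lower():
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def check(host, protected=PROTECTED, max_distance=1):
    """Return (verdict, brand, reason); verdict is 'exact', 'lookalike' or 'clean'.
    The registrable domain is approximated as the last two labels (simplification:
    no public-suffix list)."""
    labels = to_unicode(host).lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ("clean", None, "not a dotted hostname")
    registrable = ".".join(labels[-2:])
    if registrable in protected:
        return ("exact", registrable, "registrable domain is the brand itself")
    second = skeleton(labels[-2])
    subdomains = [skeleton(l) for l in labels[:-2]]
    for brand in protected:
        name = skeleton(brand.split(".")[0])
        if second == name:
            return ("lookalike", brand, "renders as the brand name of %s" % brand)
        if edit_distance(second, name) <= max_distance:
            return ("lookalike", brand, "within edit distance %d of %s" % (max_distance, brand))
        if name in second:
            return ("lookalike", brand, "brand name embedded in the registrable label")
        if name in subdomains:
            return ("lookalike", brand, "brand name used as a subdomain of %s" % registrable)
    return ("clean", None, "")


if __name__ == "__main__":
    # Constructed hostnames; the last-but-one is the IDNA form of a Cyrillic-a paypal.
    for h in ["www.paypal.com", "rnicrosoft.com", "googel.com", "paypal-not-quite.com",
              "paypal.com.evil.example", "p\u0430ypal.com".encode("idna").decode("ascii"),
              "example.org"]:
        print("%-32s %s" % (h, check(h)))
```

The edit-distance threshold is the tunable: 1 catches single typos and adjacent swaps with few false positives on six-letter brands, while very short brand names need either a stricter bound or a curated exception list. The skeleton step is what makes rnicrosoft and the Cyrillic-a paypal compare equal to the real names, which an exact string match or a plain distance check would miss.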

~~~
qume
Pretty much - except the rendering engine won't let that block of pixels hit
the framebuffer.

------
dtjohnnymonkey
Can someone explain the risk of something like Mac OS Mail asking for your
gmail password? There's no address bar so I've wondered if I can really trust
that I'm not handing my password to a MITM.

~~~
karthikp
Google usually suggests that users create app specific passwords for anything
that requires you to enter your Google credentials inside another app. If we
follow this religiously, then the risk will be quite low.

------
gumernatorial
Why can't browsers do image differencing to detect when the page contains
something pretending to be the browser or OS chrome, and plaster warnings
overtop?

~~~
ambrop7
Surely it would have an unacceptable performance impact. Probably you'd need
to run the matching in the GPU to get anything remotely useful, and you would
literally kill battery life.

------
ensignavenger
It would be helpful if this post included mentions or links to any best
practices to help mitigate this. Does anyone have any they would like to
share?

~~~
dsr_
Here's one: don't use the default window manager theme. This is much easier on
Linux and *BSD than in Windows or MacOS.

I've seen lots of picture-in-picture attacks. They usually simulate Windows
title bars and controls. Hah. I once saw one on a Mac which adapted to the OS
and tried to show a Mac window frame, but it was an outdated version.

That brings me to another point: send an incorrect User-Agent. Same browser on
a different OS, perhaps.

~~~
userbinator
It used to be pretty easy to customise appearance on Windows, but the latest
versions seem to have mostly castrated that functionality.

~~~
slobotron
Would you say that castrating window decorations was a misguided attempt by
Microsoft to make Windows more like eunuchs?

(I'll let myself out)

------
aashishkoirala
With HTML5 push state navigation, can we really trust the address bar? Or is
the domain part protected from that?

~~~
lucideer
The domain part is protected from that, though as shown in grenoire's link
there are other reasons to distrust the address bar.

------
inconclusive
Why is there a line of death to begin with?

The picture-in-picture attacks seem serious enough to warrant a new kind of
browser.

~~~
RugnirViking
How could we eliminate the line of death? There has to be a part of the page
that we hand control to the site, otherwise there wouldn't be any content, and
the line of death is just the boundaries of that.

------
teapejon
Oh my grandma what big teeth you have!

