However, most users (even experienced users) don't look at the url when visiting information-sensitive websites and www.bankofamerica.fsh4.com would still not alarm them. They don't understand the SSL icon either.
I guess the "padlock means secure" has been superseded a little by "address bar is green somewhere" by now, but the problem remains the same.
The user can hover their mouse over the link and their status bar will show https://www.bankofamerica.com, as
(It's only when you click the link that it mucks around with the DOM to insert the google.com/... redirect link.)
* Open a search in Chrome, and open up the Inspector (making sure not to right-click any links you want to inspect),
* Find an <a href="..."> tag for a search result.
* Right-click the tag in the Inspector, go Break On... => Attributes Modifications.
* Right-click the link like you usually would to copy it, and see what happens.
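The steps above find the swap by hand in the Inspector. As an added example (not code from the thread or from the demo being discussed), the JavaScript below does the same thing programmatically: it remembers the href a link had when the user hovered it, watches for href rewrites with a MutationObserver, and classifies each rewrite by whether the final destination is still the host the user saw. The redirector parameter names (`q`, `url`, `u`) and the classification rules are assumptions for illustration, not a description of any particular search engine's markup.

```javascript
// Added example: programmatic version of "Break On... Attribute Modifications".
// The pure functions run anywhere; installHrefWatch() only acts in a browser.

// Unwrap a "redirector" link: if the URL carries an absolute URL in a query
// parameter, treat that as the real destination. The parameter names are an
// assumption for illustration, not a description of any real site's markup.
function finalDestination(href) {
  const u = new URL(href);
  for (const key of ['q', 'url', 'u']) {
    const v = u.searchParams.get(key);
    if (v && /^https?:\/\//i.test(v)) {
      try { return new URL(v); } catch (_) { /* not a URL after all, fall through */ }
    }
  }
  return u;
}

// Compare what the user saw on hover with what the href became on click.
function classifyHrefChange(shownHref, clickedHref) {
  const shown = finalDestination(shownHref);
  const clickedRaw = new URL(clickedHref);
  const clicked = finalDestination(clickedHref);
  return {
    rewritten: shownHref !== clickedHref,
    viaRedirector: clickedRaw.host !== clicked.host, // bounces through another host first
    sameFinalHost: shown.host === clicked.host,      // false: the user ends up somewhere else
    finalHost: clicked.host,
  };
}

// Browser-only: remember each link's href at hover time and report rewrites.
// Returns null outside a browser so the pure functions can be exercised alone.
function installHrefWatch(report) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const hovered = new WeakMap();
  document.addEventListener('mouseover', (e) => {
    const a = e.target && e.target.closest ? e.target.closest('a[href]') : null;
    if (a && !hovered.has(a)) hovered.set(a, a.href); // keep the first value the user saw
  }, true);
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      if (m.attributeName !== 'href' || !(m.target instanceof HTMLAnchorElement)) continue;
      const before = hovered.get(m.target) || m.oldValue;
      if (!before) continue;
      report(classifyHrefChange(new URL(before, location.href).href, m.target.href), m.target);
    }
  });
  observer.observe(document.documentElement, {
    subtree: true, attributes: true, attributeFilter: ['href'], attributeOldValue: true,
  });
  return observer;
}
```

In a browser, `installHrefWatch((verdict, a) => console.log(verdict, a))` will log every href rewrite; a rewrite with `viaRedirector: true` and `sameFinalHost: true` is the benign tracking case described above, while `sameFinalHost: false` is the one to worry about.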
This is not a rhetorical question; do you think people would ignore the warning and continue to use the site?
An easier phishing technique would be to manipulate the address to appear legitimate using pushState.
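What pushState can and cannot do to the address bar, as an added example (not from the thread): browsers only accept a pushState URL with the same origin as the page, otherwise they throw a SecurityError, so a page on `www.bankofamerica.fsh4.com` can make the bar read `www.bankofamerica.fsh4.com/www.bankofamerica.com/login` but never `www.bankofamerica.com`. The code models that rule and adds the check a cautious reader should make, comparing the registrable domain rather than scanning the bar for a familiar word. The two-label "registrable domain" is a simplification that ignores the public suffix list, and the hostnames are the ones used in this thread.

```javascript
// Added example: the same-origin rule behind history.pushState(), and the
// host comparison a user (or a tool) should make instead of eyeballing the bar.

function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Resolve `target` the way pushState would and say whether the browser accepts it.
// `shown` is what the address bar displays afterwards.
function pushStateOutcome(currentHref, target) {
  const resolved = new URL(target, currentHref);
  if (!sameOrigin(currentHref, resolved.href)) {
    return { allowed: false, error: 'SecurityError', shown: new URL(currentHref).href };
  }
  return { allowed: true, error: null, shown: resolved.href };
}

// Last two DNS labels. Simplification: no public suffix list, so co.uk-style
// domains are mishandled; good enough to illustrate the check.
function registrableDomain(href) {
  return new URL(href).hostname.split('.').slice(-2).join('.');
}

// True when the host contains the brand name the user is looking for but the
// domain that actually owns the page is a different one.
function looksLikeSpoofOf(href, expectedDomain) {
  const host = new URL(href).hostname;
  const brand = expectedDomain.split('.')[0];
  return host.includes(brand) && registrableDomain(href) !== expectedDomain;
}

// Browser-only: attempt the spoof and surface the SecurityError. Returns null elsewhere.
function tryPushState(target) {
  if (typeof history === 'undefined' || typeof location === 'undefined') return null;
  try {
    history.pushState(null, '', target);
    return { allowed: true, shown: location.href };
  } catch (e) {
    return { allowed: false, error: e.name, shown: location.href };
  }
}
```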
I actually made this demo back in April but just got around to posting about it now. In the meantime, Firefox and Chrome have made their warning messages more prominent. Still, I think it's a pretty major issue.
Experienced web users won't be fooled by something like this. But, even if 1% of users are fooled by this technique, that's still potentially thousands of innocent web users, which I think is unacceptable.
This attack triggers no 'warning' that would cause the user unease. The most obnoxious case is Firefox presenting "Allow or Deny Fullscreen?" a question that doesn't imply any danger or downside. A number of victims might even see it as a new kind of convenience, since their phone and tablet already do everything in fullscreen.
"Get me out of here!" is the only visible button and the obvious action. To override the SSL check, you have to click "I Understand the Risks" to expand the page, revealing both an "Add Exception..." button and a further warning (in bold). "Add Exception..." brings up a dialog which again warns you in bold: "Legitimate banks, stores, and other public sites will not ask you to do this." And finally "Confirm Security Exception".
Firefox steers you toward the safe choice and makes you very, very aware of the gravity of the situation before doing something dangerous. That's good UI.
Chrome on the other hand has a "Proceed anyway" button right there that within less than a second you've clicked on and now the warning is gone. Developers who would blame dumb users for this are mistaken. People are busy, they're distracted, and Chrome makes it way too easy to do the wrong thing while Firefox gets this right.
I was mostly disagreeing with the general "blame the users" mentality apparent upthread and among developers in general, not with you specifically. I've edited my post to make that clearer.
Absolutely. My eyes were opened to that when I was troubleshooting my father's webcam over the phone. It kept not working when everything looked like it should. He just failed to let me know about the alert that kept popping up that said "camera is locked by <foo>". Instead, without reading, he just hit the "X", even though I was asking for every step he was performing. Closing a rogue alert isn't even a "step" to most people.
If you are relying on dialogs to keep your users safe, you are doing it wrong. Unfortunately, I don't know what the right answer here is.
Full-screen mode can be useful, but it and other HTML5 features can be used for phishing or to generally annoy users. I'm wondering how soon it will be before someone makes the HTML5-equivalent of ClickToFlash.
NoScript does not seem to have any features targeted directly at HTML5 fullscreen, though.
* Take out everything Google-related, including safebrowsing
* Rip out Flash and Java
* Integrate NoScript
* Integrate an alternate html5/canvas based video player
* Integrate third-party request blocking
* No cookies by default
* Strip out all the tracking id's in URLs (e.g. Google search results pages, back to just plain old ?s=search+query)
* Automatically clear cookies such as the __ut* cookies from analytics
* Incognito by default
* Introduce a concept of 'installing' trusted sites that would be allowed to run scripts, etc. not too dissimilar to how desktop computing works
I have had this idea for over a year now, but haven't gone far in implementing it other than doing a test build of chromium with incognito by default and some default extensions.
It came about because my dad and other family members have each had spyware or rootkits installed on their machines. 99.99% of drive-by exploits can be stopped by simply not running IE and switching off Flash and Java.
It would be a browser where you don't have to explain everything, just marketed/renowned as being a browser focused on privacy and security features for everyday users.
When I get a chance, I am contemplating putting a team together and forking this as an open source project. If such a project is of interest to anybody else, get in touch (via email in profile).
Maybe we don't live in the same world.
The idea is that you have a button next to the URL to install it, from where it just runs as normal (albeit still without third-party cookies, as with fb buttons).
You're right that Chrome extensions can't do that, though.
IMO this is why the constant pushing of the browser as a platform is more trouble than it's worth. Everything that your OS does now will be re-invented (badly, several times) in one or more of the different web-browsers, lost, found, queried in triplicate, standardised before finally being recycled as firelighter when the next "paradigm shift" takes over.
"Also, any alphanumeric keyboard input while in full-screen mode causes a warning message to appear; this is done to help guard against phishing attacks. The following keys are the only ones that don't cause this warning message to appear (...)"
The article and demo are nice though. Good work.
Safari, on the other hand, appears to prevent keyboard input, which I just recently found out.
Yeah, you can tell the difference. I could tell the difference. Yes it was very obvious even though the demo was very accurate in reproducing my browser's chrome. But the rest of the world is nothing like us. Feross says 10% will be tricked. I think that's a very conservative estimate. I wouldn't be surprised if the numbers went above 50%. If this sort of attack becomes common then I bet you anything that the majority of users will be tricked just because full screen is not very common. You'll say full screen is common but again, you're thinking of people just like you who are in the minority. Most people have never seen a website in full screen mode. Even with Facebook's full screen option it doesn't mean your parents are clicking that option or have even noticed it yet.
I'm actually building an app currently that greatly benefits from the full screen API and I really hope vendors don't start putting more restrictions on it. Instead I'm hoping there's a way to make full screen more common in legitimate ways, get users used to full screen mode so they are aware of it and know what the little "Now in full screen mode" dialog means. Sure, people will still get tricked but I'd bet it would be in far less numbers and that 10% figure Feross throws out there might become more realistic.
When you went to fullscreen in flash, it printed a giant "you are now in fullscreen mode" in the middle of the screen, but somebody showed that simply by printing similar text all over your screen, it hid that warning very well.
Otherwise, it's pretty frightening, because I can imagine that in spite of the browser warnings, there are many non-savvy users who probably wouldn't give it a second thought.
As a KDE user, the blatant Gnome UI was kind of glaring but otherwise well done. ;)
I certainly wouldn't be tricked by this, but someone less technically savvy could be.
Chrome 23 just makes it full screen with a small notice.
The least savvy are UI-blind, a big portion won't realize a transition just occurred, and a great majority of them will not read the warning beyond the first line.
Of course, now with pages requesting to go fullscreen there isn't a browser UI anymore that could show things that cannot normally appear in the page content. Hitting F11 previously at least was something no web page could ever do by itself. On the other hand, having to wade through warnings like Firefox' SSL warnings probably scares away users from fullscreen games and developers from using the feature.
I wouldn't really have an answer to anything of that. I don't even know whether I embedded a question, I think it was just rambling :-)
This API means that if a malicious JS can be executed, it's game over for a number of defenses that only communicate visually.
Perhaps the solution could be to handle this at the network level. In other words create what is effectively a "personal information firewall" built into the browser.
Have the browser detect when certain information is about to be sent over the network; it would need to be checked prior to being passed to SSL. Things that fit formats like CC numbers or authorisation codes for banks. A prompt could then appear on top of all active windows saying "A CC number is about to be sent to xxx" Allow/Deny.
I suppose this would be difficult because phishers could re-encode data using JS into some other format before it is sent. So you would need some way of mapping keyboard inputs to networking events.
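The "personal information firewall" idea above, as an added example in page-side JavaScript (not code from the thread): scan an outbound body for card-number-shaped data, i.e. 13 to 19 digit runs that pass the Luhn check, and refuse or prompt unless the destination host is one the user has approved. The allow-list, the sample body and the prompt text are constructed for this example. The caveat in the comment stands: a page that re-encodes the digits before sending gets past this, so it only catches data that is still in the clear at the fetch boundary.

```javascript
// Added example: client-side outbound guard for card-number-shaped data.

// Luhn checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Find runs of 13-19 digits (spaces or dashes allowed between them) that pass Luhn.
function findCardNumbers(text) {
  const hits = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Decide whether a request may leave. `allowedHosts` is the user's approved list
// (assumed to be maintained elsewhere, e.g. a per-site "allow" click).
function guardOutbound(url, body, allowedHosts) {
  const host = new URL(url).host;
  const cardNumbers = findCardNumbers(typeof body === 'string' ? body : '');
  const trusted = allowedHosts.includes(host);
  return { host, cardNumbers, blocked: cardNumbers.length > 0 && !trusted };
}

// Browser-only: wrap fetch so the check runs before the request is sent.
// `prompt` is the Allow/Deny dialog; returns false outside a browser.
function installFetchGuard(allowedHosts, prompt) {
  if (typeof globalThis.fetch !== 'function' || typeof document === 'undefined') return false;
  const realFetch = globalThis.fetch;
  globalThis.fetch = function (input, init) {
    const url = typeof input === 'string' ? input : input.url;
    const body = init && typeof init.body === 'string' ? init.body : '';
    const verdict = guardOutbound(new URL(url, location.href).href, body, allowedHosts);
    if (verdict.blocked && !prompt(`A card number is about to be sent to ${verdict.host}. Allow?`)) {
      return Promise.reject(new Error('blocked by outbound guard'));
    }
    return realFetch.call(this, input, init);
  };
  return true;
}
```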
The solution was to recommend that vendors print warning labels across the top or add a layer of permissions around the feature - which Chrome and Safari have done.
For example, when I open it I get a message saying 'Chrome is currently in fullscreen mode'. They will likely both also add permission boxes similar to when the browser requests your location.
It is good for developers to understand this, though, but I wouldn't say that the spec is broken, or that this is a bad feature, it can be implemented securely and with warnings. Anti-phishing education for users should involve primarily talking about not trusting links anywhere and typing in the address directly.
Edit: Here it is from the Spec:
> 7. Security and Privacy Considerations
> User agents should ensure, e.g. by means of an overlay, that the end user is aware something is displayed fullscreen. User agents should provide a means of exiting fullscreen that always works and advertise this to the user. This is to prevent a site from spoofing the end user by recreating the user agent or even operating system environment when fullscreen. See also the definition of requestFullscreen().
> To prevent embedded content from going fullscreen only embedded content specifically allowed via the allowfullscreen attribute of the HTML iframe element will be able to go fullscreen. This prevents untrusted content from going fullscreen.
I am most familiar with Safari and Chrome (have been meaning to get up-to-date with Firefox, which has had a lot of good work put into it) but all of the major browser vendors have done something around this in their own way with both desktop and mobile releases.
It is at the discretion of each vendor how they implement security warnings or settings around full screen mode. They all have slightly different implementations but the end result is that they go some way towards preventing a phishing attack using Fullscreen.
That said, it was a good idea to bring this issue to the attention of developers and users as a potential attack vector and as a demonstration of why the security dialogs are important.
Edit II: The whatwg thread where the security considerations are discussed begins here:
The first post rightly points out that Flash had the feature implemented in a non-secure manner for a long time.
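The iframe rule in the quoted spec section, as an added example in JavaScript (not from the thread or the spec itself): a document may go fullscreen only if it is the top-level page or every `<iframe>` between it and the top carries `allowfullscreen`. The `frameChain` data shape is mine, and the browser-only part shows what a page that wants the feature legitimately can do: request it only from a click on its own control, announce the transition in its own content on top of the browser's overlay, and strip `allowfullscreen` from third-party frames.

```javascript
// Added example: the allowfullscreen ancestry check and a page-side policy.

// `frameChain` lists documents from the top-level page (index 0) down to the one
// calling requestFullscreen(); each nested entry carries the allowfullscreen flag of
// the <iframe> that embeds it. Enabled only if every embedding iframe allows it.
function fullscreenEnabled(frameChain) {
  return frameChain.every((frame, i) => i === 0 || frame.allowfullscreen === true);
}

// Browser-only. `button` is the page's own "go fullscreen" control, `banner` an
// element the page uses to make the transition visible. Returns false elsewhere.
function installFullscreenPolicy(button, banner) {
  if (typeof document === 'undefined') return false;

  // Enter fullscreen only from a user gesture on our own control.
  button.addEventListener('click', () => {
    const root = document.documentElement;
    if (typeof root.requestFullscreen !== 'function') return;
    const p = root.requestFullscreen();
    if (p && typeof p.catch === 'function') p.catch((e) => console.warn(e.name));
  });

  // Make the transition loud inside the page, on top of the UA's own overlay,
  // and remind the user of the exit that always works.
  document.addEventListener('fullscreenchange', () => {
    const on = document.fullscreenElement !== null;
    banner.hidden = !on;
    banner.textContent = on ? 'Now in full screen. Press Esc to exit.' : '';
  });

  // Embedded third-party content must not be able to take the screen: without
  // allowfullscreen on the iframe, its requestFullscreen() is refused.
  for (const f of document.querySelectorAll('iframe')) f.removeAttribute('allowfullscreen');
  return true;
}
```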
Firefox does it too, and in a much more obvious way than either Chrome or Safari. Here are all the latest browsers on Mac compared: http://imgur.com/a/jdcI7 (Sorry Opera; I haven't re-installed you yet.)
I actually didn't get any permissions dialog or warning label in Safari 6; maybe I ok'd it for another site at some point in the past, but I definitely didn't whitelist this domain.
Your browser does not support the Fullscreen API.
The fact that this is a real technology being deployed right now doesn't hurt.
Flash disabled all "printing" keys in full-screen mode, and displayed a warning label when entering the mode. FS could only be entered from user action. So Flash's full-screen mode was limited but fairly secure.
Basically, if I wasn't paying attention, I feel like this was good enough to fool me. What can be done to save the casual, but maybe unfortunately inept internet user?
"What can be done to save the casual, but maybe unfortunately inept internet user?"
That's a really good question and unfortunately I don't think anyone has a good answer.
The solution is to have an area where only the operating system can draw (and which cannot be screen-captured, the same way Apple currently does with DRM movies). In this area, the system would present to the user a phrase which the user selected when setting up their account. This would prevent phishing, as users would be trained to look for the phrase (and / or icon ... the reason you can't have an icon alone is because the phisher could get it right 1 out of N times).
Now, on the web there is a similar thing you can do! When someone places KEYBOARD FOCUS in your password box, and starts typing the correct password, you display the icon + phrase that you previously selected when setting up your account. If the phrase doesn't pop up or is different, you know you're being phished.
THIS is a great way to stop phishing on the web. Anyone impersonating you will not know what phrase to display. Only by starting to type the correct pass phrase will they get this information. On the other hand, they won't be able to place anything fake over the password input box and capture your input, because the phrase only appears when you type IN the password input box, which the attacker can't get to, thanks to the cross-domain security in browsers!
Details - https://protect.login.yahoo.com/login/set_pref?faq=1#faq2, it's called "yahoo sign-in seal".
But if you have a session cookie, then you hardly need a password. Unless we are talking about a public computer where you need to enter your password.
I am talking about the times when you DON'T have a session cookie, and you are prompted to sign in with a password. That's the thing that could be spoofed.
(Certainly, most any adequate web developer with nefarious intentions would be able to reproduce this quite easily. But why make it point-and-click easy for them?)
In 2004 pretty much the same vulnerability was exploited in IE, and later on this feature was removed from IE: http://www.kb.cert.org/vuls/id/490708
Imagine you opened a fresh new HTML5-based game. It requested fullscreen, you allowed it. You finished the game and clicked on the "Exit fullscreen" button. Then, instead of canceling fullscreen mode, you got just a perfect illusion of it. The site author created an almost complete replacement of your browser or even your OS UI. So when you created a new tab and entered the news.ycombinator.com address, it was loaded via a proxy.
Maybe it's already happened in this demo. Wake up, Neo, and press Esc to exit from the Matrix, ...sorry, from Fullscreen Mode.
Actually, it isn't, at least for some users. More than one member of my family has fallen for the "your computer has a virus" scams, which use Windows chrome, on Ubuntu machines.
It doesn't go full screen at all, it just stays in the window normally.
Iceweasel can't establish a connection to the server at www.feross.org.
Are you, by chance, using HTTPS Everywhere? I think they have an erroneous rule about my site which redirects you to https:// which I no longer provide.