First off, I have to say that I do like the new UI, regardless of the
impetus for the change.
However, I'm also not entirely sold that this has a strong impact on
user security. I doubt the practicality of such an attack, since you
would have to reasonably match:
* The OS native theme.
* The browsers chrome elements and theme.
* Basic browser chrome functionality and behavior.
* Have the user overlook that the browser just flipped out when visiting
a site or clicking a link.
Fortunately for the user, the first two aspects are incredibly easy to
change. For example, when I tried the proof of concept, my browser theme
went from light grey to dark gray and all of the toolbars - and their
contents - changed. If a malicious site is able to accurately capture
the state of, and reproduce, the desktop and browser chrome, I'd say
that is a much more serious issue than triggering full screen.
For me, the biggest issue with this attack is getting the user to ignore
the browser spontaneously maximizing/full screening, witch is rather
jarring. I expect most users will only intentionally enter full screen
when playing a game or watching a video, so having the browser do it on
it's own would hopefully be enough of a red flag. But if you can get the
user to ignore that, then they're probably also going to ignore, or be
oblivious to the full screen notification.
I will grant that there is a large number of users that do not make
cosmetic changes to their OS or Firefox, so they would be much more
susceptible to an attack like this. But these user are also not likely
to want a knob to turn off the notification.
So, implementing a option, per site or globally, to turn off this nag
doesn't seem like an entirely unreasonable request. I know I certainly
would turn it off.
On 08/16/2015 11:53 PM, Eric Rescorla wrote:
On Sun, Aug 16, 2015 at 8:07 PM, Eric Shepherd <[email protected]
<mailto:[email protected]>> wrote:
I have to agree with Gavin here: the risk of this sort of attack
occurring is very low,
Do you have some evidence for this?
-Ekr
but the potential for annoying or confusing users with this
presentation is, if not high, at least high enough to make it
overkill. At least having a way (even if it's an about:config only
thing) to drop this reminder once you have it through your head,
would be helpful.
Or what if we add a checkbox "don't show this again" BUT only
after, say, ten times displayed. That way you can be sure they
have seen the warning. Then when they opt to stop showing it, have
a confirmation dialog remind them of the risk. From then on, they
don't get the reminder.
Eric Shepherd
Sr. Technical Writer
Mozilla
Blog: http://www.bitstampede.com/
Twitter: http://twitter.com/sheppy
On Aug 16, 2015, at 9:38 PM, Gavin Sharp <[email protected]
<mailto:[email protected]>> wrote:
I'm not making any statement as asinine as "there's no point
worrying about security", and it's frustrating that that's
something I would even have to clarify.
Richard stated he thought the current solution had a "small
price" and I disagreed with him.
This boils down to a classic security/usability tradeoff. Those
tradeoffs are ultimately matters of opinion, not fact, and need
to be made by estimating what is likely in addition to
understanding what is possible.
None of us are the product owners responsible for making that
tradeoff, so having stated my opinion I'll defer to them.
Gavin
On Sun, Aug 16, 2015 at 6:16 PM, Chris Hofmann
<[email protected] <mailto:[email protected]>> wrote:
On Sun, Aug 16, 2015 at 5:52 PM, Eric Rescorla <[email protected]
<mailto:[email protected]>> wrote:
On Sun, Aug 16, 2015 at 5:49 PM, Gavin Sharp
<[email protected] <mailto:[email protected]>> wrote:
> But a 2-3 second box for each fullscreen transition
seems like a
> small price.
Seems like a pretty large price to me, given a
combination of factors:
- significant added friction to a common user action
("start watching
this video in fullscreen")
- low likelihood that the type of attack this
mitigates ("fullscreen
spoofing") is successful even without any mitigation,
and the
relatively high cost/benefit ratio for such an attack
Not sure if I understand the point you are trying to make
with this and the next item below.
Are you saying that there is high cost to building such an
attack and low benefit to the attacker?
Are you suggesting that a small level of defense is worthless
to its better to just get rid of all the defenses?
Good reading from a few years ago, with the proof of concept
to go along with it.
http://feross.org/html5-fullscreen-api-attack/
The "full screen browser mode" to "full screen video" is an
interesting scenario.
What's the likelihood of increased targeted attacks against
firefox it we remove or reduce the defenses?
-chofmann
- low likelihood that it usefully mitigates a
sophisticated attack of this sort
Can you please point to some supporting documentation for
these claims?
-Ekr
- low rate of abuse of pre-existing equivalent
functionality (e.g.
Flash's fullscreen)
Gavin
On Sun, Aug 16, 2015 at 12:15 PM, Richard Barnes
<[email protected] <mailto:[email protected]>> wrote:
> This prompt is an important part of the security
story for fullscreen.
> Since a fullscreen web app can hijack your entire
browsing session, it's
> important that the user know that he's entering
fullscreen and not looking
> at an actual browser window -- and to know that
every time something goes
> fullscreen. So if we're going to back off of
displaying the prompt every
> time, we need to be clear that we're assuming that
the user can make this
> distinction.
>
> That honestly seems like a bad deal to me. If the
prompt stays up (as
> Brian mentions), that's a bug and we should fix
it. But a 2-3 second box
> for each fullscreen transition seems like a small
price.
>
> --Richard
>
> On Sat, Aug 15, 2015 at 9:55 AM, Brian Smith
<[email protected] <mailto:[email protected]>>
wrote:
>
>> IIUC, the reminder is supposed to go away after a
few seconds. However, I
>> have experienced the case, many times, where the
reminder stays on screen
>> for the entire video. IIRC, if I restart the
browser and replay the same
>> video again, then the reminder goes away.
>>
>> HTH,
>> Brian
>>
>> On Sat, Aug 15, 2015 at 12:17 AM, Jared Wein
<[email protected] <mailto:[email protected]>> wrote:
>>
>> > Including dev-media and dev-security.
>> >
>> > On Fri, Aug 14, 2015 at 11:53 PM, Eric Shepherd
<[email protected] <mailto:[email protected]>>
>> > wrote:
>> >
>> > > Chris wrote:
>> > >
>> > > After quite a while of watching HTML 5 video
content in fullscreen, I'm
>> > > getting a bit tired of being reminded with a
huge banner at the top
>> that
>> > > yes, I can still hit ESC to exit fullscreen
mode. For those like myself
>> > > that have gotten tired of seeing this message,
could there possibly be
>> an
>> > > option somewhere (maybe in about:config) that
allows the user to turn
>> > them
>> > > off? It's been years now. What do you think?
>> > >
>> > > OMG yes please. I know how to get out of full
screen mode. Make the
>> > > reminders stop! :)
>> > >
>> > > --
>> > >
>> > > Eric Shepherd
>> > > Senior Technical Writer
>> > > Mozilla <https://www.mozilla.org/>
>> > > Blog: http://www.bitstampede.com/
>> > > Twitter: http://twitter.com/sheppy
>> > > Check my Availability
<https://freebusy.io/[email protected]>
>> > >
>> > > _______________________________________________
>> > > firefox-dev mailing list
>> > > [email protected]
<mailto:[email protected]>
>> > > https://mail.mozilla.org/listinfo/firefox-dev
>> > >
>> > >
>> > _______________________________________________
>> > dev-security mailing list
>> > [email protected]
<mailto:[email protected]>
>> > https://lists.mozilla.org/listinfo/dev-security
>> >
>>
>>
>>
>> --
>> https://briansmith.org/
>> _______________________________________________
>> dev-security mailing list
>> [email protected]
<mailto:[email protected]>
>> https://lists.mozilla.org/listinfo/dev-security
>>
> _______________________________________________
> dev-media mailing list
> [email protected]
<mailto:[email protected]>
> https://lists.mozilla.org/listinfo/dev-media
_______________________________________________
firefox-dev mailing list
[email protected] <mailto:[email protected]>
https://mail.mozilla.org/listinfo/firefox-dev
_______________________________________________
firefox-dev mailing list
[email protected] <mailto:[email protected]>
https://mail.mozilla.org/listinfo/firefox-dev
_______________________________________________
firefox-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/firefox-dev
--
Bluefang-Logic Networks:
Scaled for your pleasure.
_______________________________________________
dev-media mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-media
