Ack. Chrome has a dedicated user research team for security UX. 

Javaun Moradi | [email protected] | IRC: javaun | @javaun

> On Aug 17, 2015, at 11:00 AM, Javaun Moradi <[email protected]> wrote:
> 
> The desktop UX team, platform security and media/graphics teams worked 
> together to find a good compromise that balanced security with user 
> experience. It was a long conversation. 
> 
> The Chrome browser has a similar 2-3 second fullscreen warning, even on 
> Google sites like Youtube. They have a dedicated team testing security 
> research. I’m not suggesting we’re fast-following them here (which is not a 
> bad idea), but to the extent we can piggyback on things they've spent 
> months/years learning, we should try.
> 
> 
> 
> 
> Javaun Moradi | [email protected] | IRC: javaun | @javaun
> 
>> On Aug 17, 2015, at 12:22 AM, Matthew Turnbull <[email protected]> wrote:
>> 
>> First off, I have to say that I do like the new UI, regardless of the 
>> impetus for the change.
>> 
>> However, I'm also not entirely sold that this has a strong impact on user 
>> security. I doubt the practicality of such an attack, since you would have 
>> to reasonably match:
>> 
>> * The OS native theme.
>> * The browser's chrome elements and theme.
>> * Basic browser chrome functionality and behavior.
>> * Have the user overlook that the browser just flipped out when visiting a 
>> site or clicking a link.
>> 
>> Fortunately for the user, the first two aspects are incredibly easy to 
>> change. For example, when I tried the proof of concept, my browser theme 
>> went from light grey to dark gray and all of the toolbars - and their 
>> contents - changed. If a malicious site is able to accurately capture the 
>> state of, and reproduce, the desktop and browser chrome, I'd say that is a 
>> much more serious issue than triggering full screen.
>> 
>> For me, the biggest issue with this attack is getting the user to ignore the 
>> browser spontaneously maximizing/full screening, which is rather jarring. I 
>> expect most users will only intentionally enter full screen when playing a 
>> game or watching a video, so having the browser do it on its own would 
>> hopefully be enough of a red flag. But if you can get the user to ignore 
>> that, then they're probably also going to ignore, or be oblivious to the 
>> full screen notification.
>> 
>> I will grant that there is a large number of users that do not make cosmetic 
>> changes to their OS or Firefox, so they would be much more susceptible to an 
>> attack like this. But these users are also not likely to want a knob to turn 
>> off the notification.
>> 
>> So, implementing an option, per site or globally, to turn off this nag 
>> doesn't seem like an entirely unreasonable request. I know I certainly would 
>> turn it off.
>> 
>> On 08/16/2015 11:53 PM, Eric Rescorla wrote:
>>> 
>>> 
>>> On Sun, Aug 16, 2015 at 8:07 PM, Eric Shepherd <[email protected]> wrote:
>>> I have to agree with Gavin here: the risk of this sort of attack occurring 
>>> is very low,
>>> 
>>> Do you have some evidence for this?
>>> 
>>> -Ekr
>>>  
>>> but the potential for annoying or confusing users with this presentation 
>>> is, if not high, at least high enough to make it overkill. At least having 
>>> a way (even if it's an about:config only thing) to drop this 
>>> reminder once you have it through your head, would be helpful.
>>> 
>>> Or what if we add a checkbox "don't show this again" BUT only after, say, 
>>> ten times displayed. That way you can be sure they have seen the warning. 
>>> Then when they opt to stop showing it, have a confirmation dialog remind 
>>> them of the risk. From then on, they don't get the reminder.
>>> 
>>> Eric Shepherd
>>> Sr. Technical Writer
>>> Mozilla
>>> Blog: http://www.bitstampede.com/
>>> Twitter: http://twitter.com/sheppy
>>> 
>>> On Aug 16, 2015, at 9:38 PM, Gavin Sharp <[email protected]> wrote:
>>> 
>>>> I'm not making any statement as asinine as "there's no point worrying 
>>>> about security", and it's frustrating that that's something I would even 
>>>> have to clarify.
>>>> 
>>>> Richard stated he thought the current solution had a "small price" and I 
>>>> disagreed with him.
>>>> 
>>>> This boils down to a classic security/usability tradeoff. Those tradeoffs 
>>>> are ultimately matters of opinion, not fact, and need to be made by 
>>>> estimating what is likely in addition to understanding what is possible.
>>>> 
>>>> None of us are the product owners responsible for making that tradeoff, so 
>>>> having stated my opinion I'll defer to them.
>>>> 
>>>> Gavin
>>>> 
>>>> On Sun, Aug 16, 2015 at 6:16 PM, Chris Hofmann <[email protected]> wrote:
>>>> 
>>>> 
>>>> On Sun, Aug 16, 2015 at 5:52 PM, Eric Rescorla <[email protected]> wrote:
>>>> 
>>>> 
>>>> On Sun, Aug 16, 2015 at 5:49 PM, Gavin Sharp <[email protected]> wrote:
>>>> > But a 2-3 second box for each fullscreen transition seems like a
>>>> > small price.
>>>> 
>>>> Seems like a pretty large price to me, given a combination of factors:
>>>> - significant added friction to a common user action ("start watching
>>>> this video in fullscreen")
>>>> - low likelihood that the type of attack this mitigates ("fullscreen
>>>> spoofing") is successful even without any mitigation, and the
>>>> relatively high cost/benefit ratio for such an attack
>>>> 
>>>> Not sure if I understand the point you are trying to make with this and 
>>>> the next item below.
>>>> 
>>>> Are you saying that there is high cost to building such an attack and low 
>>>> benefit to the attacker?
>>>> 
>>>> Are you suggesting that a small level of defense is worthless, so it's 
>>>> better to just get rid of all the defenses?
>>>> 
>>>> Good reading from a few years ago, with the proof of concept to go along 
>>>> with it.
>>>> http://feross.org/html5-fullscreen-api-attack/
>>>> 
>>>> The "full screen browser mode" to "full screen video" is an interesting 
>>>> scenario.
>>>> 
>>>> What's the likelihood of increased targeted attacks against Firefox if we 
>>>> remove or reduce the defenses?
>>>> 
>>>> -chofmann
>>>> 
>>>>  
>>>> - low likelihood that it usefully mitigates a sophisticated attack of this 
>>>> sort
>>>> 
>>>> Can you please point to some supporting documentation for these claims?
>>>> 
>>>> -Ekr
>>>> 
>>>> - low rate of abuse of pre-existing equivalent functionality (e.g.
>>>> Flash's fullscreen)
>>>> 
>>>>  
>>>>  
>>>> Gavin
>>>> 
>>>> On Sun, Aug 16, 2015 at 12:15 PM, Richard Barnes <[email protected]> wrote:
>>>> > This prompt is an important part of the security story for fullscreen.
>>>> > Since a fullscreen web app can hijack your entire browsing session, it's
>>>> > important that the user know that he's entering fullscreen and not looking
>>>> > at an actual browser window -- and to know that every time something goes
>>>> > fullscreen.  So if we're going to back off of displaying the prompt every
>>>> > time, we need to be clear that we're assuming that the user can make this
>>>> > distinction.
>>>> >
>>>> > That honestly seems like a bad deal to me.  If the prompt stays up (as
>>>> > Brian mentions), that's a bug and we should fix it.  But a 2-3 second box
>>>> > for each fullscreen transition seems like a small price.
>>>> >
>>>> > --Richard
>>>> >
>>>> > On Sat, Aug 15, 2015 at 9:55 AM, Brian Smith <[email protected]> wrote:
>>>> >
>>>> >> IIUC, the reminder is supposed to go away after a few seconds. However, I
>>>> >> have experienced the case, many times, where the reminder stays on screen
>>>> >> for the entire video. IIRC, if I restart the browser and replay the same
>>>> >> video again, then the reminder goes away.
>>>> >>
>>>> >> HTH,
>>>> >> Brian
>>>> >>
>>>> >> On Sat, Aug 15, 2015 at 12:17 AM, Jared Wein <[email protected]> wrote:
>>>> >>
>>>> >> > Including dev-media and dev-security.
>>>> >> >
>>>> >> > On Fri, Aug 14, 2015 at 11:53 PM, Eric Shepherd <[email protected]> wrote:
>>>> >> >
>>>> >> > > Chris wrote:
>>>> >> > >
>>>> >> > > After quite a while of watching HTML 5 video content in fullscreen, I'm
>>>> >> > > getting a bit tired of being reminded with a huge banner at the top that
>>>> >> > > yes, I can still hit ESC to exit fullscreen mode. For those like myself
>>>> >> > > that have gotten tired of seeing this message, could there possibly be an
>>>> >> > > option somewhere (maybe in about:config) that allows the user to turn them
>>>> >> > > off? It's been years now. What do you think?
>>>> >> > >
>>>> >> > > OMG yes please. I know how to get out of full screen mode. Make the
>>>> >> > > reminders stop! :)
>>>> >> > >
>>>> >> > > --
>>>> >> > >
>>>> >> > > Eric Shepherd
>>>> >> > > Senior Technical Writer
>>>> >> > > Mozilla <https://www.mozilla.org/>
>>>> >> > > Blog: http://www.bitstampede.com/
>>>> >> > > Twitter: http://twitter.com/sheppy
>>>> >> > > Check my Availability <https://freebusy.io/[email protected]>
>>>> >> > >
>>>> >> > > _______________________________________________
>>>> >> > > firefox-dev mailing list
>>>> >> > > [email protected]
>>>> >> > > https://mail.mozilla.org/listinfo/firefox-dev
>>>> >> > >
>>>> >> > >
>>>> >> > _______________________________________________
>>>> >> > dev-security mailing list
>>>> >> > [email protected]
>>>> >> > https://lists.mozilla.org/listinfo/dev-security
>>>> >> >
>>>> >>
>>>> >>
>>>> >>
>>>> >> --
>>>> >> https://briansmith.org/
>>>> >>
>>>> > _______________________________________________
>>>> > dev-media mailing list
>>>> > [email protected]
>>>> > https://lists.mozilla.org/listinfo/dev-media
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>> 
>> -- 
>> Bluefang-Logic Networks:
>> 
>> Scaled for your pleasure.
> 

_______________________________________________
dev-media mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-media
