Gervase Markham wrote:
> Ram A M wrote:
> > I think if you're trying to address reused passwords harvested via
> > website compromise this is indeed effective.
> >
> > I was thinking it could also be leveraged to work against domain
> > spoofing attacks as well and without a resilient UI it is not very
> > effective at this as an attacker (phisher) could build a website with a
> > look-alike site and address bar and have the user enter their password
> > into the form (or script) while bypassing the PwdHash technology.
>
> But that's true of a site spoofing any browser UI, including the master
> password dialog. So, we have to design our UI to make it clear what is
> content and what is chrome.
I think using the technique I described earlier in the thread you can avoid this issue (once you are past the bootstrap), though at the cost of losing username/password portability across browser instances.

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
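An added illustration of the two cases the quoted exchange contrasts (this is not code from the thread or from PwdHash itself): a domain-keyed derivation defeats replay of a password harvested from a compromised or look-alike site, but a spoofed form that bypasses the hashing step hands the attacker the master password. HMAC-SHA256 stands in for PwdHash's actual construction and the domain names are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed illustration of the property the thread argues about; it is not
# the PwdHash code itself. HMAC-SHA256 stands in for PwdHash's construction and
# the domain names below are made-up sample values.
MASTER = "correct horse battery staple"
REAL_SITE = "bank.example"
OTHER_SITE = "forum.example"          # a second legitimate site, later compromised
LOOKALIKE = "bank-example.test"       # phisher's look-alike domain


def derive_site_password(master: str, domain: str) -> str:
    """PwdHash-style: one master password yields a distinct password per domain."""
    digest = hmac.new(master.encode(), domain.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest[:12]).decode()   # 16 chars, fits typical limits


def submitted_value(master: str, loaded_domain: str, pwdhash_engaged: bool) -> str:
    """What leaves the browser: the derived password when PwdHash is applied to the
    domain actually loaded, or the raw master when a spoofed form bypasses it."""
    return derive_site_password(master, loaded_domain) if pwdhash_engaged else master


def attacker_can_log_in(received: str, real_site: str, stored: str) -> bool:
    """Can someone holding `received` authenticate to `real_site`, whose stored
    credential is `stored`? Tries a straight replay and, in case the value is a
    master password, a re-derivation for the real domain."""
    return received == stored or derive_site_password(received, real_site) == stored


def scenario(loaded_domain: str, pwdhash_engaged: bool) -> bool:
    """True when what the attacker obtains grants access to REAL_SITE."""
    stored = derive_site_password(MASTER, REAL_SITE)   # what REAL_SITE holds
    got = submitted_value(MASTER, loaded_domain, pwdhash_engaged)
    return attacker_can_log_in(got, REAL_SITE, stored)


if __name__ == "__main__":
    # Password harvested from a compromised legitimate site: replay fails.
    print("compromised other site :", scenario(OTHER_SITE, True))
    # Look-alike domain, PwdHash still engaged: hash is bound to the wrong domain.
    print("look-alike, PwdHash on :", scenario(LOOKALIKE, True))
    # Look-alike with spoofed chrome bypassing PwdHash: master leaks, access granted.
    print("look-alike, bypassed   :", scenario(LOOKALIKE, False))
```

The third case is the one Ram describes: no amount of hashing helps once the user has typed the master password into content the browser never treated as the PwdHash-protected field, which is why the reply turns to making chrome distinguishable from content.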