Hearing a lot of concerns about changing UI. I get it. You like how URLs are now. But we're in a sad state for security: hard to enter correctly, people don't check when they should, and easy to make convincing spoofs. We shouldn't accept the status quo just bc change feels hard. https://twitter.com/__apf__/status/1037057121961967616
-
that's a great idea
-
There are some difficult details, like catching it when sites don't use password-type text boxes but implement their own with styling or even from scratch on a canvas.
-
Solving them probably requires heuristics/AI for "looks like a password field" and/or disabling these features on sites you've never visited before without prompt to opt-in, which is probably a good idea anyway...
-
But browser vendors would rather break the web than go back on these tools they invented for the advantage of publishers (and inadvertently, attackers) that behave contrary to the best interests of users...
-
Imagine how much better/safer the web would be if sites you hadn't explicitly whitelisted could not read user input in any way except when you explicitly submitted a form - the way it was intended to work.
-
that covers a lot of tracking/analytics for sure, but not all of it
-
Well (aside from styling with a malicious font, which has different mitigations), it covers all ways to get a user to enter a password and grab it without the browser "seeing" that the site is asking for a password.
-
when you say "malicious font" are you referring to something like a VM bug (UAF or BoF or something) in a font parser? or something else
-
Don't make the user try to figure out if it's the site they think it is or the one you think is legitimate. Tell them they've never been there before, block pw entry behind big red warning.
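The two ideas the thread sketches, a heuristic for "looks like a password field" and blocking entry on a never-visited site, written out as an added example (this is not code from anyone in the thread or from any browser). It works on plain attribute records rather than live DOM elements so it runs outside a browser; the record shape (`type`, `name`, `id`, `placeholder`, `label`, `autocomplete`, `textSecurity`) and the `visitedOrigins` set are assumptions of this example, named after the DOM and CSS properties a browser would read them from.

```javascript
// Heuristic classifier for "looks like a password field", operating on
// attribute records (an assumed shape, not a real browser API).
// Password-ish words, matched as whole tokens after the name is split on
// separators and camelCase so "user_pass" and "loginPassword" match but
// "compass" does not.
const PASSWORD_HINT = /\b(pass(word|wd|code|phrase)?|pwd|pin|secret|otp)\b/i;

function normalizeHintText(rec) {
  return [rec.name, rec.id, rec.placeholder, rec.label]
    .filter(Boolean)
    .join(' ')
    .replace(/([a-z])([A-Z])/g, '$1 $2') // split camelCase
    .replace(/[_\-.]/g, ' ');            // split snake/kebab/dotted names
}

// Returns { likely, reasons }. type=password is definitive; the other
// checks catch sites that rebuild masking on an ordinary text box.
function looksLikePasswordField(rec) {
  const reasons = [];
  if (rec.type === 'password') reasons.push('type=password');
  // A text box masked with CSS (-webkit-text-security) instead of type=password.
  if (rec.textSecurity && rec.textSecurity !== 'none') {
    reasons.push(`masked by text-security:${rec.textSecurity}`);
  }
  // Autofill tokens that only make sense for a credential field.
  if (/^(current|new)-password$/.test(rec.autocomplete || '')) {
    reasons.push(`autocomplete=${rec.autocomplete}`);
  }
  // Names, ids, placeholders and labels that read as a password prompt.
  if (PASSWORD_HINT.test(normalizeHintText(rec))) {
    reasons.push('password-like name/label');
  }
  return { likely: reasons.length > 0, reasons };
}

// First-visit policy from the thread: if the field looks like a password
// field and the origin has never been visited, block entry behind a warning
// rather than asking the user to judge the URL. visitedOrigins stands in for
// the browser's history (constructed by the caller in this example).
function passwordEntryDecision(rec, origin, visitedOrigins) {
  if (!looksLikePasswordField(rec).likely) return 'allow';
  return visitedOrigins.has(origin) ? 'allow' : 'block-with-warning';
}

// Constructed sample fields for a stand-alone run.
const SAMPLE_FIELDS = [
  { type: 'password', name: 'pw' },
  { type: 'text', name: 'user_pass', placeholder: 'Password' },
  { type: 'text', name: 'q', textSecurity: 'disc' },        // CSS-masked text box
  { type: 'text', id: 'loginPassword' },
  { type: 'text', name: 'search', placeholder: 'Search' },
  { type: 'text', name: 'compass' },                         // contains "pass" but is not one
];

function runDemo(origin = 'https://first-visit.example', visited = new Set()) {
  return SAMPLE_FIELDS.map((rec) => ({
    field: rec.name || rec.id,
    ...looksLikePasswordField(rec),
    decision: passwordEntryDecision(rec, origin, visited),
  }));
}

console.table(runDemo());
```

Attribute heuristics stop at the DOM: a field drawn on a canvas has no attributes to inspect, which is why the thread pairs them with the first-visit rule, and why that rule carries the weight on sites the heuristics cannot read.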