Hearing a lot of concerns about changing UI. I get it. You like how URLs are now. But we're in a sad state for security: hard to enter correctly, people don't check when they should, and easy to make convincing spoofs. We shouldn't accept the status quo just because change feels hard. https://twitter.com/__apf__/status/1037057121961967616
Solving them probably requires heuristics/AI for "looks like a password field" and/or disabling these features on sites you've never visited before without a prompt to opt in, which is probably a good idea anyway...
-
But browser vendors would rather break the web than go back on these tools they invented for the advantage of publishers (and, inadvertently, attackers) that behave contrary to the best interests of users...
-
Imagine how much better/safer the web would be if sites you hadn't explicitly whitelisted could not read user input in any way except when you explicitly submitted a form - the way it was intended to work.
-
That covers a lot of tracking/analytics for sure, but not all of it.
-
Well (aside from styling with a malicious font, which has different mitigations), it covers all ways to get a user to enter a password and grab it without the browser "seeing" that the site is asking for a password.
-
When you say "malicious font", are you referring to something like a VM bug (UAF or BoF or something) in a font parser? Or something else?
-
No, a font where all characters look like ••••••• for a hunter2 effect, to trick the user into entering a password into a form field the browser doesn't realize is a password field. Also used to break password managers.
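Added example, not from the thread above or from any browser vendor: a first cut at the "looks like a password field" heuristic the thread calls for. It scores a free-text input on whether the page has disguised it so the browser never sees a real type="password" field, either through a web font whose glyphs all render as bullets or through -webkit-text-security masking, combined with a name, id, placeholder or label that hints at a secret. It works on plain descriptor objects so it runs under Node with no DOM; in a browser the descriptor would be filled from el.type, el.name, el.id, el.placeholder and getComputedStyle(el).fontFamily / getComputedStyle(el).webkitTextSecurity. The font allowlist, the hint regex and the sample inputs are assumptions for illustration, not a vetted list.

```javascript
// Heuristic "looks like a password field" check (added example, not from the
// thread). Flags text inputs a page has disguised so the browser does not treat
// them as password fields: glyph masking via -webkit-text-security, or a font
// stack with no readable fallback (where a bullet-glyph web font would live),
// combined with metadata saying the field holds a secret.

// Assumed allowlist of fonts that render readable glyphs; real deployments
// would need a much larger list (or a check on the actual font file).
const COMMON_FONTS = new Set([
  'arial', 'helvetica', 'times new roman', 'georgia', 'verdana',
  'courier new', 'system-ui', 'sans-serif', 'serif', 'monospace', 'inherit',
]);
// Assumed hint words; tune to the languages and naming styles you see.
const SECRET_HINT = /\b(pass(word|wd|code|phrase)?|pwd|secret|pin|otp|token)\b/i;

// Split a CSS font-family value into lower-cased, unquoted family names.
function parseFontFamilies(fontFamily) {
  return (fontFamily || '')
    .split(',')
    .map((f) => f.trim().replace(/^["']|["']$/g, '').toLowerCase())
    .filter(Boolean);
}

// desc: { id, type, name, placeholder, label, fontFamily, textSecurity }
function looksLikePasswordField(desc) {
  const reasons = [];
  // A real password field is already visible to the browser and password manager.
  if (desc.type === 'password') return { suspicious: false, reasons };
  // Only free-text inputs (type="text" or no type attribute) can be disguised this way.
  if (desc.type !== undefined && desc.type !== 'text') return { suspicious: false, reasons };

  // Signal 1: glyph masking via -webkit-text-security on a non-password input.
  const textSecurity = (desc.textSecurity || 'none').toLowerCase();
  if (textSecurity !== 'none') reasons.push(`text-security:${textSecurity} masks glyphs`);

  // Signal 2: every font in the stack is unknown, so a bullet-glyph web font
  // would never fall back to a readable face. A brand font with a generic
  // fallback (e.g. "BrandSans, sans-serif") is normal and is not flagged.
  const families = parseFontFamilies(desc.fontFamily);
  const allUnknown = families.length > 0 && families.every((f) => !COMMON_FONTS.has(f));
  if (allUnknown) reasons.push(`font stack has no known fallback: ${families.join(', ')}`);

  // Signal 3: the field's own metadata says it holds a secret.
  // Underscores and dashes become spaces so "user_pass" still matches \bpass\b.
  const meta = [desc.name, desc.id, desc.placeholder, desc.label].join(' ').replace(/[_-]+/g, ' ');
  const hinted = SECRET_HINT.test(meta);
  if (hinted) reasons.push('name/id/placeholder/label hints at a secret');

  // Masking on a text input is suspicious by itself; an unusual font alone
  // only counts when the field also claims to hold a secret.
  const suspicious = textSecurity !== 'none' || (allUnknown && hinted);
  return { suspicious, reasons };
}

// Return the ids of the suspicious inputs in a page-like list of descriptors.
function scanInputs(inputs) {
  return inputs.filter((d) => looksLikePasswordField(d).suspicious).map((d) => d.id);
}

// Constructed sample inputs, not taken from any real site.
const SAMPLE_INPUTS = [
  { id: 'real-pw', type: 'password', name: 'password', fontFamily: 'Arial, sans-serif' },
  { id: 'brand-user', type: 'text', name: 'username', fontFamily: '"BrandSans", sans-serif' },
  { id: 'spoof-pw', type: 'text', name: 'user_pass', fontFamily: '"dotglyphs"', placeholder: 'Password' },
  { id: 'masked-code', type: 'text', name: 'code', fontFamily: 'Arial', textSecurity: 'disc' },
  { id: 'odd-font-name', type: 'text', name: 'fullname', fontFamily: '"BrandSans"' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const d of SAMPLE_INPUTS) console.log(d.id, looksLikePasswordField(d));
  console.log('suspicious:', scanInputs(SAMPLE_INPUTS));
}
```

Run with `node` to see each sample scored; only `spoof-pw` (unknown-only font stack plus a password hint) and `masked-code` (text-security on a text input) are flagged, while the brand-font username with a generic fallback and the unusual font on a name field are not. A shipping version would also need to handle fonts loaded after layout, shadow DOM and contenteditable elements, which this descriptor-based cut ignores.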