Hearing a lot of concerns about changing UI. I get it. You like how URLs are now. But we're in a sad state for security: hard to enter correctly, people don't check when they should, and easy to make convincing spoofs. We shouldn't accept the status quo just bc change feels hard.https://twitter.com/__apf__/status/1037057121961967616 …
Replying to @__apf__
You can't stop spoofs without imposing authoritative judgement of legitimacy. Instead why not focus on preventing users from entering credentials at a site they've never visited before?
There are some difficult details, like catching it when sites don't use password-type text boxes but implement their own with styling or even from scratch on a canvas.
Solving them probably requires heuristics/AI for "looks like a password field" and/or disabling these features on sites you've never visited before without prompt to opt-in, which is probably a good idea anyway...
But browser vendors would rather break the web than go back on these tools they invented for the advantage of publishers (and inadvertently, attackers) that behave contrary to best interests of users...
Imagine how much better/safer the web would be if sites you hadn't explicitly whitelisted could not read user input in any way except when you explicitly submitted a form - the way it was intended to work.
Replying to @RichFelker @__apf__
That covers a lot of tracking/analytics for sure, but not all of it
Well (aside from styling with a malicious font, which has different mitigations), it covers all ways to get a user to enter a password and grab it without the browser "seeing" that the site is asking for a password.
Replying to @RichFelker @__apf__
When you say "malicious font" are you referring to something like a VM bug (UAF or BoF or something) in a font parser? Or something else?
No, a font where all characters look like ••••••• for a hunter2 effect, to trick the user into entering a password into a form field the browser doesn't realize is a password field. Also used to break password managers.
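The thread sketches two defensive ideas without code: a heuristic for "looks like a password field" that also catches CSS-masked text inputs, custom web fonts whose glyphs all render as bullets, and from-scratch canvas inputs, and a policy that gates such fields on sites the user has never visited until they opt in. The following is an added example, not code from any participant in the thread, of what such a classifier and gate could look like. It operates on plain descriptor objects so it runs outside a browser; in a real extension each descriptor would be assembled from a DOM element's attributes and `getComputedStyle(el)` (that glue, the `pageFonts` list of `@font-face` families the page defines, and the `capturesKeys` flag are all assumed inputs).

```javascript
// Added example (not from the thread). Heuristic "looks like a password field"
// classifier plus a first-visit gate, over plain field descriptors.
// Descriptor shape (assumed): { tag, type, id, name, placeholder, ariaLabel,
//   labelText, autocomplete, style: { textSecurity, fontFamily },
//   pageFonts: [...], capturesKeys: bool }

const MASKING = new Set(["disc", "circle", "square"]);          // -webkit-text-security values
const PASSWORD_AUTOCOMPLETE = new Set(["current-password", "new-password"]);
const PASSWORD_WORDS = /pass(word|wd|phrase|code)?|\bpin\b|secret/i; // deliberately loose

function textualHints(f) {
  return [f.name, f.id, f.placeholder, f.ariaLabel, f.labelText].filter(Boolean).join(" ");
}

function classifyField(f) {
  const signals = [];
  let score = 0;
  const type = (f.type || "text").toLowerCase();

  if (f.tag === "input" && type === "password") {
    return { verdict: "password", score: 99, signals: ["declared type=password"] };
  }
  // A type=text input masked with CSS looks like a password box to the user
  // but is invisible to the browser's own password handling.
  if (MASKING.has(((f.style && f.style.textSecurity) || "").toLowerCase())) {
    score += 3; signals.push("CSS text-security masking on a non-password input");
  }
  if (PASSWORD_AUTOCOMPLETE.has((f.autocomplete || "").toLowerCase())) {
    score += 3; signals.push("autocomplete value names a password");
  }
  if (PASSWORD_WORDS.test(textualHints(f))) {
    score += 2; signals.push("name/id/label mentions a password");
  }
  // A page-defined @font-face is how the "every glyph is a bullet" trick is
  // delivered. Alone it is weak evidence (most sites use web fonts); combined
  // with a password-like label it becomes strong.
  const family = ((f.style && f.style.fontFamily) || "")
    .split(",")[0].replace(/["']/g, "").trim();
  if (family && (f.pageFonts || []).includes(family)) {
    score += 1; signals.push(`field uses page-defined font "${family}"`);
  }
  // Keystrokes captured by something that is not a form control at all.
  if ((f.tag === "canvas" || f.tag === "contenteditable") && f.capturesKeys) {
    score += 2; signals.push(`keystrokes captured by <${f.tag}> outside a form control`);
  }
  const verdict = score >= 3 ? "password" : score >= 2 ? "suspicious" : "plain";
  return { verdict, score, signals };
}

// Gate policy: on a never-visited site, anything that is or looks like a
// password field must be explicitly opted in before it may receive input.
// On a known site nothing is gated; the classifier result is still available
// for warnings.
function fieldsToGate(fields, firstVisit) {
  if (!firstVisit) return [];
  return fields
    .map((f) => ({ id: f.id, ...classifyField(f) }))
    .filter((r) => r.verdict === "password" || r.verdict === "suspicious");
}

// Constructed sample page: one honest password box, one CSS-masked text box,
// one text box styled with a page font and a "secret" id, one canvas login
// widget, and one ordinary search box.
const SAMPLE_FIELDS = [
  { tag: "input", type: "password", id: "realpw", name: "password" },
  { tag: "input", type: "text", id: "pw", autocomplete: "off",
    style: { textSecurity: "disc", fontFamily: "system-ui" } },
  { tag: "input", type: "text", id: "user-secret",
    style: { fontFamily: '"Bullets", sans-serif' }, pageFonts: ["Bullets"] },
  { tag: "canvas", id: "login-canvas", capturesKeys: true },
  { tag: "input", type: "text", id: "q", name: "q", placeholder: "Search" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of fieldsToGate(SAMPLE_FIELDS, true)) {
    console.log(`${r.id}: ${r.verdict} (${r.signals.join("; ")})`);
  }
}
```

The scoring thresholds and the word list are guesses to be tuned against real pages; the point is that every signal is something the browser can observe without trusting the site's own declaration of what a field is, which is exactly the gap the thread is describing.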