The diary and photos of Chris Beach. I'm into windsurfing, coding, badminton, drawing and composing music using computers and synths.


comment on journal entry: the fundamental security flaw in Mozilla browsers

  • the ever-so-evil 5 year 'bug'
    this "bug" exists in practically any browser that can display fake browser-like XUL buttons and such. you could even fake an AOL window or a windows update window. it's not just firefox.

    "do not follow untrusted links" is really the only advice you can give - think of all of the people who use IE who get POPUPS of fake internet explorer images? SP2 fixes the popup problem, but not a lot of people have downloaded the update, and even so... IE is still way behind with tons of other things.

    there is a VerifyURL extension that allows you to right-click and see the true URL of any website (even the ones with fake buttons or within frames). this does more than solve the problem, it gives you a new tool to check other seemingly fake sites.

    taking away a great feature because it can be abused is no good. that'd be like assuming your entire userbase is dumb and won't know that they're using a fake browser window. [Andrew Saturn]
    • er, yes, but...
      "this "bug" exists in practically any browser that can display fake browser-like XUL"

      Yes, and thankfully, IE does NOT support XUL. Problem solved! [Chris Beach]
      • XAML
        It is, however, getting XAML. [Marcus]
        • thankfully, Microsoft can learn from the huge mistakes of the Mozilla Organisation when developing their own application markup language. Here's to progress!
          [Chris Beach]
      • XUL is just like HTML (with some extras)
        The appearance of a XUL document is governed by CSS rules, just like HTML pages. You can just as easily fake an IE window using plain HTML. Heck, in the pre-SP2 era, any website could create a chromeless window! Recent nightlies, and as such the upcoming 1.0, don't allow the hiding of the status bar by default, so there's always one area of the chrome that is the real thing.

        Hate to burst your bubble, Chris, but there's no such thing as a completely safe browser. Well, Lynx probably comes pretty close. ;-) [Jan!]
        • XUL is as much like HTML as CSS is like cheese
          The only similarity between HTML and XUL is the fact they both look like XML when viewed in a text-editor. It pretty much ends there! You need to read a touch more into the subject.

          XUL is the language used to write the high-level interface for Firefox. It was designed from day 1 to be an application markup language. The core of the Firefox interface is available to be reused in XUL, so each element (back/fwd buttons, status bar etc) will appear identical to the real versions. These components will even assume the current theme. Therefore, to both the layman and the advanced user, a Firefox spoof interface will be almost impossible to spot.

          HTML on the other hand, can also be used to create simple "interfaces," but it was initially devised as a document markup language. A spoof browser created in HTML is much easier to spot, and much "hackier" to code.

          [Chris Beach]
          • Spoofing with HTML
            A spoofed window created in HTML is no easier to spot, and no "hackier" to code, than an XUL version. Creating the necessary UI elements in HTML and CSS system colours is incredibly easy and, because the affected versions of IE all use the same "theme", there's no need to point to system-based resources to make it convincing.

            You don't need to spoof the menu, standard, address and link toolbars because you can tell IE to include them as usual for the spoofed window. All you need to do is: (a) spoof or obfuscate an address, (b) stop the actual status bar from appearing, and (c) spoof a new status bar with the security lock icon and associated dialogs. The UI involved does not use anything that can't be identically reproduced in HTML/CSS (and a total of 9 graphics).

            Also, (X)HTML and XUL are both XML; they don't just look like it. [Marcus]
            • this thread is getting rather repetitive
              I think most well-read web developers would understand the threat posed by a website being able to rewrite the application-logic of a browser, preserving its look and feel. The XUL implementation in Mozilla is a vulnerability almost by design.

              Its use allows the spoofer much greater power than a simple "cardboard cutout" HTML rendition of a browser. Surely you can see that?

              I do understand that XHTML and XUL are both forms of XML but you simply can't compare them in a debate like this. [Chris Beach]
              • A spoof is a... (and repeat)
                A spoof is a spoof is a spoof. If I get you to believe that my site is PayPal, I get your money... whether it's made from HTML, XUL, XAML, Flash, whatever.

                As long as they continue to display content, which is their entire purpose, browsers can only do so much to prevent such things fooling their users.

                The XUL part of the Mozilla spoofing problem is a non-issue. Now, for Firefox as well as IE6 XP SP2, spoofing will be less of a problem all round. [Marcus]
                • allegedly: "The XUL part of the Mozilla spoofing problem is a non-issue"
                  Just wait till someone re-writes your browser in XUL and you know nothing about it. I think as a web developer I'll be able to spot when someone uses a few images and a bit of JavaScript to try and emulate the UI of Internet Explorer...

                  According to Mozilla:

                  "The goal of XUL is to build cross platform applications, in contrast to DHTML which is intended for developing web pages."

                  "XUL blurs the distinction between desktop application and Internet browser apps because it is firmly entrenched in both worlds" [Chris Beach]
