New blog post: The death of the line of death

The "line of death" is a security boundary in web browsers about separating trustworthy browser UI from untrusted web content; I think the concept is waning in utility over time.

https://emilymstark.com/2022/12/18/death-to-the-line-of-death.html

The death of the line of death

The line of death, as Eric Lawrence explained in a classic blog post, is the idea that an application should separate trustworthy UI from untrusted content. The typical example is in a web browser, where untrustworthy web content appears below the browser toolbar UI. Trustworthy content provided by the web browser must appear either in the browser toolbar, or anchored to it or overlapping it. If this separation is maintained, then untrusted content can’t spoof the trustworthy browser UI to trick or attack the user.

Emily M. Stark

@estark I hope you can feel my look of disapproval over that headline. ಠ_ಠ

But yeah, negative security indicators are generally more effective. That stated, I still think we don't have a good handle on when and how we should make use of positive indicators. Instead we clutter up the security UI space with a variety of things conveying numerous different messages, only a handful of which are even security relevant. I would prefer a very small, clear area delineated by the line of death.

@jschuh this was the toned-down headline, believe it or not! agree about very small clear area.
@estark This was the toned-down headline? 😲 Clearly you're suffering under the loss of discussing this topic ad nauseam with me in the office. Yes... that must be it. 😜