New blog post: The death of the line of death

The "line of death" is a security boundary in web browsers about separating trustworthy browser UI from untrusted web content; I think the concept is waning in utility over time.

https://emilymstark.com/2022/12/18/death-to-the-line-of-death.html

The death of the line of death

The line of death, as Eric Lawrence explained in a classic blog post, is the idea that an application should separate trustworthy UI from untrusted content. The typical example is in a web browser, where untrustworthy web content appears below the browser toolbar UI. Trustworthy content provided by the web browser must appear either in the browser toolbar, or anchored to it or overlapping it. If this separation is maintained, then untrusted content can’t spoof the trustworthy browser UI to trick or attack the user.

Emily M. Stark

@estark One bit that doesn't get much discussion is the role of experts vs. novices. There's no question that novices have no understanding of the difference between trusted UX and untrusted content, but in a design with no trustworthy pixels, even an expert can be completely fooled.

The advantage of allowing an expert to distinguish between trusted and untrusted is that they can "pull the alarm" and escalate to mitigations we know work for novices (URL Reputation interstitials), for example.

@estark I'd had this discussion with VPs in Windows 8 when we created the "Metro" browser with zero trusted pixels. They asked "How many people will even understand the trusted pixels?" and I admitted that the number was low. The problem, I argued, was that some journalist was going to embarrass our security experts on stage at Black Hat with two screenshots: one real, and one fake, and even *they* would be unable to demonstrate that our product could be used safely vs. legacy IE.