F23 System Wide Change: Default Local DNS Resolver

Andrew Lutomirski luto at mit.edu
Fri Jun 12 22:49:23 UTC 2015


On Fri, Jun 12, 2015 at 3:32 PM, Michael Catanzaro <mcatanzaro at gnome.org> wrote:
> On Fri, 2015-06-12 at 11:19 -0700, Andrew Lutomirski wrote:
>> It wouldn't really have to be Firefox, but getting the browser chrome
>> right to avoid trivial phishing attacks is critical, and all real
>> browsers already do that fairly well, whereas the simple embedded web
>> views (e.g. gnome-shell-portal-helper) get it nearly 100% wrong.
>
> Hi, it sounds like we have a problem to fix in
> gnome-shell-portal-helper. What specifically are your requirements for the browser
> chrome? I figure as long as the window title is something along the
> lines of "Connect to wireless network" and the hotspot can't change
> that, then we should be good?

Barely.  GNOME seems to do its best to hide window titles, so
something like a URL bar is probably a better bet.  Also, users are
already (hopefully) trained to look for an indication in the URL bar
that something is secure or insecure.

> We could also put a short explanation of
> what is going on in a GtkInfoBar to make it really stand out. I guess
> the goal is to make the chrome distinctive enough that a user stops to
> think "something is not right, don't enter password" when the captive
> portal helper appears and displays google.com.

But that's not even right.  Suppose you have a captive portal that
wants you to log in via your Google account.  It can send you to
https://accounts.google.com, and your browser can verify the
certificate and show you an indication that the connection is secure.
Then you really can safely enter your password.

With the current gnome-shell-portal-helper, there is no chrome at all,
which means that the captive portal gets to show its own chrome, and
it could, for example, make the login window look exactly like
Firefox.  I bet that even the most sophisticated users lose in that
case.

I think the UI should look like a real browser except that it should
clearly indicate that it's a "Log in to wireless network" browser in
addition to showing a standard URL bar.

https://bugzilla.gnome.org/show_bug.cgi?id=749197

>
> FWIW the tech used for GNOME apps that need a web view is WebKitGTK+.

Can that provide real chrome?

--Andy

