
Why Favicons must go

Recently I attended two working group meetings at Columbia discussing different aspects of security usability. At both meetings someone made the statement 'users don't understand what parts of the browser are content and what parts are chrome'. That is, people who use browsers do not understand which parts of a browser window contain trustworthy information and which do not.


This should not be a surprise: until this year security concerns were always trumped by the notion that the content provider should have as much control over the layout of the page as possible. The fact that there is a problem was only recognized after phishing gangs started to use frameless JavaScript popup windows to overwrite the address bar and the padlock icon.


IE7 and Firefox 2 both make important progress in preventing the worst types of abuse. IE7 does not allow content to overwrite certain parts of the display deemed to be critical, and every popup window has at least a minimal quantity of chrome.


But the legacy of ten years of ill-discipline persists. We still lack a clearly enforced boundary between content supplied by the Web site being visited and trusted metadata supplied by the browser. A clearly defined boundary exists; the problem is that it is not enforced. Little wonder then that users have difficulty determining what they can trust and what they cannot.


The problem is that even in IE7 the content provider can still inject untrustworthy data into several areas of the screen that a user might reasonably assume to be 'secure'. The title of the Web page is written out to the window frame, the URI of the web site is written out to the address bar, and if one is specified, the favorites icon supplied by the content provider is written out to the favorites list (the intended use) and to the address bar.


Like cookies and JavaScript, favicons were the result of unilateral deployment rather than a considered process, and like cookies and JavaScript the security impact was both profound and entirely ignored by the perpetrators. Displaying the brand of a bank in the chrome area of a Web browser has a profound impact on the user, who has been led by ten years' experience to expect information in the chrome area of the browser to be trustworthy.


Fortunately there is a positive side to this fiasco. We have identified a powerful means of communicating to the user. The problem is that the data provided is untrustworthy, a problem that we already have the means in hand to fix: SSL plus Extended Validation Certificates with embedded Logotype Extensions, the scheme I call Secure Internet Letterhead.
