Back to the story Real-name-behind-gmail-users discussed in July http://blogoscoped.com/forum/135954.html
link: http://blogs.securiteam.com/index.php/archives/1144 with screenshots included |
The markets with Google are still expanding and the top priority of Google is to occupy markets. Security and privacy are not yet a big concern to Google. A past example was Microsoft.
DOS, Windows 3.2, Win95/98 had few effective security mechanisms, while Unix at an early stage had implemented security. But Microsoft sold the easiness of Windows well, while security always has conflicts with easiness. |
"This is all a Chrome desktop app will show you – do you know at which domain you’re currently entering your Google password?" ==> that is really a wrong idea from Google, I do not like that. Just as the missing statusbar, you have to use your mouse (and not the keyboard) to roll over links to discover their target... FAILED! |
IE has a similar feature called kiosk, but it's not accessible from the UI. Edit an IE shortcut and append -k mail.google.com or type in Start/Run: iexplore -k mail.google.com
To exit the kiosk mode, press Alt+F4. |
The fact how this will help phishing gangs has not been discussed yet |
> The fact how this will help phishing gangs
> has not been discussed yet
You mean in the thread, in the post, or ...? |
Google Lively now has adjusted the way it lets people enter their Google Account password to join a gadget room, perhaps in reaction to the phishing problem mentioned: they will now pop up a new window which shows the address bar. That's much better than before.
I wonder though, is it possible in today's browsers to pop up a window (on click) which then contains no address bar (which would allow you to add an HTML/CSS-faked address bar)? I just tried
var winRef = window.open('http://example.com', 'somename', 'location=0');
which still showed the URL in several browsers but I'm not sure that's the right way. (I guess if it would be possible, it would be a browser issue, for starters.)
PS: The new login method is still not as good as using the same window would be. The site could still pop up a DHTML window that looks at least somewhat similar in some browsers to a regular new window. |
Philipp, I think most, if not all, modern browsers always show the address bar in popups as a security feature even if it's switched off using JavaScript (unless the site is trusted) but there would be nothing stopping someone detecting which browser you were using and mimicking the browser window using DHTML and JavaScript to pop up some kind of fake modal window with a fake URL. (It wouldn't appear in your task bar but how many would notice that?)
Then again, how many people even check URLs in their address bar before signing into their Google Account anyway? If you see a link on a website saying "Try this new service from Google" I bet many would just sign in without even checking the address bar... |
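A defensive counterpart to the address-bar discussion above, as an added example that is not part of any post in this thread: before showing its password field, a sign-in page can check that it is a top-level window whose address bar the browser reports as visible. The function names, the policy and the sample window objects are assumptions made for illustration.

```javascript
// Added example (not from the thread): decide whether a sign-in page may show
// its password field, based on whether the user can see the real address bar.
// `win` is any window-like object; in a browser, pass `window`.

function signInContextProblems(win) {
  const problems = [];

  // Embedded in another page: the address bar shows the embedding site,
  // so the user cannot tell which domain receives the password.
  if (win.top !== win.self) {
    problems.push('framed');
  }

  // BarProp check: browsers report locationbar.visible === false for popup
  // windows. A missing property is treated as "cannot confirm" and fails closed.
  const bar = win.locationbar;
  if (!bar || bar.visible !== true) {
    problems.push('no-location-bar');
  }

  return problems;
}

// Hypothetical policy: render the form only in a full top-level tab;
// otherwise ask the caller to continue sign-in in a normal tab.
function signInDecision(win, signInUrl) {
  const problems = signInContextProblems(win);
  if (problems.length === 0) {
    return { action: 'render-form', problems };
  }
  return { action: 'open-top-level', url: signInUrl, problems };
}

// Constructed window-like objects so the check can be run outside a browser.
function fakeWindow({ framed, barVisible }) {
  const self = { locationbar: { visible: barVisible } };
  self.self = self;
  self.top = framed ? { name: 'embedding page' } : self;
  return self;
}
```

This check only helps the genuine sign-in page avoid asking for a password where the URL is hidden; it does nothing against a look-alike page, so the user checking the address bar still matters.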
Here's Google's official announcement, I just got an alert:
http://groups.google.com/group/lively-help-announcements--alerts/browse_thread/thread/cac41ef5731666d3?hl=en&pli=1
<<One of the main benefits of this version is a streamlined sign-in process, which should help with repeated sign-in problems, as well as alleviating phishing risks.>> |
Philipp: Yes, I mean in this thread. |