Chrome dev explains how modern browsers make secure UI just about impossible

Google Chrome engineer Eric Lawrence has described the battle of browser barons against the 'line of death', an ever-diminishing demarcation between trusted content and the no-man's land where phishers dangle their poison. The line, Lawrence (@ericlaw) says, is a conceptual barrier between content that browser developers …

  1. Esme

    HTML5 can do WHAT?!

    I'm not a coder, and on this subject am essentially 100% a user, but - HTML5 can force a browser into full-screen mode? What kind of cretin ever thought THAT was a good idea?! I'm appalled!

    As a user, my attitude is 'my browser, it goes full-screen only if and when I tell it to' - which is never, in my case. This may explain a couple of times I've found myself having to reboot due to what seemed to me to be a browser fault. I'd presumed I'd somehow accidentally sent the browser full-screen (everything's so bloody twitchy in feel these days, with umpty-zillion ways of invoking this or that feature you didn't even know existed, much less care about) so a quick F11 - nada. Couldn't get out of fullscreen, couldn't get at my desktop, three-fingered salute didn't work, only option was to power off and reboot. And this on a Linux box.

    Gah. No, I'm not interested in the arguments put forward for websites being enabled to force fullscreen - it's a shitheaded decision, and there's an end to it. It's this kind of fuckwittery that has made what was once an interesting and exciting subject - IT - into a bloody awful and tedious consumer of precious hours of my life NOT doing fun things that I won't ever get back on all too many occasions.

    </mardyoldbiddyrantingoffintothesunset>

    1. Charles 9 Silver badge

      Re: HTML5 can do WHAT?!

      Guess you don't like full-screen video-on-demand playback, then. Seems you don't like full-screen ANYTHING, which puts you in the majority that find the browser's UI elements annoying. And they OUTVOTE you.

      So as they say, we just can't have nice things because the things we NEED for security reasons people DON'T WANT because it gets in the way.

      1. Esme

        Re: HTML5 can do WHAT?!

        @Charles9 - no, I said I don't want to browse the internet in full-screen mode is what I said, I didn't say I don't want you to be able to do so should you choose to do so - do try to keep up! (or better yet, try responding to what I said, instead of your guess at what I like) I don't mind the option for me to put it full screen being there - but it's an absolutely idiotic idea to allow a website to FORCE fullscreen on people.

        1. stephanh Silver badge

          Re: HTML5 can do WHAT?!

          Well, technically HTML5 can only go full-screen as a result of a user request. However, the "request" may be any UI event, such as moving the mouse. Also, browsers typically show, for a short duration, a message that you can press "Esc" to leave full-screen mode. But you can miss that.

          So my personal feeling is that this "secure UI" horse has already left the stable a long time ago.

          Still, you can train yourself and/or your users to first press "Esc" before trusting the address bar padlock.

        2. Def Silver badge

          Re: HTML5 can do WHAT?!

          I think you're missing his point.

          When you click the fullscreen button in YouTube, for example, it's the fullscreen language feature of HTML5 that performs that operation (I presume). That's why it exists.

          I'm sure it's not easy to determine whether the user explicitly requested fullscreen mode or not when trying to detect such things. It could require confirmation from the user, but that would get annoying quickly and most people would just turn it off.

          What might work is a fullscreen overlay in the corner like a TV network logo that fades out after some seconds if a video is playing (if you can detect that and not be able to fake it by 'playing' a hidden video) or stays visible until the user explicitly dismisses it otherwise.

          Like a lot of UI these days though, it's not a simple problem to solve given the complexity of software these days.

          1. Doctor Syntax Silver badge

            Re: HTML5 can do WHAT?!

            "Like a lot of UI these days though, it's not a simple problem to solve given the complexity of software these days."

            Not so much the complexity as some disastrous design conditions behind it. e.g. "I'm sure it's not easy to determine whether the user explicitly requested fullscreen mode or not when trying to detect such things."

            If you don't make the provision for the user to explicitly indicate this then no, it isn't easy to determine. So the design decision was wrong.

            The root cause of so many security issues is valuing user convenience over security. And you know what? Once the security fails to prevent an attack it suddenly becomes very inconvenient indeed.

      2. Mage Silver badge

        Re: HTML5 can do WHAT?!

        I use my TV set for full screen content.

        1. Charles 9 Silver badge

          Re: HTML5 can do WHAT?!

          And if that content is ONLY available on the web, like say Netflix programs (you DO know Netflix does their own TV shows now)?

          1. tiggity Silver badge

            Re: HTML5 can do WHAT?!

            Netflix to chromecast in TV?

            Use netflix app on a device plugged into TV HDMI slot? (e.g. I have rooted android device connected via ethernet cable to internal router with HDMI connection to (dumb) TV so I can run iPlayer etc )

            Lots of new "smart" TVs (not always a good thing but that's a separate issue) come with netflix apps of their own.

            And doubtless many more ways to watch netflix on a TV (not a netflix user so not an expert on how many different apps they make /OSes they support)

            1. Charles 9 Silver badge

              Re: HTML5 can do WHAT?!

              You still need a browser to Chromecast, so the problem is being deflected.

              Not everyone can root their devices, plus doesn't Netflix now balk in the presence of root since this provides a recording avenue?

              Most smart TVs have outdated Netflix apps that'll never be updated again.

              Plus what if ALL you have is a laptop (quite possible if on the go)?

            2. Mage Silver badge

              Re: HTML5 can do WHAT?!

              PS4 does Netflix.

              Or Phone with HDMI cable.

              Chromecast is overhyped piece of spyware, but so is "Android TV" to enable "smart TV" functionality.

        2. Doctor Syntax Silver badge

          Re: HTML5 can do WHAT?!

          "I use my TV set for full screen content."

          So do I. But it's not via a browser.

      3. Doctor Syntax Silver badge

        Re: HTML5 can do WHAT?!

        "Seems you don't like full-screen ANYTHING"

        Maybe you missed the significance of "when I tell it to". If the user controls full screen full screen is not forbidden.

        " Seems you don't like full-screen ANYTHING, which puts you in the majority that find the browser's UI elements annoying. And they OUTVOTE you."

        ??????

        1. bombastic bob Silver badge
          Meh

          Re: HTML5 can do WHAT?!

          "Seems you don't like full-screen ANYTHING"

          I know that _I_ do *NOT* like 'full screen'. Except for movies. And I normally use an EXTERNAL player after downloading videos via "some plugin on Firefox" anyway, so I can download the HD version with my pathetic bandwidth and still view it without skipping.

      4. dajames Silver badge

        Re: HTML5 can do WHAT?!

        Guess you don't like full-screen video-on-demand playback, then.

        There's nothing wrong with full-screen video playback, but full-screen anything is something that the user should select -- or not select, according to taste -- and not something that should be selectable by software without the user's consent.

        The security/usability balance isn't all about absolutes.

      5. Adrian 4 Silver badge

        Re: HTML5 can do WHAT?!

        "Guess you don't like full-screen video-on-demand playback, then."

        I do, sometimes. But why should it need to be under site control ? What's wrong with a full-browser window that increases to full-screen when I press a button ?

    2. Voland's right hand Silver badge

      Re: HTML5 can do WHAT?!

      That is only one of the issues. HTML5 can do most things one has come to associate with a local GUI toolkit. In fact, it is a replacement for a local GUI, multimedia and communications toolkit. That by itself is all right, it is better than executing foreign code... Or is it? All ads are effectively foreign code - they come and go via javascript insertion. Most websites also use tons of 3rd party code. More insertion. And more, and more and more. Each and every one of them becomes a part of the document and is nearly impossible to isolate in its own security domain.

      That part of html has had practically zero thought about it and is not likely to be fixed in a subrelease like let's say HTML5.1 either. It is here to stay and be beaten on the head with large and blunt instruments called noscript and adblock.
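As an added example, not posted by anyone in this thread and not code from any browser vendor: a host page written from the site author's side that keeps embedded third-party content (the ad and 3rd-party scripts Voland's right hand describes) from requesting fullscreen at all, and that draws its own persistent reminder on the fullscreen surface, which is what stephanh's advice to press Esc before trusting the padlock looks like when the page itself cooperates. It goes a little beyond the thread by using the sandbox and Permissions Policy controls for frames rather than only the fullscreen switch. The video path, the frame URL and the element ids are assumptions.

```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Host page with a contained third-party frame</title>
<!-- Added example, not code from the thread or from any browser vendor.
     The server should also send the document-wide policy as a response
     header (the normative form):   Permissions-Policy: fullscreen=(self)
     The per-frame `allow` attribute below does the same for one frame. -->
<style>
  #stage { position: relative; }
  #fs-banner { display: none; position: absolute; top: 0; left: 0; right: 0;
               background: #222; color: #fff; padding: .5em; z-index: 1; }
  /* :fullscreen matches the element that is currently fullscreen, so the
     banner appears only while #stage is on the fullscreen surface. */
  #stage:fullscreen #fs-banner { display: block; }
</style>
</head>
<body>
<!-- Everything that may ever be shown fullscreen lives inside #stage, and the
     host page's own banner sits inside it too, so the banner is drawn on the
     fullscreen surface by this document, not by any embedded content. -->
<div id="stage">
  <div id="fs-banner" role="status">
    Fullscreen is on. Press Esc to leave it before trusting anything that looks like browser chrome.
  </div>
  <!-- clip.webm is a placeholder path -->
  <video id="player" controls src="clip.webm"></video>
</div>
<button id="fs-btn" type="button">Full screen</button>

<!-- Third-party content goes in a sandboxed frame outside #stage.
     No allowfullscreen attribute plus allow="fullscreen 'none'" means a
     requestFullscreen() call inside the frame is rejected by the browser.
     The sandbox grants scripts only: no allow-same-origin, allow-popups or
     allow-top-navigation. The src is a placeholder URL. -->
<iframe id="ad"
        src="https://ads.example/creative.html"
        sandbox="allow-scripts"
        allow="fullscreen 'none'; autoplay 'none'"
        referrerpolicy="no-referrer"
        title="Advertisement"></iframe>

<script>
"use strict";
const stage = document.getElementById("stage");

// The browser informs the page of every fullscreen transition through the
// fullscreenchange event, whoever initiated it (this script, or the user
// pressing Esc). document.fullscreenElement is null once it has ended.
document.addEventListener("fullscreenchange", () => {
  const active = document.fullscreenElement !== null;
  document.body.dataset.fullscreen = active ? "on" : "off";
});

// Only the host page's own button requests fullscreen, and only for #stage,
// never for document.documentElement. The call must run inside a
// user-activation handler such as click; browsers reject it otherwise.
document.getElementById("fs-btn").addEventListener("click", async () => {
  try {
    await stage.requestFullscreen();
  } catch (err) {
    // Rejected when there is no user gesture or a permissions policy forbids it.
    console.warn("fullscreen request rejected:", err.name);
  }
});

// Regression check on the third-party frame's attributes: if someone later
// adds allowfullscreen or loosens the allow list, say so in the console.
const ad = document.getElementById("ad");
const allow = ad.getAttribute("allow") || "";
if (ad.hasAttribute("allowfullscreen") || !allow.includes("fullscreen 'none'")) {
  console.warn("third-party frame may use fullscreen; tighten its allow and sandbox attributes");
}
</script>
</body>
</html>
```

The design choice worth noting is that the reminder banner is a child of the element that goes fullscreen: when an element is fullscreened, only that element and its descendants are painted, so a banner placed elsewhere in the page would simply vanish. Keeping the third-party frame outside that element means nothing it draws can ever share the fullscreen surface with the host's banner.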

      1. Charles 9 Silver badge

        Re: HTML5 can do WHAT?!

        Until they find ways to BEAT NoScript by using proxies, inline domains, and other things that make the cruft part-and-parcel with the content. ALL content. And no, nice guys won't get a chance here. Soon as they appear, the sharks will chomp them up. It's why you can't even go to an official driver website (one of the few EXCLUSIVE sources on the Internet; if you can't trust the manufacturer, you can't trust ANYONE) without leaving holier than a wheel of Emmentaler. Faced with that, your only options are to finally bend over or to leave the Internet and go back to the real world of untraceable cold calls, billboards, and junk mail.

    3. LDS Silver badge

      The whole web technology is now designed by marketing depts.

      What did you expect? And Google has been one of the major drivers in this - because each native application means Google can't see your data.

    4. 2+2=5 Silver badge
      Linux

      Re: HTML5 can do WHAT?!

      @Esme

      I suggest you migrate over to Qubes OS. The window title bars are immutable, full screen or not, so two title bars is a sure sign that the web page is faking one of them.

      1. Destroy All Monsters Silver badge

        Re: HTML5 can do WHAT?!

        Trying this now...

    5. Aodhhan Bronze badge

      Re: HTML5 can do WHAT?!

      Did someone forget to take their manic medicine? ...relax, the sun will rise again tomorrow. With the amount of odd-ball things which are developed and used in this world (on and off computer systems), losing your mind to a browser idiocy isn't worth it.

      Think about this fact, nearly anytime you use an application you're forced unwillingly to comply with something, you just don't realize it or you go along with it; and yet, here you are using your computer over and over again.

      Hmmm... on second thought, don't think about this... it just may send you over the edge.

    6. Anonymous Coward

      Re: HTML5 can do WHAT?!

      > What kind of cretin ever thought THAT was a good idea?! I'm appalled!

      "This standard is written by Anne van Kesteren (Mozilla)" for one. He (Dutch name?) has done so much to promote this hipster shit.

      Not to single him out. Everyone involved at the W3C, Google, Mozilla, Microsoft, Apple.. should have put the brakes on it. The security risk was obvious, and I vaguely recall people pointing it out, but the hype train rolled right over them.

    7. bombastic bob Silver badge
      Unhappy

      Re: HTML5 can do WHAT?!

      "HTML5 can force a browser into full-screen mode?"

      sounds like a need for:

      a) a plugin like 'noscript' to block all of that by default;

      b) user-configurable settings for the same thing (i.e. "never full-screen the browser" just like "never open popup windows")

  2. GrapeBunch Bronze badge

    I wonder what Tor browser does

    Some years ago, Opera dined out on being standards-compliant. First, they were not really that compliant, as some features (I guess it was HTML 4 at the time) were not implemented, even after months and months. Second, as we see here, standards-compliant does not mean secure. When in doubt, do as the Tor browser?

  3. jake Silver badge

    The problem isn't the UI ...

    ... Rather, the problem is only half of the UI. Specifically, the "U" half.

    Users are, as a class, ineducable when it comes to personal security. Like it or not, this is a fact, and one that the designers of the interface portion would do well to accept as reality.

    This also applies to InternetOfTat, and other marketing-driven memes.

    1. Charles 9 Silver badge

      Re: The problem isn't the UI ...

      But as a comedian once said, "You can't fix Stupid," and Douglas Adams once wrote on the sheer ingenuity of complete fools when it comes to "foolproof" designs. Combine the two, and you end up with scenarios like what Terry Pratchett once wrote, about the paint for the sign for the End of the World Button not having time to dry.

      This is the kind of world we live in. Now how do we solve for that without Stupid taking the rest of world with him?

  4. Anonymous Coward

    Symbian's "Trusted UI" capability was intended to remedy this

    The plan was that some clear element, such as a dedicated LED or reserved space on the screen would only be activated by the holiest of software. But AFAIK no phones ever did this; pixels are precious, extra indicators cost, there was no single standard for web pages to make requests for special privileges like payment info, and of course phone makers periodically borked security anyway, eg by shipping with a guest-accessible debugger driver. Pleasant dream while it lasted...

    1. Dan 55 Silver badge
      Megaphone

      Re: Symbian's "Trusted UI" capability was intended to remedy this

      Symbian, still solving today's problems 10 years ago. Either Symbian was ahead of its time or today's mobile OSes are still way behind.

  5. John Smith 19 Gold badge
    WTF?

    "picture-in-picture attacks"

    Or the "Dummy log in screen" of mainframe and mini hacks.

    But now you've got the whole terminal browser that can be duplicated.

    1. bombastic bob Silver badge
      Joke

      Re: "picture-in-picture attacks"

      "But now you've got the whole terminal browser that can be duplicated."

          how about a fake 2D FLATSO FLUGLY interface that looks like it's running Edge, with a fake dialog box saying "Welcome to Windows 10!". It would be a way of trolling people into throwing their computers out of a window or something...

  6. Destroy All Monsters Silver badge
    Facepalm

    The world is crazy

    "Security UI is hard," Lawrence says.

    More like

    "Security UI swimming in an acid bath of:

    1) marketing types and psycho execs looking for the "next great thing" to befuddle the public

    2) bright & eager & young & unladen-by-prior-knowledge developers/designers

    3) the bizarre idea of "one tool for anything from online gaming to online banking"

    4) persistent crappiness/crabbiness of the underlying OS and hardware

    is hard

  7. DropBear Silver badge

    Hahahahaha... well, my address bar sits right below the menu, so any "mini-windows" displayed by "chevrons" need to span right across both my bookmark bar and tab bar - I'd like to see a webpage fake that convincingly. As for the fullscreen thing, that should never have been allowed. Most stuff I watch in a small in-page window, I can press F11 if I want, and I'm fine with launching a dedicated player on my PC (if only HTML would let me do that), but page content really shouldn't be able to just commandeer my screen, warnings or no warnings.

  8. benderama

    Interestingly, I'm not automagically switched to https:// when on The Reg. I should stop signing in

  9. Novex

    "Security UI is hard" - not. It's all this mucking around trying to take over our devices and make things full screen all the effing time and trying not to have any 'chrome' that's causing the problem. Leave users to decide whether they want full screen or not, and never force them to accept popups or full screen views. Oh, and let them have at least some 'chrome' around a window to keep things a bit more sane.

    1. Charles 9 Silver badge

      "Leave users to decide whether they want full screen or not, and never force them to accept popups or full screen views."

      Everyone here's forgetting that we're not the average user. The average user doesn't want to decide. This is why they demand turnkey solutions.

      1. Doctor Syntax Silver badge

        "The average user doesn't want to decide."

        Fine. Make the decisions for them. And make those decisions sane.

        1. Charles 9 Silver badge

          But if it's not what the customers actually want, then you're in a bind. What do you do when the customers demand unicorns and will happily pay for the first horn glued to a horse to come along? And you can't say let them suffer because their actions usually come with collateral damage for the rest of us. When everyone is plunking down for fakes, nothing goes into the real stuff, and everyone loses.

  10. Anonymous Coward

    F11

    I just hit F11 when I want fullscreen. Works in several programs including browsers.

    The standard is ass backwards. Instead of the website calling requestFullscreen() to initiate fullscreen, the browser should TELL the site when it's fullscreen.
