by khiqxj
1280 days ago
there absolutely never was a "line of death". one of the major problems with web and OS isolation has always been that they could never make up their mind where to draw the line. i never even knew they have nomenclature for this until now (the only closest concept i'd heard of was the secure attention key).

> security indicators in the URL bar are misunderstood.

it really amazes me how for 10 years we had java applets that could just show an obscure message to the user about "something something signing" and if they pressed okay they could execute arbitrary code by design (because they consented to running unsigned code, which implies that the code can run on your computer with full privileges, and the only way you'd know this is if you read about java sandboxing internals for a few hours), and security experts can't find out why the user can't figure out how to be secure. the reason is what people keep saying: everything is broken. all these bullshit HTTPS symbols in the URL bar don't help either, nor does "oh noes self signed blah blah".

> New web platform features have introduced new modalities for displaying web content. For example, the Payment Handler API introduced a new type of embedded browser window for completing payment flows.

which were absolutely never legit. you should never trust a website that wants you to log in to your bank and shows a bank page ostensibly being served by your bank in its own window. it's unfortunate that web devs (predictably) took the path of least resistance, but that's how it is. everything is broken.