Enter Credit Card Number Here? | Hacking for Christ

Neal Turner has a summary of the new features in Firefox since 0.9. He says:

If you’re connected to a secure site, then the address bar will have a padlock by the arrow on the right and the background will turn yellow. The padlock also appears on the status bar as normal. Therefore, if the address bar isn’t yellow, then it’s not safe to give over credit card details.

He’s right, up to a point. If the address bar is not yellow, it’s certainly not safe to put in your credit card details. But a key observation is that if the address bar is yellow, it’s still not safe to put in your credit card details either. All the yellow says is that you are connected over SSL. It doesn’t say who you are connected to. It could easily be https://evilsite.com – or, more practically, https://www.mybank.com.long.domain.name.no-one.reads.these.evilsite.com.

That’s why I continue to insist that we need to display the domain in the status bar next to the lock, for secure sites, and why I hope to get a chance to update my patch to that effect soon, and persuade Ben to include it.

Update: patch updated. Result: no more confusion about the source of pop-up windows.

Screenshot of Firefox browser with anti-spoofing changes to status bar

7 thoughts on “Enter Credit Card Number Here?”

oh, please, do so! :)

Additionally, the form may be from a secure site but not the form submission.

Neal Deakin != Neil Turner

Oops, sorry. Fixed.

It’s also worth noting that if you’re using a theme other than the default, you probably won’t see any yellow at all. I’m using Whiteheart, and my address bar never turns yellow.

If I can make a suggestion, I would suggest using a font that has very distinct characters to ensure that people can’t get around this.

There was a site going around a while ago that had a domain of paypaI.com(uppercase i) which looked like paypal.com in the font in the addressbar. I would really like to see attacks like this stop. :)

AJ: Good idea; there are two concerns. The first is that we would need to be able to specify that font using CSS, from the fonts available on the user’s system. As different users have different fonts, it makes it hard to produce CSS which does the right thing for everyone. The second issue is that font control is a presentational thing.

So I’d say that this would be a job best left to theme authors.

kwanbis on July 14, 2004 at 2:05 PM said:

oh, please, do so! :)
Brant Gurganus on July 14, 2004 at 2:34 PM said:

Additionally, the form may be from a secure site but not the form submission.
Jason on July 14, 2004 at 3:15 PM said:

Neal Deakin != Neil Turner
Gerv on July 14, 2004 at 4:23 PM said:

Oops, sorry. Fixed.
steeef on July 14, 2004 at 5:44 PM said:

It’s also worth noting that if you’re using a theme other than the default, you probably won’t see any yellow at all. I’m using Whiteheart, and my address bar never turns yellow.
AJ on July 15, 2004 at 2:55 PM said:

If I can make a suggestion, I would suggest using a font that has very distinct characters to ensure that people can’t get around this.

There was a site going around a while ago that had a domain of paypaI.com(uppercase i) which looked like paypal.com in the font in the addressbar. I would really like to see attacks like this stop. :)
Gerv on July 15, 2004 at 3:28 PM said:

AJ: Good idea; there are two concerns. The first is that we would need to be able to specify that font using CSS, from the fonts available on the user’s system. As different users have different fonts, it makes it hard to produce CSS which does the right thing for everyone. The second issue is that font control is a presentational thing.

So I’d say that this would be a job best left to theme authors.