> 1. I'd like to de-emphasize the focus on active vs passive content. We
> should block mixed content when we can, period.

This is certainly my opinion as well. At the very least, insecure
content means insecure cookies. At the worst, "passive" content can be
more effective than phishing because it appears to come from a trusted
source.

> 2. I don't think webfonts have any particularly active characteristics
> that have side effects on anything other than rendering. Fonts can
> certainly be used for all sorts of crazy attacks, but always paired
> with script or style, not on their own (that I know of).

Web fonts and images both lend themselves to a similar attack; that
misleading text can be placed on any page where they are used. It would
take some work with a web font, but it's easiest if it's used in a
heading, for example. If you allow me to control what gets written onto
a page, I can write anything, causing the user to think that another
site can be trusted.

Imagine that your secure page has an insecure image on it. I can change
that image to be an image of the following text:

"If you want to log in faster, head over to our partner site evil.com
and log in with your realsite.com password."

I can do the same with a webfont. If a secure page uses it to write
"RealSite" in a heading, I can replace each of those characters with a
rendering of my attack text, so the rendering looks like the complete
attack sentence.

(There are also less severe textual attacks aimed at destroying a
company's reputation, like "We would like to announce that this company
is declaring bankruptcy".)

I have never been comfortable with treating these as not-so-serious.

/Tarquin
--
Tarquin Wilton-Jones
Security Group
Opera Software ASA
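
An added illustration, not part of the original message: a small audit that lists the images, web fonts and other subresources an HTTPS page would fetch over plain HTTP, which are the loads the message argues should be blocked. The function names, the sample page and the realsite.example hosts are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not real traffic): one font and one image come over HTTP.
SAMPLE_PAGE = """<html><head><style>
@font-face { font-family: Brand; src: url("http://static.realsite.example/brand.woff"); }
h1 { font-family: Brand; background: url(//static.realsite.example/bg.png); }
</style></head><body><h1>RealSite</h1>
<img src="http://static.realsite.example/banner.png" alt="">
<img src="/logo.png" alt=""></body></html>"""

SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
FONT_FACE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I)


class RefCollector(HTMLParser):
    """Gather subresource references (tag src and <style> url()) in document order."""

    def __init__(self):
        super().__init__()
        self.refs, self._css = [], None  # _css buffers text while inside <style>

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "style":
            self._css = ""
        elif tag in SRC_TAGS and src:
            self.refs.append((tag, src))

    def handle_data(self, data):
        if self._css is not None:
            self._css += data

    def handle_endtag(self, tag):
        if tag == "style" and self._css is not None:
            # url() values inside @font-face blocks are fonts; the rest are other CSS loads
            fonts = set(CSS_URL.findall(" ".join(FONT_FACE.findall(self._css))))
            for ref in CSS_URL.findall(self._css):
                self.refs.append(("font" if ref in fonts else "css-url", ref))
            self._css = None


def audit(page_url, html):
    """Return (kind, absolute_url) for every subresource that resolves to http://."""
    parser = RefCollector()
    parser.feed(html)
    parser.close()
    resolved = [(kind, urljoin(page_url, ref)) for kind, ref in parser.refs]
    return [(kind, url) for kind, url in resolved if urlparse(url).scheme == "http"]
```

Relative and protocol-relative references inherit the page's scheme, so they are reported only when the page itself is not served over HTTPS.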