
Browsers, which seem to replace certain parts of current operating systems, aren't very safe. Here's one more example:

"This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain."



They are reasonably safe, given their size and complexity. They are certainly a lot safer than current widely used operating systems - those aren't designed for running unknown adversarial code at all - something a browser does all the time in typical use.


The strength of browsers (universally, near instant code deployment via URL) is also a weakness, unfortunately.


What alternative do you suggest?


A good solution is browsers actually implementing useful stuff like needed widgets and useful features.

For example, have a <login> element; browsers will style it the same for all websites and prevent developers from misleading the user.


>For example, have a <login> element; browsers will style it the same for all websites and prevent developers from misleading the user.

More importantly, display it to the user in such a way that no website can spoof it. For instance, it can dim the entire window (e.g. like UAC on Windows).


This doesn't solve it because then the phishermen will simply start cloning the <login> element style.


>This doesn't solve it because then the phishermen will simply start cloning the <login> element style.

You do the login in a native popup, similar to how you give, say, camera permissions.


This seems like a decent solution as compared to the alternatives presented so far throughout the discussion.

Folks who browse in an edge-to-edge maximized window will still be at least somewhat-to-quite vulnerable, especially if less tech-savvy or vision impaired. I generally don't browse this way, mostly due to the relatively insane* width of displays in general these days.

Would mobile users still be vulnerable? Due to:

1. Tiny screen dimensions.

2. No option for "window" resizing. It's not even a thing.

* OT: Displays today are wide to such an extreme that they tend to be too wide for my needs and tastes. Eventually it's too much like staring at the bottom 1/5th of a full-sized 4k display, which work sent me but which turns out to be mostly good for watching Batman, The Matrix, and other ultra-wide theatrical film releases. Granted, at this task, a 34" 1440p widescreen excels marvelously.

Surely you've heard the joke (or is it an adage?):

"With that 34" display, it can [finally] render a Java Class Name and fit it within a single line. But after the IDE and debugger open, you can only see the one line."


You can add more security features like

- the login popup could integrate with your OS so, depending on your options, it could pre-fill the username and password or only the username; a fake one would be forced to guess your username.

- the fake stuff always failed for me; I am using Kubuntu and all those fake popups were using an XP theme.

- because some OSs don't give you the option to customize shit anymore, in this case they would make an exception and ask you to personalize the login popup, like asking you to use an avatar img from a big list that is sorted randomly and maybe a color. Anyway, Apple and Google have the money to pay someone to think more than 5 minutes about this, so there could be even more solutions for these permission popups.

>With that 34" display, it can [finally] render a Java Class Name and fit it within a single line. But after the IDE and debugger open, you can only see the one line.

Don't hate long names, hate bad names.

I found a bug in our project caused by such bad short names; a good, clear name is always clearer than some misleading short one or a random short string.


I'm pretty sure I could be fooled by a really good fake HTTP Basic Authentication prompt. Yeah, technically the real one is distinguishable, but it seems like it would be easy not to notice.

(here's a real one http://httpbin.org/basic-auth/foo/bar )
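What makes the real prompt "real" is that the browser itself renders it in response to an HTTP 401 challenge, something page content cannot trigger. The server side of that exchange, as an added example that is not part of this thread (the realm string and the foo/bar credentials are constructed to match the demo URL above, not taken from httpbin's code):

```python
import base64
import hmac

# Constructed values (assumption): a realm name and the credentials the
# demo URL above is expected to accept.
REALM = "Fake Realm"
VALID_USER = "foo"
VALID_PASSWORD = "bar"


def challenge_response():
    """The 401 a server returns when no valid credentials arrive.

    The WWW-Authenticate header is what makes the browser open its own
    native Basic Auth prompt; a page's DOM cannot produce that chrome UI.
    """
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def parse_basic_authorization(header_value):
    """Return (user, password) from an Authorization header, or None.

    Rejects a missing header, a non-Basic scheme, invalid base64, and a
    decoded string that lacks the required user:password colon.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def check_request(headers):
    """Return (status, response_headers) for a request's header dict."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        return challenge_response()
    user, password = creds
    # Constant-time comparison of both parts, so timing does not reveal
    # whether the username or the password was the part that mismatched.
    ok = hmac.compare_digest(user.encode(), VALID_USER.encode()) & \
        hmac.compare_digest(password.encode(), VALID_PASSWORD.encode())
    return (200, {"Content-Type": "application/json"}) if ok else challenge_response()
```

A first request without an Authorization header gets the 401 and the browser's native prompt; only after the user fills that in does the browser retry with `Authorization: Basic <base64(user:password)>`.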


Interesting, Firefox made it overlap very slightly with the browser chrome, which I'd never noticed before; is that, perhaps, specifically because of this issue?


The popups to give permissions are already being spoofed by pages. Fake Chrome permissions requests for notifications get around Chrome's detection of sites that request to send push notifications too aggressively. You can't stop this unless you physically take over the full screen for stuff like login, which is extremely disruptive.


Reminds me of the old 90s days of Apache with .htaccess file auth setup.


90s? I use that to this day!


Opening the auth window in a tab instead of a window would help. Including an avatar and extensions in the popup window and opening it on top of the chrome on the main browser window would help to differentiate it.


Even if browsers did this, you can still execute this attack. As long as not all of your users know what the expected behavior is, you can trick them with a fake UI as long as it looks believable.


The goal is not to protect 100% of your users, it is to reduce the number of users who are currently vulnerable. One is possible, one is not. If you can significantly reduce the number of users who will fall for an attack, then it is a success, even if not everyone is protected.



