web application security lab

Minimalistic UI Decisions in Browsers


I’ve tried to talk about this a few times to people over the last year or so, but I think it’s hard to explain without pictures. So I gathered a bunch of screenshots that should help explain why I’m not a huge fan of the minimalistic browser concept. More browsers are getting on board with this, and while I absolutely do believe it makes people more productive and therefore faster, there are some negatives that are worth pointing out. Frankly, I do believe there is a lot of wasted space in browsers, so at first blush, I’m sure most people would agree that the various browsers are heading in the right direction by emulating Chrome. I actually agree with the basic concept, with the exception that I think there are some gotchas that are worth thinking about before we’re “got”.

I’m certainly not saying there’s no way to fix these issues either, but I don’t think it’s wise to run headlong into a bunch of potentially dangerous problems without knowing that they’re there. So I hope this sheds some light for those people I talked to, and for anyone else who’s interested! :)

9 Responses to “Minimalistic UI Decisions in Browsers”

  1. Wornstrom Says:

    The last example makes a good point, but is really an argument for why GET requests should never trigger actions. Place an image linked to that URL on your page and boom.

  2. Wladimir Palant Says:

    Robert, I think that you are operating under a wrong premise here - namely that this display has security value. I seriously doubt that it does.

    a) Very few users understand URLs. So while seeing the target URL might give a clue to security experts, it doesn’t help “regular” users.

    b) No matter how much space you give to the link target hint, it can still overflow (yes, in Firefox as well). So somebody malicious will simply add a lengthy “session ID” to the URL, that’s common enough to be unsuspicious.

    c) Spoofing the link target is still trivial; it’s as simple as changing the link target in the mousedown event - or using a click event handler that will direct you to a very different page. Sure, this requires JavaScript, but a malicious or XSS’ed webpage could also use a meta refresh for example and you wouldn’t even need to click.

  3. piR Says:

    I’m not sure end users can learn what a URL means.

    And when they have done that, you will see that they could become paranoid because of the current use.

    My bank uses a weird subdomain when I access my account.
    I bought some concert tickets online and was redirected through domains and subdomains out of the original website (because there is the artist website, the ticket seller and the bank website), at which point I was wondering if I was the victim of a scam.

  4. MrAnderson Says:

    Sorry to say, but ignorance is not an excuse. In fact it’s still the biggest cause of deception. If a user is not minimally aware of how a URL works, or what it is, it’s his own fault to be the target of scams. I mean that those who are not ignorant should not incur penalties just because of ignorant people. If “end users” won’t understand URLs it doesn’t mean the browser shouldn’t show them, so that at least the expert users are not falling victim to a scam.

  5. wlet Says:

    Hi,

    IMHO all the points with the “short” status bar don’t apply.
    If you can manipulate a GET request you’re able to insert a whole lot of whitespace (ok, in 90% of all cases). The result is the same:
    http://img406.imageshack.us/img406/5083/evillink.jpg

    Three small dots indicate that the URL is too long to display. IMHO it would be better to display a bunch of “%20” in the status bar. And of course this also affects the URL bar. Same problem with reflected XSS, just put enough whitespace in and run it through a URL shortener like bit.ly.
    Example:
    "http://demo.testfire.net/search.aspx?txtSearch=fooo%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cscript%3Ealert%28%22pwn%22%29%3C/script%3E"

    Now have a look at this and check the URL bar:
    http://bit.ly/gV5Jpb

    cheers
    wlet
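
The padding problem raised in Wladimir Palant’s point b) and in wlet’s comment above comes down to how a preview is truncated. The following is an added example, not code from the original post, its comments or any browser: a preview formatter that keeps the host and the end of the link visible and makes runs of escapes such as %20 show up as a count rather than as invisible spaces. The width budget, the output shape and the sample links (example.test domains) are all assumptions made here.

```javascript
// Added example (not from the original post or its comments): a status-bar URL
// preview that resists padding tricks (runs of %20, or a long fake "session ID",
// pushing the end of a link out of view). Rules: show scheme and host first,
// never decode percent-escapes for display, collapse repeated escapes into a
// visible count, and elide the middle of the remainder instead of its tail.

const MAX_PREVIEW = 80; // assumed width budget, in characters

// "%20%20%20%20..." (four or more of the same escape) becomes "%20{x150}".
function collapseEscapeRuns(s) {
  return s.replace(/(%[0-9A-Fa-f]{2})\1{3,}/g,
    (run, esc) => `${esc}{x${run.length / 3}}`);
}

// Returns { text, padded, host }: the display string, whether an escape run was
// collapsed (a UI could flag this), and the host shown (null if unparseable).
function previewUrl(raw, maxLen = MAX_PREVIEW) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    // Not an absolute URL: show it verbatim, but bounded.
    const text = raw.length > maxLen ? raw.slice(0, maxLen - 1) + '\u2026' : raw;
    return { text, padded: false, host: null };
  }
  // Schemes like javascript: or mailto: have no host; the scheme itself stays visible.
  const head = u.protocol + (u.host ? '//' + u.host : '');
  const restRaw = u.pathname + u.search + u.hash;
  const rest = collapseEscapeRuns(restRaw);
  const padded = rest !== restRaw;
  if (head.length + rest.length <= maxLen) {
    return { text: head + rest, padded, host: u.host };
  }
  // The host stays intact; the remainder loses its middle, not its end.
  const budget = Math.max(maxLen - head.length - 1, 0);
  const keepEnd = Math.floor(budget / 2);
  const keepStart = budget - keepEnd;
  const text = head + rest.slice(0, keepStart) + '\u2026' + rest.slice(rest.length - keepEnd);
  return { text, padded, host: u.host };
}

// Constructed sample links (not real sites): a %20-padded search link modelled on
// the comment above, and a link hiding its destination behind a long session id.
const PADDED_LINK = 'http://demo.example.test/search.aspx?txtSearch=foo' +
  '%20'.repeat(150) + '%3Cscript%3E';
const SESSION_LINK = 'https://bank.example.test/login;jsessionid=' +
  'a'.repeat(200) + '?go=%2Ftransfer';

console.log(previewUrl(PADDED_LINK).text);
console.log(previewUrl(SESSION_LINK).text);
```

Both sample links keep their host and their final query parameter on screen within the 80-character budget; a plain left-to-right cut would have shown only padding.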

  6. Maximinus Says:

    Recent versions of Chrome show protocols other than “http://” in the URL hover boxes, and hovering over a URL for about a second causes the hover box to expand to show the full URL.

    The way that the entire title and icon can disappear from tabs when you have a lot of them open does annoy me, though - it’d be nice if it could scroll or spill into a dropdown list or something…

  7. Sri Harsha Says:

    For what it’s worth, if you hover the mouse over a link in Chrome for a little more than 2 seconds, it’ll show the complete URL.

  8. Patrick W. Barnes Says:

    While URL previews are not entirely reliable, they can provide valuable hints. As this post illustrates, a browser wilfully obfuscating URLs is saving attackers some effort and potentially enabling tricks that more complete URL previews could uncover.

    It’s more than just a security issue, I also find it to be an inconvenience. I often like to see the URL of a link before clicking for reasons other than security.

    With Firefox 4 Beta 7, Mozilla removed the status bar and moved URL previews into the address bar space. This change reduces the space available for URL previews, following the minimalist concept. It would be interesting to see a similar set of tests performed with the latest Firefox beta.

    I would not mind the reduced space afforded to URL previews if browsers provided a quick, easy and reliable way to view the full URL, perhaps by clicking on the URL preview space or a nearby button.

  9. Sasha Says:

    I remember that not too long ago, you could run a scrolling special message in the status bar. kinda cute. ;)