Will you miss the favicons in Firefox 3.0?

[polonus]

Hi malware fighters,

There is a proposal to ban favicons from appearing in the URL bar and tabs coming with the Firefox browser version 3.0.
Read: http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/FavIcon
Spoofing a favicon or even a padlock is a security risk, and there are enough users not giving attention to the fact that they are not at the site they intended to be.
Some consider favicons essential to their browser experience they would swap browsers to keep the insecure feature, others say malcreants do not play nice anymore. So isn't there a secure way to be able to keep on to them at least in the tabs? What do the forum members think of this security issue?

polonus

[DavidR]

The fact remains with or without a favicon, people still be in the same position, clueless.

Spoofing a favicon or even a padlock is a security risk, and there are enough users not giving attention to the fact that they are not at the site they intended to be.

So unless there is some underlying security to stop the arrival at an unintended site does it matter is there is a favicon or not.

[polonus]

Hi DavidR,

When I try to follow your thinking pattern here, and while the essence of it seems quite obvious, we can ask ourselves the question what do we have here? A symptom of the problem, and the proposal will not mean the solution of the problem, just adding somewhat more security through obscurity (favicon gone).
Am I right or did you come to the same conclusion. What are these experts talking about, why they like to apply this? Read about the FF 3.0 location bar: http://wiki.mozilla.org/Firefox3/Location_Bar

polonus

[RejZoR]

It's kinda lame if you think i have a list of bookmarks with 30 forums. All without favicons are hard to distinguish. But if most of them have favicons i can quickly sort them just by looking at favicons.
So yeah, i hate the thouht of not having favicons. I hope it will just be disabld by default but be possible to enable it manually. I like it and it doesn't compromise my seciroty at all.

[DavidR]

<snip>
What are these experts talking about, why they like to apply this? Read about the FF 3.0 location bar: http://wiki.mozilla.org/Firefox3/Location_Bar

polonus

Essentially it is a possible symptom of a possible (I know too many possibilities) problem and yes we should treat the disease.

It isn't the favicons that are dangerous, it is the subterfuge/phishing in getting you to a different site than you believe your on and that won't change just because there is no favicon to potentially mislead the user into thinking they are at the correct site or not. If there is a favicon, this can be faked just the same as the web page, remove the favicon and the web page still looks like the correct one.

However, these so called experts are also saying the favicon, somehow gives control over chrome and that is what is dangerous, well all I can say to that is fix it so that favicons/web sites don't have control without having to remove the favicons. Surely that shouldn't be beyond the collective whit of all those application programmers out there.

Favicons in the URL bar are dangerous, because they represent the website having some control over what's in the chrome. This danger is why we turned off website access to the status bar.

So basically I'm saying there is absolutely no benefit in not displaying the favicon as your average user will be no better equipped to decide if the site is bogus or not and we have survived this far with favicons with supposed control over chrome.

As RejZoR said the bookmarks would be indistinguishable with the icons not to mention bland and butt ugly, so you can add me to the list of leave it alone or allow user selection.

[Zagor]

Security issue or not, as RejZor said, they are quite usefull.

[polonus]

Hi Zagor,

It is as with a lot of things that go wrong in windows because of leaving consequent rules. This is the case with rights policy  (the one program can be installed with, the other more dangerous and nefarious  one without or even hidden automatically). Same story here with a complicated but very essential part of the Windows structure "trust", what trusts what? and in what hierarchy? And here also. Basic problem too many rules are just bended and tweaked to give 100% "dumbo" features and compatibility. To-day the malcreant does not mean fun anymore, and what looses out in the end? Security, and who "the end-user".. This is why windows is broken, this is why protection is so very difficult to achieve.
If you want to adjust to the future situation try locationbar 2:
http://en.design-noir.de/mozilla/locationbar2/
For security implications read here:
http://www.mozilla.org/security/announce/2007/mfsa2007-17.html


polonus

[polonus]

Hi Zagor and RejZoR,

Making these favicons is as easy as pie, you can even do it online:
http://www.html-kit.com/e/favicon.cgi
It can be used for good and bad purposes off course.
I added a superfavicon double size preview made with the toolkit, see under as preview.

pozdravi

polonus

[polonus]

Hello Zagor and RejZor,

Want to check up on the flavicon (remember to use notificationbar2), then go here for the online validator: http://www.html-kit.com/favicon/validator/

enjoy,

polonus