Unfortunately I fear this is not possible based on the sheer momentum that this ball of sticky tape and string has.
I think the sheer number of articles that paper HN all the time over browser and protocol vulnerabilities, leaks and problems backs up my assertion.
EDIT: just to add, my frustrations are based on having to spend 5 hours porting some JS code so it works properly on all browsers.
The key thing you need to wrap your head around is that software ecosystems are not designed; they accrete and evolve organically, and no one has any power to change that.
Consequentially, they're all as bad as each other.
"More secure" is subjective, i.e. it's more secure to us public but who the hell knows there aren't 100 zero-days out there in the wild changing hands for thousands of dollars.
It's not momentum, the browser is essentially a universal OS, the holes would still be there if you started again from scratch.
Actually the browser is a non-universal OS which has several vendor extensions and incompatibilities which poke you in the eye day after day.
It's like the UNIX fragmentation in the 90's (OSF/1=Firefox, HPUX=Chrome, Solaris=IE, UNICOS=Opera).
It's possible to build something without holes. You just have to hire the right people and actually think about it before adding shitty features.
Once that one is out, you're screwed.
That applies to most of computer science ironically.
1) Don't have a computer
2) Don't turn one on
3) For goodness' sake, don't connect one to a network.
The simple fact is that there is a high demand for interactive applications. One of the best ways to distribute these applications is the web using JavaScript. If, for some reason, this distribution channel were removed (let's say it was removed by law) the demand would still be there, and the 'older' channel still remains - native apps. If the average person uses, say, 20 webapps heavily and a few hundred glancingly, and let's say that 10% of these survive the transition (probably a high figure) that's still a good handful of new native apps, each of them with their own security issues.
Sure, it sucks to develop for. But it's not fundamentally impossible to make it secure and private.
Many "browser vulnerabilities" (esp. non-IE) are actually vulnerabilities of Flash, an entirely different [and dying] platform.
Tells nothing more than someone has written shitty code in the beginning.
I agree fully. So do the people working on Algol-68, PL/I, Multics, the Canon Cat, Plan 9, and, perhaps most relevant to this, Project Xanadu.
(Esperanto probably deserves a mention here, but it's duking it out somewhere with Volapük, Ido, Interlingua, Loglan, and Lojban.)
The problem that has shot us as a race is that in the 1990s, technology became suddenly ubiquitous and whatever was lying around was glued together to fill a niche which took off before people had a chance to think about it and engineer something sound. An analogy perhaps:
What are you even doing these days that requires "porting JS code"? I haven't had to do that for ages and it was on poorly written JS to begin with.
This code has to work right down to ie6.
In order to get any meaningful information from this attack, you would need to know what application/website the user is currently using (or send them to it), where it's positioned on the screen and the exact layout of the subject. The interface would also have to be either mouse- or meta-key driven, which isn't a common facet for sensitive inputs (passwords, bank transfers, and private messages off the top of my head).
My bank on their online site asks for my account number, a memorable piece of data and a 6 digit passnumber that they generate (and I can't change). The passnumber is entered using pull-down menus for each digit, always ordered 0-9.
So, no, an attacker wouldn't have access to all the information they need, but they'd certainly have access to more than they should, in this case, if they're able to take advantage of this, that is.
And it's not just for general users; some sites do offer additional functionality in this field for users with accessibility requirements (large on-screen number pads, etc).
So, yes, I'm sure the % of affected sites is low, but just 1 bank whose online system is compromised by this is 1 bank too many.
Even if mouse position tracking is permitted, it should clearly be limited to the current tab. Cross-tab, and certainly, cross-application is just clearly wrong.
Who are these companies?
It's a symbolic flag to respect users' preferences or browser vendors are going to make ad-block standard by default just like pop-up blockers.
If ad companies ignore DNT they are digging their own graves.
It's not about protecting users. It's about heading off an arms race to help protect the ad industry.
It seems to me that the harm is greater not naming names - reputation is important and if you take steps to invade users' privacy then your reputation can and should suffer for it.
We might learn a lot about how people use computers and UIs with such data.
Would provide lots of info without compromising much detail.
Off the top of my head I know ING Direct had a virtual pinpad. Combine this with an XSS vulnerability I could easily send you a link to log in to your bank website. The link would then load this type of mouse tracking data.
Any reputable bank will give you a small external card reader with a keypad where you have to insert your smartcard, enter your PIN and punch in the challenge-response code from the website. 2-factor authentication is a solved problem, plus no risk of keyloggers since the device is disconnected from the computer. (Most come with the option of connecting to the computer via USB to save you from manually entering the challenge-response but your PIN is always entered on the external keypad.)
The pad can be anywhere on the screen, and it can be in a different place each time, but you'd be able to capture repeated patterns of clicks.
Then of course, it is just like Flash, it can track your mouse.
Edit: I am one of the authors of the demo code included in the disclosure.
Damn, this is FUBAR!
It seems far-fetched. And if you're using a virtual keyboard for security... you'd be using IE? C'mon now.
You know why? Because I use Chrome.