Douglas Crockford

Secure Colors

The web accidentally introduced the idea of a distributed program that represented the interests of multiple parties cooperatively serving a human. The obvious security problem is that those parties should not fully trust each other, and the human should not fully trust them either. All should be suspicious of each other, protecting their own interests. To do this successfully, we rely on containment, isolation, and strong interfaces.

As we transition to actor systems, the benefits of cooperation under mutual suspicion will increase, and it remains important to protect the human. One of the most menacing attacks is for a party to visually impersonate the browser or the operating system in order to trick the human into giving up critical information. The attacker will try very hard to spoof. We want to help the human recognize the spoof.

The operating system should, in some conspicuous corner, display a color cycling region. By convention, any dialog representing the operating system will display the same color cycle in synchronization. There will be rules that prohibit guest code from sampling pixels outside of its assigned region. The color cycling is driven by a random number generator. The spoofer can know the algorithm, but cannot know what the random colors are.

In this demonstration there are two dialogs requesting the human's super password. Only one is legit.

[Demonstration: a menu bar (File, Edit, Doom, Despair, Agony) and two dialogs, each reading "Please enter your super password:"]

The idea is that the system can present some information that allows the user to easily determine if a widget is real or if it is a spoof. This is done with a pattern of changing colors. The theory is that a human can quickly distinguish between and . With experience, humans will grow to always look for the colors.
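A small simulation of the scheme described above, added here as an example and not taken from the original demonstration. The names `SecureColorSource`, `randomIndex`, `simulate` and `PALETTE` are hypothetical, and the eight-color palette is an assumption about what a human can tell apart at a glance.

```javascript
// Added example. SecureColorSource, randomIndex, simulate and PALETTE are hypothetical names.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed palette: a few colors a human can tell apart at a glance.
const PALETTE = ["#e6194b", "#3cb44b", "#ffe119", "#4363d8",
                 "#f58231", "#911eb4", "#42d4f4", "#000000"];

// Uniform index from the CSPRNG; rejection sampling avoids modulo bias.
function randomIndex(n) {
    const limit = 256 - (256 % n);
    const buf = new Uint8Array(1);
    do { rng.getRandomValues(buf); } while (buf[0] >= limit);
    return buf[0] % n;
}

// Held by the operating system only. Guest code gets no reference to it.
class SecureColorSource {
    constructor() { this.listeners = new Set(); }
    subscribe(paint) { this.listeners.add(paint); }
    tick() {
        const color = PALETTE[randomIndex(PALETTE.length)];
        for (const paint of this.listeners) paint(color);
        return color;
    }
}

// Count how often a system dialog and a spoofed dialog show the corner's color.
function simulate(ticks) {
    const source = new SecureColorSource();
    let corner, dialog;
    source.subscribe((c) => { corner = c; });   // conspicuous corner region
    source.subscribe((c) => { dialog = c; });   // genuine system dialog
    let dialogMatches = 0, spoofMatches = 0;
    for (let i = 0; i < ticks; i += 1) {
        source.tick();
        // The spoofer knows the algorithm and palette but must guess the draw.
        const spoof = PALETTE[randomIndex(PALETTE.length)];
        if (dialog === corner) dialogMatches += 1;
        if (spoof === corner) spoofMatches += 1;
    }
    return { dialogMatches, spoofMatches };
}

console.log(simulate(200));
```

The genuine dialog matches the corner on every tick, while the guessing dialog matches only about one tick in eight, so it falls visibly out of step within a few color changes.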

A nagging problem is full screen mode. In full screen mode, a bad actor can easily impersonate anything that can be displayed. Current systems try to mitigate this by warning the human that the display is going into full screen mode. A more effective mitigation is to sharply reduce the capability to receive input events. In full screen mode, guest actors can receive play, pause, and so forth. Most other events will be suppressed. Some events, such as select and enter, will kick the actor out of full screen mode.

Tangential aside: The browser's interests are not necessarily the same as yours, nor are the operating system's. The operating system used to be concerned with the reliable execution of programs. Over the years, it has taken on other missions, such as monetizing your activities.