Yes, as long as HotDogL doesn't leak the OS variant via the User-Agent string, JavaScript fingerprinting, or TCP fingerprinting. I believe CloudFlare has already developed and explored all of these paths, obviously to great effect. This means replication of what CF has done is only a matter of pouring resources into it, surely many others have also completed bits and pieces or maybe even superior top-secret proprietary technology.
What's that Ultra-privacy oriented Linux distro which is TOR-centric, with a locked-down-by-default browser config? That beast might be your best bet.
> What's that Ultra-privacy oriented Linux distro which is TOR-centric, with a locked-down-by-default browser config? That beast might be your best bet.
QubesOS never allows true full screen mode to prevent spoofing attacks, the titlebar and taskbar are always visible. It also forces all windows to display a colored border, the color represents the application's security domain. A window in an untrusted VM cannot pretend to be a trusted VM window. A spoofed browser screen won't show the correct titlebar and (user-defined) color.
But what makes this attack frightening is that even such kind of extreme measures only provide limited protections. Spoofing is still possible, you can bet on the default theme with a red border - this is the default for untrusted, disposable VM. I'd say I would totally fall for this.
The only thing that makes it somewhat safe is the impossibility to detect QubesOS reliably. Some heuristics exist: you can detect CPU cores, a low number indicates a potential VM. You can also detect the GPU model, a LLVM software renderer or disabled WebGL is a strong indication of VM or Tor Browser. But none is reliable.
It's actually not about the browser config, its all about the graphics - this reminds me in firefox you could customize the UI easily with an overlay image.
That would defeat this attack, assuming it was random/undetectable. Maybe time to go the other way and never lock down the config...
Or just disable anything resembling a box in the browser, make html strictly hyper text media again, no programming or js.
I love this idea, wish this was a standard feature implemented in many of my applications and operating systems.
Also.. setting a custom UI background image sounds like browser configuration to me :p
Seriously though, the difference with and genius in your idea is essentially applying the "Send my bank a custom secret they then present to me so I know if I'm really speaking with them", except with new twists in:
1. Know if a window belongs to my FF client / OS / whatever needs securing.
2. The absence of further concerns about what OS details get inevitably leaked, at least for protecting against this one class of threat.
What's that Ultra-privacy oriented Linux distro which is TOR-centric, with a locked-down-by-default browser config? That beast might be your best bet.