How can I convince my client that trying to hide the browser toolbar is a bad idea?

Question

My client has a friend who is doing 'security testing,' and he's telling them that the PHP Zend Framework app I built for them needs to do these things on the browser side:

• hide location bar, toolbar, bookmarks, menu, and the back / forward button
• disable right-clicking

This is obviously a monumentally bad idea. I have pointed out that it hides the fact the site is SSL-secured, that it is optional for browsers to honour these requests, and that real crackers will find a way around it anyway, since it is a client-side hack.

In addition to the badness of the idea, is it even possible? The basic tests I've done show this is only possible in ie before version 7, and not at all in Firefox, Safari, Chrome. The guy insists it is possible in these browsers, I'm still waiting for a proof of concept.

1. Is it possible? Either in a pop-up or in the same window.
2. Any leads for usability studies that reject this approach?
3. Is there any support anywhere for this idea that is less than 5 years old?

Better, though: any really good demolishing of this idea, especially from any source that is a security authority?

My client trusts this guy so I have to find some non-emotive counter-arguments.

Thanks

Answer 1

Point out that

1. Even if the back/forward buttons are gone, almost every GUI browser under the sun still has keyboard shortcuts that can't be removed, e.g. alt-leftarrow/alt-rightarrow for navigation, ctrl-d for bookmarking, etc...
2. Most browsers have a "ignore disable right click" option in their settings. 2a. With the right click menu still available, it's trivial to get the url of the current page, and just copy/paste that into a normal non-gimped window and proceed as usual anyways.

Trying to achieve security by ramming "disabled" windows down peoples' throats is bad design. A good site wouldn't care if you had a file or bookmarks menu, nor would it care if back/forward were available. Removing them simply covers up for bad design decisions.

All he's doing is removing a hammer from the users' tookits, but the users still have lots of rocks lying around.

Answer 2

Not sure how much help this will provide, and I am assuming you have some sort of contract of what work will be provided. Simply refuse to do it. Walk away if you have to. If your client has a friend that is so set on performing such moronic tasks, let the client's friend do it and move on.

Sounds to me like you have come to a situation where you need to walk, or possibly fire your client.

Personally, I would even entertain the idea.

Good Luck!