W3C home > Mailing lists > Public > public-webapi@w3.org > April 2008

Re: What is Microsoft's intent with XDR vis--vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 2 Apr 2008 18:37:59 -0700
Cc: Jonas Sicking <jonas@sicking.cc>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Sunava Dutta <sunavad@windows.microsoft.com>, Ian Hickson <ian@hixie.ch>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>, David Ross <dross@windows.microsoft.com>, Nikhil Kothari <nikhilko@microsoft.com>
Message-Id: <D845BF7B-3C16-4A21-BEBB-3C4424595656@apple.com>
To: "Close, Tyler J." <tyler.close@hp.com>


Hi Tyler,

On Apr 2, 2008, at 6:08 PM, Close, Tyler J. wrote:

>
> Maciej Stachowiak wrote:
>> On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote:
>>
>>>
>>> Sending the user's cookies, as AC4CSR does, is just not a viable
>>> design, since the target resource cannot determine whether or not
>>> the user consented to the request. I've posted several explanations
>>> of the attacks enabled by this use of ambient authority, and, in my
>>> opinion, the issues are still outstanding. The use of ambient
>>> authority in AC4CSR is a show-stopper, as reflected in the decision
>>> Mozilla announced on this mailing list.
>>
>> Can you please post these examples again, or pointers to where you
>> posted them? I believe they have not been previously seen on the Web
>> API list.
>
> I've written several messages to the appformats mailing list. I  
> suggest reading all of them.

W3C's search finds the following 50 messages from you:

http://www.w3.org/Search/Mail/Public/search?hdr-1-name=from&hdr-1-query=tyler.close%40hp.com&index-grp=Public__FULL&index-type=t&type-index=public-appformats&resultsperpage=20&sortby=date&page=2

Can you help me out with finding which contain descriptions of  
security flaws in the spec (which have not yet been addressed through  
spec changes)? The first three I looked at randomly did not contain  
any descriptions of security flaws.

> The most detailed description of the attacks are in the message at:
>
> http://www.w3.org/mid/C7B67062D31B9E459128006BAAD0DC3D074F8B6507@G6W0269.americas.hpqcorp.net
>
> with a correction at:
>
> http://www.w3.org/mid/C7B67062D31B9E459128006BAAD0DC3D074F8B650D@G6W0269.americas.hpqcorp.net

Thanks for stepping up with some actual specific attacks. I will read  
them carefully and respond soon with my analysis (also in light of  
Ian's reply to you).

>
>> A number of people have mentioned that the AC approach to
>> cross-site XHR is insecure (or that XDR is somehow more secure),  
>> but I
>> have not yet seen any examples of specific attacks. I would love to
>> see this information. If I do not see a description of a specific
>> attack soon I will assume these claims are just FUD.
>
> I think we've met before at a SHDH event. That was a more pleasant  
> conversation. Hopefully, we'll be able to regain that tone.

Sorry for tossing you in the same bucket as those making (so far)  
unsubstantiated claims. I'm not trying to be unfriendly here, I'm just  
trying to get us to objective facts about security, which so far have  
been lacking in this discussion. This is very frustrating to me,  
because saying a spec is insecure without giving details is just  
yelling fire in a crowded theater. Whereas describing specific attacks  
is very helpful, so thank you for doing so.

>
>> Note also that sending of cookies is not an essential feature of
>> AC4CSR; certainly it could be a viable spec with that feature  
>> removed.
>> Do you believe there are any other showstopper issues?
>
> Possibly. There is a lot of complexity in the AC4CSR proposal. I've  
> been writing about the most severe things as I find them.

Now would be a great time to collapse the wave function on that  
"possibly". I have been trying to think of attack models against both  
AC and XDR myself and so far have not come up with anything that holds  
water (I did mistakenly think AC had a DNS rebinding vulnerability,  
but I was wrong). We must carefully identify the security issues  
(including second-order effects that may result from limiting  
capabilities) to make informed decisions about this technology area.

Regards,
Maciej
Received on Thursday, 3 April 2008 01:38:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 3 April 2008 01:38:50 GMT