W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: Jonathan Rees <jar@creativecommons.org>
Date: Fri, 23 Oct 2009 17:04:23 -0400
Message-ID: <760bcb2a0910231404h751fb9f2m5320c4818a4bdbfe@mail.gmail.com>
To: Doug Schepers <schepers@w3.org>
Cc: Maciej Stachowiak <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Comments below

On Thu, Oct 22, 2009 at 6:12 PM, Doug Schepers <schepers@w3.org> wrote:

> Let's take it a step further, and propose a worst-case scenario.  Say that
> some undetected hypothetical vulnerability in CORS is discovered some years
> from now, with a degree of severity akin to CSRF.
>
> At that time, we can learn from those new vulnerabilities, and either make
> CORS more secure, or develop a new technology that solves some or all or
> more of the use cases at hand, and discourage the use of CORS (or even block
> the CORS mechanism in servers and clients).
>
> Certainly, some damage will have been done.  Will the damage done be more or
> less than the damage done by less-secure or less-private workaround
> developers employ instead to solve the use cases that CORS is designed for?
>  It's impossible to predict, but it's a real question.
>
> I know that this argument is on the slippery slope towards being a
> slippery-slope argument, but my point is that, through inaction born of
> trepidation toward unknown unknowns, we may cause as much (or more) of a
> security problem than if we act now in a way that seems the most responsible
> course of action, and learn later from our mistakes how to improve the
> situation.
>
> Regards-
> -Doug Schepers
> W3C Team Contact, SVG and WebApps WGs

Thanks for putting the situation in these terms; I like the form of
this analysis, even if am not sure I agree with the conclusion.

The brief summary of the debate is that Mark M is citing Tyler's
argument, and Mark's and Tyler's long experience with this kind of
thing, in predicting that any system with the currently described CORS
architecture will have vulnerabilities. Anne has said, I don't get it,
show me the goods, and rejected a first attempt. It's not clear where
the burden of proof should be; those who care about first about
security will say "convince me the risk is acceptable", while those
who are first trying to get something done will say "convince me that
the risk is unacceptable".

We're not talking about some unknown future vulnerability; we're
talking about a known class of vulnerabilities (CSRF or confused
deputy), and trying to figure out the magnitude of the risk given the
proposed solution. The solution design is untried in distributed
systems and in Javascript, which raises the risk, but there is a
deployed analog, namely the Java security model, that those who like
stack introspection can point to. So the risks are not necessarily
unknowable; it may be that more analytical work is required than
anyone who has been paying attention wants to invest.

It seems OK if the WG's answer is "let's take the risk" as long as
there is a well-articulated rationale similar to the one you give
above. Then the downstream process can sort out whether the W3C brand
should be applied to the solution.

Jonathan
Received on Friday, 23 October 2009 21:04:57 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:34 GMT