
Re: [cors] unaddressed security concerns

From: Kris Zyp <kris@sitepen.com>
Date: Sat, 24 Oct 2009 07:33:06 -0600
Message-ID: <4AE30212.4050708@sitepen.com>
To: David-Sarah Hopwood <david-sarah@jacaranda.org>
CC: public-webapps@w3.org
David-Sarah Hopwood wrote:
> Doug Schepers wrote:
>> I'm not at all a security expert, or even particularly
>> well-informed on the topic, but it does occur to me that most of
>> CORS' opponents seem very much in the capability-based security
>> camp [1], and may distrust or dislike something more
>> "authentication-based" like CORS.
>
> The reason for that is that the main issue here is CSRF attacks,
> which are a special case of a class of vulnerabilities (confused
> deputy attacks) that capability systems are known to prevent, but
> that other access control systems are generally vulnerable to. So
> it is not surprising that proponents of capability systems would be
> more likely to recognize the importance of this issue.
If I had to briefly describe CORS, it would be a specification for
allowing cross-site requests while minimizing the transfer of common
forms of ambient authority. Isn't that exactly what capability theory
would advise?
>
> Indeed the most common -- and arguably most effective -- defence
> against CSRF is to use an unguessable token as an authenticator.
> That token is a sparse capability, used in essentially the same way
> that a capability system would use it.
>
With the current design of defaulting to not sending the headers that
usually supply ambient authority (Cookie and Authorization, which would
otherwise be delivered automatically), it seems like we are indeed
pushing developers to use more capability-style techniques like
unguessable tokens. I am totally in favor of capability systems, but
the main criticism here seems to be around CORS' overall design, and it
seems to me that the overall design is a great fit for capability-based
approaches.



--
Kris Zyp
SitePen
(503) 806-1841
http://sitepen.com
Received on Saturday, 24 October 2009 13:33:47 GMT