Re: UMP / CORS: Implementor Interest from Ian Hickson on 2010-05-13 (public-webapps@w3.org from April to June 2010)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 13 May 2010 01:33:59 +0000 (UTC)
To: Tyler Close <tyler.close@gmail.com>, Dirk Pranke <dpranke@chromium.org>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.64.1005130108350.8532@ps20323.dreamhostps.com>
On Wed, 12 May 2010, Tyler Close wrote:
> >
> >> It is also not a question of opinion, but fact. CORS uses ambient 
> >> authority for access control in 3 party scenarios. CORS is therefore 
> >> vulnerable to Confused Deputy.
> >
> > That's like saying that HTML uses markup and is therefore vulnerable 
> > to markup injection. It's a vast oversimplification and overstatement 
> > of the problem.
> 
> Is it really? XSS is a major problem. HTML provides no facility for 
> dealing with XSS and practically invites it. It's hard to deal with this 
> situation now since HTML is so widely deployed. CORS invites Confused 
> Deputy problems but is not yet widely deployed. We can still do 
> something about it.

HTML's use of markup is not a vulnerability.
CORS's use of ambient authority is not a vulnerability.

Sure, both can be used in vulnerable ways, but they are not themselves 
vulnerabilities.


> > It is quite possible to write perfectly safe n-party apps.
> 
> It is also quite possible to stand on your head while riding a bicycle. 
> What's your point?

My point is that you are arguing that one design is less good than 
another, but you are using words that make it sound like you are arguing 
that one design is actually intrinsicly vulnerable. It's just as possible 
to make bad designs using UMP than with CORS. (I would argue that UMP 
actually makes it more likely that designs will have poor security 
characteristics since it ends up being easier to ask for the user's 
credentials directly than doing the right thing. With CORS, on the other 
hand, it's easier to use the user's existing session, so it's less likely 
that people will ask for credentials inappropriately.)


> No one has laid out a clear strategy for developers to follow to use 
> CORS safely and shown how to apply it to expected use cases.

What use cases would you like examples for? Let's write them up and give 
them to Anne to the introduction section.


> The CORS spec doesn't even mention Confused Deputy problems.

I'm sure Anne would be happy to include suitable text if you provide it. 
However, such text has to be accurate, and not make false claims like 
saying that there is a security vulnerability where there is only the 
potential for one when the feature is misused.


> >> > It is certainly possible to mis-use CORS in insecure ways, but then 
> >> > it's also possible to mis-use UMP in insecure ways.
> 
> You could justify any kind of security weakness with that kind of logic. 
> Nuclear waste can be used in insecure ways, but then so can hammers.

No. There is a _massive_ difference between features that _may_ be 
misused, and features that _cannot be used safely_. For example, if XHR 
let you read data from any site without any sort of server opt-in, that 
would be a real security vulnerability, and could not be defended by 
saying "it's possible to mis-use it". It is possible to use CORS safely.


> We've gone through several scenarios on this list where this validation 
> is not feasible. On the chromium list, I recently explained how it is 
> not possible to implement a generic AtomPub client that does this 
> validation:
> 
> http://groups.google.com/a/chromium.org/group/chromium-dev/msg/afda9a4d1d1a4fcb

I don't think using AtomPub is necessarily a good idea. AtomPub was not 
designed for use with CORS. If you're going to use technologies 
inappropriately then sure, you'll have security problems.


> Others on this list have agreed that doing this checking is not always 
> possible.

It's possible to design systems that can't be made secure, whether using 
CORS or UMP. But there the vulnerability is with that software, not with 
the underlying technology.


On Wed, 12 May 2010, Dirk Pranke wrote:
> >
> > There's clearly not complete consensus since at least I disagree.
> 
> I'm trying to understand what you mean by this. Are you saying that CORS 
> doesn't ever have Confused Deputy vulnerabilities? Or that it didn't 
> create new ones? Or that the vulnerabilities exist but aren't "subtle 
> but severe"?

I'm saying that CORS doesn't ever have Confused Deputy vulnerabilities, 
it's software that misuses CORS that has them; just like HTML doesn't ever 
have markup injection vulnerabilities, it's the software that embeds user 
content without verifying it that has those.

The guidelines for not falling prey to these attacks with CORS are pretty 
simple: don't do things on behalf of other origins, or include data from 
other origins without verifying the data. It's actually the same 
conceptual problem as markup injection -- you have to validate the data 
that you're given (e.g. escaping it) before infusing it with your 
authority. You have to design your systems from the ground up to be 
secure, but that's nothing new.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 13 May 2010 01:56:42 UTC