W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2011

fyi: Security on the Web - John Kemp

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Mon, 31 Oct 2011 09:42:59 -0700
Message-ID: <4EAED013.3030006@KingsMountain.com>
To: W3C Web App Security WG <public-webappsec@w3.org>
Security on the Web - John Kemp
http://www.w3.org/2001/tag/2011/02/security-web.html

--
[plain text facsimile]


Security on the Web
John Kemp
4th February 2011


Abstract

This document summarizes the history, and current state of some of the security 
features of the Web, as well as some of the effects on overall Web security of 
(some of) these features.


Introduction

The Web (initially physically implemented as an HTTP server, a Web browser and 
the HTTP protocol) was born with a particular set of properties in mind. 
Initially, security was not one of these properties. As the Web grew, and its 
components were extended to support new models and ideas, it became necessary 
to consider the security properties of the Web, however it was difficult to 
either reliably deploy or enforce security properties broadly because of the 
massive installed-based of Web agent software, so incremental "patches" were 
applied, leading to an arms race between those making the patches, and those 
creating the attacks (particularly in the area of the "same-origin policy").


History

HTTP - the "stateless" protocol

Requirements of the Web (largely from [1])

     Remote access (from one machine or network to another)
     De-centralization (no central control of the overall system)
     Layered protocols (IP, DNS, HTTP et al)

HTTP 0.9 ([2])

     GET method only
     HTML the only response format
     No headers (meaning no fine-grained control by client of server, or 
vice-versa)
     No authentication mechanism defined
     No confidentiality mechanism defined
     Simple entity model (client requests a document of a server, server 
delivers requested document)

HTTP 1.0 ([3])

     Added POST and PUT (among others)
     Added security considerations
     HTTP BASIC authentication defined, with extensibility for other client 
authentication mechanisms
     Added HTTP headers which provided both clients and servers with more 
fine-grained control of the protocol
     Acknowledgement ("Safe methods" section) that software agents may 
"represent" a "user" on the Web
     Redirection is described (including the option for a client to redirect 
without user intervention)


Origin cookies are first baked

Netscape Navigator first implemented support for cookies in its version 2.0 
browser, dating from 1996. Cookies offered a mechanism to allow a server to 
store per-client state, and have the client supply a (server-assigned) pointer 
to its state, automatically (via the client implementation) when sending any 
request to the cookie-specified domain and URL path. Many sites used this 
facility to identify a user session with the site, and then stored 
per-user/session data (such as a shopping cart) related to the cookie identifier.

Cookies became successful because they were more reliable session indicators 
than competing mechanisms (such as putting session state in the URI or body of 
an HTTP request, which require that users don't accidentally drop the session 
part of the URI, for example)

In order to ensure that a cookie was sent only to the originating domain, the 
browser needed to be able to determine the domain associated with a document - 
and thus, the "origin" was born - scheme, host and port defining a unique 
origin. The same-origin policy states that a document from one unique origin 
may only load resources from the origin from which the document was loaded. In 
particular this applies to XMLHttpRequest calls made from within a document. 
Images, CSS and dynamically-loaded scripts are not subject to same-origin policy.


AJAX: The rise of the cross-domain request [5]

In 1999, Microsoft released the second version of its MSXML library, which 
provided access, via ActiveX, to an API for making a direct HTTP request to a 
web server. Other browsers followed, with Mozilla releasing a Javascript 
XMLHttpRequest (XHR) API in its Gecko engine, and later by other browser 
vendors releasing similar APIs.

The "XHR" API was later standardized by W3C [6] and Javascript-based frameworks 
have abstracted the API and popularized its usage by making it even easier to 
make HTTP requests from within Web documents.

Various mechanisms are used to circumvent the same-origin policy enforced by 
XHR, including JSONP [7] and allow cross-domain calls from Web applications.


The rise of Javascript and Web applications

Web browsers have contained a Javascript execution environment since Netscape 
Navigator 2.0. Initially, Javascript was denigrated by "serious" programmers, 
but thanks to the popularity of AJAX, has become one of the most popular 
software development languages in use today.

Exposing APIs from a Web browser, via Javascript and the DOM, allows a 
developer to manipulate client resources in a much more fundamental way than 
simply rendering and viewing a document.

There are several security vulnerabilities related to the use of Javascript in 
browser environments (see [9] for examples)


Security-related issues of Web architecture

     Documents (representations of Web resources) are often formed of content 
acquired from more than one "security domain" (an environment defined by a 
single set of security policies). Interactions between these pieces of content 
must be mediated in a "sandbox" environment on the client to prevent the 
possibility of content from one security domain causing problems with content 
from another security domain.

     Web browser redirects often take place without user input (see 'cookies' 
below) causing unintended user consequences.

     Web browser state management has been based on cookies, which are a shared 
client (browser) resource - one site may cause another's cookie to be sent in a 
request to the site which "owns" the cookie, causing that site to believe that 
the user is making an intentional, and authenticated request, when in fact, 
this may not be true (such as clickjacking attack)

     Identity-spoofing of Web sites on the Web is relatively easy (Referer 
header spoofing, DNS rebinding and cache poisoning, confusing the user with 
content which looks authentic but is controlled and presented by an attacker)

     Servers often depend on a client to "do the right thing" in providing 
security for the server (such as correctly process Web 'origin' and 'referer' 
information in order to allow the server to authenticate a request) but clients 
are open to manipulation by servers, and software defects. Not all clients will 
"do the right thing" -- by design.

     Authenticated protocols are based on un-authenticated protocols (for 
example, no true link between SSL certificate validation and the DNS IP address 
for the common name in the certificate)

     No separate "download", "install" and "execute" steps for a user. Web 
content is often immediately executed by the client, without giving the user a 
chance to approve access to sensitive or limited client resources (such as CPU 
and local storage)

     Documents, or excerpts thereof, are usually not tied to their publisher in 
any way that can be verified across the Web (such as by an interoperable 
cryptographic signature) (see for example "content-centric networking" [8])


Desirable security properties of the Web?

     That one Web agent doesn't have to inordinately trust the correct 
behaviour of a whole class of Web agents when exposing a resource to the Web

     That it is possible to "tie" one layer of Web protocol to other layers 
(DNS IP address should be tied to IP address of SSL cert, SSL cert key used to 
sign token at app layer protocol etc.) so that when necessary they cannot be 
separated.

     That it is possible to load or embed all Web resources from multiple 
security domains in a consistent manner (unlike the current situation where 
images and CSS are not subject to the same-origin policy, and where scripts may 
be dynamically added to a page (via the <script src=.../> tag) without being 
subject to the same-origin policy


Some current Web security-related standards work

     IETF WebSec
     CORS
     UMP
     XHR2
     HTML5 Sandboxed iFrame
     DNSSEC
     ECMAScript Strict Mode

References

     1
     2
     3
     4 (CORS, UMP and XHR2 summary)
     5
     6
     7
     8
     9
     10 (Same-origin policy weaknesses)

Security on the Web, John Kemp, 4th February 2011

---
end
Received on Monday, 31 October 2011 16:50:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 31 October 2011 16:50:19 GMT