Re: WebAppSec re-charter status from Brad Hill on 2015-02-13 (public-webappsec@w3.org from February 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 13 Feb 2015 03:07:33 +0000
To: Bjoern Hoehrmann <derhoermi@gmx.net>, David Ross <drx@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8hBkf+Oyd=bufinfRPk7cdpS1=G=pa4m9yOCgnjYB=Rhw@mail.gmail.com>

Manageability of security and attack surface reduction for web applications
are the top-line charter goals for this WG and have been since its
inception.

It has, for example, always been possible to write applications without XSS
vulnerabilities, even before CSP.   To paraphrase Mike West - writing a
secure application is easy: you just have to be perfect.  Don't make a
mistake, ever.

We would like to provide tools which make authoring and operating secure
applications more practical.  Experience has shown that declarative policy
mechanisms which reduce attack surface are among the most useful tools we
can offer in this respect.  EPR has the particular benefit of being simple
and low-risk to apply to legacy applications, an area where experience has
shown CSP to be somewhat lacking.

I don't think EPR is more important than preserving linking on the web, but
I don't think it's useless, either.  I guess I feel like the things driving
each are different.  If sites think that deep linking is economically
harmful to them, they are already motivated to  aggressively deploy
existing tools and techniques to attack it.  Adding a slightly cheaper way
to accomplish some of the same goals won't change the outcomes much for
that population.  But security budgets are more limited, and have to be
spent defending against threats which may not materialize, the costs of
which cannot be easily measured.  It's much more important that tools for
legitimate defense be affordable and manageable.

On Thu Feb 12 2015 at 5:16:07 PM Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * David Ross wrote:
> >That being said, I think the criticism is a bit unfair.  EPR is an opt-in
> >feature with an intended audience largely separate from those who might
> >wish to prevent deep linking on their web sites.  I don't see any reason
> to
> >believe that we will see excessive and inconsiderate application of EPR
> >leading to linkability issues on the web at large.  If a publisher is
> >determined to prevent deep linking there are plenty of ways for them to do
> >that today, whether they choose to make use of the web platform or not.
>
> If "EPR" is redundant with existing features, why is it being proposed?
> --
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
>  Available for hire in Berlin (early 2015)  · http://www.websitedev.de/
>
>

Received on Friday, 13 February 2015 03:08:04 UTC