W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2007

Re: Available security information section clarification

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Mon, 9 Apr 2007 11:44:21 -0400
Cc: public-wsc-wg@w3.org
Message-ID: <OF305678CE.5873C3E7-ON852572B8.0052508F-852572B8.00567706@LocalDomain>
To: "Serge Egelman <egelman" <egelman@cs.cmu.edu>
How interesting. This begins to get us into the realm of what I'd call 
secondary security context information. Not the information that's 
available in the protocols and pages whose job is (at least partly) to 
communicate security context, or the information that provides some 
security context that users can understand, but information that is 
manipulated to attack the tools that are trying to create or display 
security context information. 


Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Serge Egelman <egelman@cs.cmu.edu> 
Sent by: public-wsc-wg-request@w3.org
04/09/2007 09:44 AM

"Close, Tyler J." <tyler.close@hp.com>, public-wsc-wg@w3.org

Re: Available security information section clarification

There's another attack that has to do with whether the page has finished 

A lot of anti-phishing tools won't examine the page until it has 
completed rendering.  This leads to an attack where the phisher can 
include code to force the page to take an infinite time to load, thus 
causing the indicator to fail.  I wrote about this here:


Thomas Roessler wrote:
> On 2007-04-05 00:34:00 -0000, Close, Tyler J. wrote:
>> I've edited the "Available security information" section in
>> accordance with the discussion that generated ACTION-157. In
>> particular, I've added some preamble text describing the
>> structure of the section and broadened the "Provided by HTML"
>> section into "Provided by web content". I've also added an entry
>> to "Provided by user agent" for "Has the page completed
>> rendering?" This last item comes out of the white text on a white
>> background case that results from failing to fetch a stylesheet.
> That's a fascinating attack vector.  But consider what happens if a
> user stylesheet is in place that sets the text color to white,
> globally, and with an "!important" declaration...
> I guess what all this boils down to is the question whether a page
> as rendered to a particular user "looks" the way it was intended.
> And that, in turn, leads us directly here:
>   http://www.w3.org/TR/webarch/#pci
> I wonder if we really want to go down that particular direction of
> discussion...
> Coming back to the "has page complete rendering" piece of context, I
> wonder if there is a security-related motivation for looking at it
> that is different from the issues that you get when content can be
> presented in multiple ways, possibly by way of multiple modalities.
> If there is no such motivation, then I'd respectfully suggest we
> drop it.

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
Received on Monday, 9 April 2007 15:45:06 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:15 UTC