RE: Page Security Score proposal

Thomas,

You raise good questions about a couple of specific aspects of the sample
page scoring formula I offered, but please keep in mind it was offered
as an example.  It definitely needs thorough risk analysis, testing, and
refinement.  I would not oppose removing the local host file element,
for example, although it's something we should discuss first as a group.

That said, I do feel WSC should offer a specific formula (while opening
the door wide to innovation from others) so I would oppose "punting".
There should be an industry standard default scoring formula.  The
formula is the missing link between our detailed page security info and
our primary SCI.

Thanks, Mike

-----Original Message-----
From: Thomas Roessler [mailto:tlr@w3.org] 
Sent: Friday, July 06, 2007 11:42 AM
To: McCormick, Mike
Cc: johnath@mozilla.com; public-wsc-wg@w3.org;
Mary_Ellen_Zurko@notesdev.ibm.com
Subject: Re: Page Security Score proposal

On 2007-06-18 17:43:52 -0500, michael.mccormick@wellsfargo.com wrote:

> Your point about brittleness is well taken.  I agree the scoring 
> formula will have to adapt occasionally to changing technologies as 
> new security indicators become available, etc.

More importantly, I think the score should also factor in certain attack
vectors.  For instance, you essentially take hosts.txt as an indicator
for an attack.  That might be true on an average Windows system; on my
system, it might actually mean that I found some associations so
important that I don't want hotspots or hotel networks to tamper with
them.

In a way, this very much looks like the kinds of tables that are
configured into spam filters.  And while it's a neat idea from the
usability perspective (similar to a spam filter, there are only two or
three possible courses of action, so somebody MUST actually compress all
that information down), there are some challenges as well:

- How do we make sure that an interaction with, say, a legit EV
  certificate-secured banking site always gets the full score --
  despite hosts.txt maybe being involved, for example?

- How does attacker behavior change?  E.g., an attacker can get 15
  score points for free by just faking a root certificate for
  TLS....  That suggests that, in some near future after deploying
  your formula, it might actually be more useful to score an unknown
  root CA with a -20.  (And this demonstrates a generic issue.)

Of course, we could also punt all this, and just define how a browser
should display such a score when obtained from a service somewhere --
thereby also accommodating Tim Hahn's remark about using social networks
to compare scores and scoring rules.

In that case, I'd actually love to see the requisite browser plugins and
web services set up.  Could be an interesting extension to the current
anti-phishing services.

--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Friday, 6 July 2007 22:19:47 UTC
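A constructed illustration of the two concerns raised in the thread (added here; it is not Mike's sample formula, which is not included in this exchange): a naive additive page-security score beside one that weights each signal by how cheaply an attacker can produce it. All signal names and weights other than the +15 and -20 figures quoted in the message are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PageSignals:
    """Assumed set of per-page security signals (constructed for this example)."""
    tls: bool            # connection used TLS at all
    chain_trusted: bool  # certificate chain validates to a trusted root
    ev: bool             # validated Extended Validation certificate
    hosts_override: bool # hostname was resolved via the local hosts file


def naive_score(s: PageSignals) -> int:
    """Additive formula: each signal adds points regardless of attacker cost."""
    score = 0
    if s.tls:
        score += 15      # +15 for TLS alone, even under an unknown/faked root
    if s.chain_trusted:
        score += 10
    if s.ev:
        score += 20
    if s.hosts_override:
        score -= 10      # hosts file always treated as an attack indicator
    return score


def adaptive_score(s: PageSignals) -> int:
    """Same signals, weighted by attacker cost: TLS only earns credit with a
    trusted chain, an unknown root is penalised (-20, as suggested in the
    thread), and an EV-validated site keeps full score despite hosts.txt."""
    score = 0
    if s.tls and s.chain_trusted:
        score += 25
    elif s.tls:
        score -= 20      # cheap for an attacker to produce, so it costs points
    if s.ev:
        score += 20
    if s.hosts_override and not s.ev:
        score -= 10      # hosts entries matter only when nothing stronger vouches
    return score


FULL = 45  # maximum attainable under either formula

# Constructed scenarios matching the thread's examples.
LEGIT_EV_BANK = PageSignals(tls=True, chain_trusted=True, ev=True, hosts_override=True)
FAKE_ROOT = PageSignals(tls=True, chain_trusted=False, ev=False, hosts_override=False)
PLAIN_HTTP = PageSignals(tls=False, chain_trusted=False, ev=False, hosts_override=False)

if __name__ == "__main__":
    for name, s in [("EV bank + hosts", LEGIT_EV_BANK), ("faked root", FAKE_ROOT),
                    ("plain http", PLAIN_HTTP)]:
        print(f"{name:16} naive={naive_score(s):4}  adaptive={adaptive_score(s):4}")
```

Under the naive formula the faked-root page scores higher than plain HTTP and the legitimate EV bank loses points for the hosts entry; the adaptive version reverses both.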