Re: ACTION-243 Propose link from note to threat trees (ISSUE-77)

I see ISSUE-77 is open against the note and deals with how we
reference the threat trees.  Not having seen any disagreement with
the proposed text below, I wonder if we can take it as a resolution
for ISSUE-77, incorporate it, and close that issue?

Thanks,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

On 2007-06-27 16:08:22 -0400, Johnathan Nightingale wrote:
> From: Johnathan Nightingale <johnath@mozilla.com>
> To: Thomas Roessler <tlr@w3.org>
> Cc: W3C WSC Public <public-wsc-wg@w3.org>
> Date: Wed, 27 Jun 2007 16:08:22 -0400
> Subject: Re: ACTION-243  Propose link from note to threat trees
> X-Archived-At: http://www.w3.org/mid/87465A3C-C5B9-44BE-8266-1CD2934BD66C@mozilla.com
> 
>
> +1 to your duly-constrained suggestion.  Maybe people have 
> additions/subtractions from the actual list of threats, but the idea, for me, 
> is right.
>
> Amending the note in this way gives rec authors something in the note to 
> point to when they are answering specific (classes of) threats, and leaves 
> the door open to more exhaustive/elaborate information in downstream 
> publications.
>
> Cheers,
>
> J
>
>
> On 27-Jun-07, at 12:36 PM, Thomas Roessler wrote:
>
>>
>> On 2007-06-25 09:12:42 -0400, Mary Ellen Zurko wrote:
>>
>>> We distinguish a number of properties in the basic use cases that we
>>> address. We will be looking towards adding attack information as well,
>>> potentially in the form of threat trees [ref
>>> http://www.w3.org/2006/WSC/wiki/ThreatTrees].
>>
>> Here's an alternative proposal; note that this is not intended to
>> reopen the "put in the threat trees or not" part.
>>
>> 	The use cases presented in this section can be organized by
>> 	a number of properties.  Based on these use cases, there is
>> 	work in progress to develop formal Threat Trees [REF], which
>> 	is expected to be published formally along with the group's
>> 	Recommendation Track deliverables.
>> 	
>> 	6.1 Use case properties
>> 	
>> 	[insert current 6.1-6.4 here as a numbered list, without
>> 	second-level headings]
>> 	
>> 	6.2 Threat dimensions
>>
>> 	The following high-level threats will be considered in the
>> 	Group's work.
>>
>> 	1. Luring Attacks - luring a user to the wrong site so that
>> 	he connects to an address not owned by the party he believes
>> 	it to be owned by.
>> 	
>> 	2. Site Impersonation Attacks - an attack in which the
>> 	attacker attempts to mimic someone else's website. Potential
>> 	goals include credential theft (e.g. password theft), theft
>> 	of other private information from the user (bank account and
>> 	routing numbers), or forging information sent to the user (e.g.
>> 	a fake news story that will cause the user to buy or sell stock).
>> 	
>> 	3. Cross-site request forgery - causing a user to
>> 	unwittingly send, to a legitimate site, a request containing
>> 	data that he/she would not otherwise intend to send (e.g. to
>> 	perform an action that he/she did not intend to take).
>> 	
>> 	4. Network-based eavesdropping - a passive attack in which
>> 	the attacker collects network traffic and reads the data
>> 	sent between the client and the website. Potential goals
>> 	include session hijacking (e.g. stealing a session cookie),
>> 	credential theft (e.g. password theft), and theft of other
>> 	private information from the user (bank account and routing
>> 	numbers).
>> 	
>> 	6.3 Scenarios
>> 	
>> 	[current 6.5]
>>
>> Attentive readers will notice that this enumeration leaves out
>> cross-site-scripting, per section 5.9 of the note.
>>
>>
>> -- 
>> Thomas Roessler, W3C  <tlr@w3.org>
>>
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>
>
>

Received on Wednesday, 11 July 2007 12:18:20 UTC