RE: iframe tag attack

Also, I there may be something in some of our security indicator proposals 
that would signal the mixed mode page of part 3 in some way, showing that 
a less trustworthy state has been entered. If that's the case (do you 
think it is, people with proposals in that area, like Yngve and Mike M), 
would it be in time for the user to do something about it?

And Mike B, I'm not getting the pony reference...

          Mez





"Dan Schutzer" <dan.schutzer@fstc.org> 
Sent by: public-wsc-wg-request@w3.org
06/20/2007 09:24 AM

To
"'Doyle, Bill'" <wdoyle@mitre.org>, "'Mike Beltzner'" 
<beltzner@mozilla.com>, "'Rachna Dhamija'" <rachna.w3c@gmail.com>
cc
<public-wsc-wg@w3.org>
Subject
RE: iframe tag attack






When in safe mode, this threat scenario should be defeated. The untrusted 
site would be rejected; the trusted site would be audited to ensure there 
is sufficient security built-in that their web site is unlikely to be 
compromised. However, when not in the safe mode a user would be vulnerable 
as they can access any site. However if a user only downloaded from 
trusted sites when in safe mode (a big if, probably not realistic), then 
the scenario would be defeated.
 
Dan 
 

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Doyle, Bill
Sent: Wednesday, June 20, 2007 7:15 AM
To: Mike Beltzner; Rachna Dhamija
Cc: public-wsc-wg@w3.org
Subject: RE: iframe tag attack
 
Thanks -- I pulled out part of your text that I want to review against the 
"safe" browsing modes are being discussed
 
iframe is doing things where a site which is trusted/identified in one way 
is loading content form a site that is not trusted
 
Bill D.

 

From: Mike Beltzner [mailto:beltzner@mozilla.com] 
Sent: Wednesday, June 20, 2007 1:54 AM
To: Rachna Dhamija
Cc: public-wsc-wg@w3.org; Doyle, Bill
Subject: Re: iframe tag attack
Using Rachna's unpack (thanks for that!) the way I see it ...

1. is definitely out of scope.

2. is strange - the fact that the site is compromised makes me think this 
is out of scope, but must any identity mechanisms that we do accept as in 
scope protect users from these types of problems?

3. feels in scope to me, especially if the iframe is doing things where a 
site which is trusted/identified in one way is loading content form a site 
that is not trusted, and then presenting it as part of the trusted site. I 
understand that this is a common practice amongst websites, but we need 
some mechanisms for enabling it without enabling this type of compromise 
as a side effect, IMO. Also, we need a pony.

4. the browser exploits that result in downloaded and installed malware 
are in scope, but once infected, the effects of that malware are totally 
out of scope.

imo, fwiw, etc.

cheers,
mike
----- Original Message -----
From: "Rachna Dhamija" <rachna.w3c@gmail.com>
To: "Bill Doyle" <wdoyle@mitre.org>
Cc: public-wsc-wg@w3.org
Sent: Tuesday, June 19, 2007 6:21:18 PM (GMT-0500) America/New_York
Subject: Re: iframe tag attack

On 6/19/07, Doyle, Bill <wdoyle@mitre.org> wrote: 
This enterprising company seems to have improved productivity.
 
New Web Exploit at 10,000 Machines and Growing, Security Company Warns
 
Seems to be a user agent issue, is this in or out of scope?

If we unpack the attack, this question might be easier to answer:
1) Attacker compromises a web server using malware
2) User visits a legitimate, but compromised, website that includes 
malicious iframe 
3) iframe causes browser to be redirected to a site with malicious 
javascript
4) malicious javascript detects the browser type and exploits browser 
vulnerabilities to download code, which then downloads other code 
(keyloggers, proxy, etc...) 

We have ruled 1 out of scope.  How about the rest? 

I am hoping that we can use our list of attacks (i.e., the threat trees) 
to come to a better understanding on what is in and out of scope.

Rachna