- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Thu, 28 Jun 2007 15:34:30 -0400
- To: "Doyle, Bill" <wdoyle@mitre.org>
- CC: Rachna Dhamija <rachna.w3c@gmail.com>, public-wsc-wg@w3.org
Huh? I'm talking about combining these two threat trees. That's something that we *are* empowered to fix. serge Doyle, Bill wrote: > > Millions of ways to break use agents and new ones each day. > Don't talk about or loose time with items that we are not empowered to > fix. Concentrate on the ones we are. > > Bill > > > -----Original Message----- > From: Serge Egelman [mailto:egelman@cs.cmu.edu] > Sent: Thursday, June 28, 2007 1:23 PM > To: Doyle, Bill > Cc: Rachna Dhamija; public-wsc-wg@w3.org > Subject: Re: Review of threat trees > > Maybe this has already been discussed, but from the user's perspective, > how do the luring attacks differ from site impersonation? In both > cases > the user thinks they are going to a trusted site, but end up at a > different untrusted site. In terms of recommendations for security > indicators, I'm not sure we need to differentiate here. > > serge > > Doyle, Bill wrote: >> Tyler, started a review - stopped in item 4, will get back to it. >> >> Seems like we have some issues with threat trees. >> >> I noted items that I thought had scope issues >> >> 1. luring attacks >> D. all >> E all >> F all >> >> 2.Site impersonation >> A. ii. >> >> 4. Cross-site scripting - only interested in is how the user agent >> responds to certain attacks in this class. >> >> From text, the pretense of the attack is injection of cone into >> vulnerable web applications, server side processing is out of scope > and >> attacking the server is out of scope. >> >> Thought - Restructure section to note user agent actions and ability > to >> retain secure posture in the face of Cross-site scripting threats. >> Server sends data that does X. Leave out how / why this occurs, it > just >> does. >> >> B >> >> >> >> >> >> >> >> >> >> > ----------------------------------------------------------------------- > - >> *From:* public-wsc-wg-request@w3.org >> [mailto:public-wsc-wg-request@w3.org] *On Behalf Of *Doyle, Bill >> *Sent:* Wednesday, June 27, 2007 6:46 AM >> *To:* Rachna Dhamija >> *Cc:* public-wsc-wg@w3.org >> *Subject:* RE: Public comments on threat trees >> >> Thanks - was wondering what was up. >> >> Will take a look at it. Usually the MITRE infosec group does not >> hold back much, depends on who gets a hold of it. >> >> Bill >> >> >> > ----------------------------------------------------------------------- > - >> *From:* Rachna Dhamija [mailto:rachna.w3c@gmail.com] >> *Sent:* Tuesday, June 26, 2007 8:52 PM >> *To:* Doyle, Bill >> *Cc:* public-wsc-wg@w3.org >> *Subject:* Re: Public comments on threat trees >> >> Bill, >> >> There is currently no "owner" (Stuart S is transitioning > jobs, >> and I don't know if he is still participating in the >> workgroup). I've been adding attacks as I think of them and >> have flattened it out to be more of an outline, rather than a >> "tree". We still need to add links to examples and to > identify >> which branches are in and out of scope. >> >> I'm not sure that we'll ever be "done" with adding new > attacks, >> so this is a good time as any to get comments and find things > we >> have missed. Perhaps you and Stephen F might like to make > one >> pass through it first. >> >> http://www.w3.org/2006/WSC/wiki/ThreatTrees >> >> Rachna >> >> On 6/25/07, *Doyle, Bill* < wdoyle@mitre.org >> <mailto:wdoyle@mitre.org>> wrote: >> >> Are threat trees ready for public comments? If so I will >> send the a wiki link out to MITRE infosec list. >> >> If threat tree owner can respond and provide any intro > and >> link it would be appreciated. >> >> Regards >> Bill Doyle >> wdoyle@mitre.org <mailto:wdoyle@mitre.org> >> >> >> >> >> > -- /* Serge Egelman PhD Candidate Vice President for External Affairs, Graduate Student Assembly Carnegie Mellon University Legislative Concerns Chair National Association of Graduate-Professional Students */
Received on Thursday, 28 June 2007 19:34:47 UTC