
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Breno de Medeiros <breno@google.com>
Date: Wed, 11 Feb 2009 18:04:23 -0800
Message-ID: <29fb00360902111804n42bd864s9eaf7647645f5770@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Adam Barth <w3c@adambarth.com>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
So the proposal is for a security considerations section that describes the
attending threats and strongly hints that applications will be vulnerable if
they do not adopt techniques to validate the results. It would suggest the
use of content-type headers and explain what types of threats it protects
against, provided that it includes caveats that this technique may not be
sufficient for some applications, as well as not necessary for others
that use higher-assurance approaches to directly validate the results
discovered through host-meta.

I still do not think this is necessary because the threat model attending
this is much broader than crossdomain.xml and applications that rely on this
will have to understand their own security needs or be necessarily
vulnerable. On the other hand, I will not argue against it either.

On Wed, Feb 11, 2009 at 5:50 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Wed, 11 Feb 2009, Breno de Medeiros wrote:
> >
> > My only concern is that the requirement is construed as reasonably
> > sufficient for security (which is indeed the case of crossdomain.xml,
> > but not for many intended applications). The example Adam just gave,
> > i.e., server-to-server authentication metadata being subverted by
> > uploading a file, is the type of application that I believe should
> > ideally resist full compromise of the server (e.g., by using metadata
> > signed with offline keys). So I am not necessarily opposed to it, but
> > the language needs to make it clear that this strategy serves to
> > mitigate a very specific class of threats.
>
> Agreed. I don't think anyone is saying this is the be-all and end-all of
> security, only that it is one step of many needed to have defence in
> depth.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>
-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
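The two layers the thread contrasts, shown together as an added example that is not code from the draft or from any participant: a Content-Type check on the fetched /host-meta response (the crossdomain.xml-style mitigation, which a user-uploaded file served from the same host as text/plain or text/html will not pass) and, for the higher-assurance case, verification of a detached signature made with a key the server never holds online. The media type `application/host-meta`, the use of Ed25519, and the Link-style body are assumptions for illustration only; the draft's actual format and media type are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"mime"
	"strings"
)

// Distinct errors so a caller can tell which layer rejected the document.
var (
	ErrWrongContentType = errors.New("host-meta: unexpected Content-Type")
	ErrBadSignature     = errors.New("host-meta: signature does not verify")
)

// expectedType is an assumption for this example: the media type the client
// insists on for /host-meta. An attacker who can upload a file to the host
// normally cannot make the server label it with this type.
const expectedType = "application/host-meta"

// ValidateHostMeta applies two independent checks to a fetched /host-meta body.
// contentType is the raw Content-Type header value; sig is a detached Ed25519
// signature over body; pub is the site's public key obtained out of band, with
// the private key kept offline. A nil pub skips the signature check, leaving
// only the Content-Type check, which is the weaker mitigation the thread warns
// is not sufficient for server-to-server authentication metadata.
func ValidateHostMeta(contentType string, body, sig []byte, pub ed25519.PublicKey) error {
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil || !strings.EqualFold(mediaType, expectedType) {
		return ErrWrongContentType
	}
	if pub != nil && !ed25519.Verify(pub, body, sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo generates a key pair, signs a constructed host-meta body and returns the
// outcome of four cases: a correct response, a user-uploaded file served with
// the wrong Content-Type, a body altered after signing (full server compromise
// with the signing key offline), and the same altered body when no key is
// configured, which only the Content-Type check sees and therefore accepts.
func Demo() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample body for the example; not taken from the draft.
	body := []byte("Link: <https://example.com/auth>; rel=\"authn-endpoint\"\n")
	sig := ed25519.Sign(priv, body)
	tampered := []byte("Link: <https://attacker.example/auth>; rel=\"authn-endpoint\"\n")

	return map[string]error{
		"ok":               ValidateHostMeta("application/host-meta; charset=utf-8", body, sig, pub),
		"wrongContentType": ValidateHostMeta("text/plain", body, sig, pub),
		"tampered":         ValidateHostMeta(expectedType, tampered, sig, pub),
		"noKey":            ValidateHostMeta(expectedType, tampered, nil, nil),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```

The "noKey" case is the point of Breno's caveat: with only the Content-Type check in place, a compromised or misconfigured server that serves attacker-chosen bytes under the right media type is accepted, so an application that relies on host-meta for authentication metadata needs the signature layer (or an equivalent higher-assurance check) as well.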
Received on Thursday, 12 February 2009 02:14:52 GMT
