W3C home > Mailing lists > Public > public-device-apis@w3.org > October 2013

Re: NSD API security

From: <Frederick.Hirsch@nokia.com>
Date: Thu, 3 Oct 2013 10:43:04 +0000
To: <dom@w3.org>
CC: <Frederick.Hirsch@nokia.com>, <Youenn.Fablet@crf.canon.fr>, <bh526r@att.com>, <richt@opera.com>, <giuseppep@opera.com>, <public-device-apis@w3.org>, <public-web-and-tv@w3.org>
Message-ID: <30FAFED4-F562-43B3-BBF0-C52E4C794601@nokia.com>
agreed, my point is that if the security flaw in the benign  service allows an attack on the sensitive one then the only real solution is not to enable that device in our scenario (or to fix the underlying issue of course)

I like the phrasing, should be good for the  security considerations section :)
 
regards, Frederick

Frederick Hirsch
Nokia



On Oct 3, 2013, at 2:50 AM, ext Dominique Hazael-Massieux wrote:

> Le jeudi 03 octobre 2013  01:28 +0000, Frederick.Hirsch@nokia.com a
> crit :
>> The fundamental flaw is that one device has two purposes  allowing
>> flaws from one to affect the other, yet this is also why it is sold
>> and valued - the convenience, cost reduction, lower hardware
>> footprint, easier management etc are also benefits.
> 
> One simple (but of course not 100% effective) solution would be for such
> a dual serviced device to expose CORS headers only on the benign
> service, and not on the security-sensitive one.
> 
> (if a bug in the benign service lets attack the sensitive one, of
> course, this won't be of much use)
> 
> Dom
> 
Received on Thursday, 3 October 2013 10:47:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:33:01 UTC