Re: The javascript runtime, XSS, and javascript crypto...

On 13 December 2011 11:29, David Dahl <ddahl@mozilla.com> wrote:
> Upon further reflection on this, perhaps what is needed instead is a browser mode like "Private Browsing Mode" in Firefox that is "Enhanced Security Mode", with certain CSP settings in place, SSL (with pinning required) and other restrictions or enhancements. What else is missing? There will no doubt be a demand for this kind of mode for browsers, in fact, there already must be from business and government.

This idea came up yesterday on an IETF list also:
http://www.ietf.org/mail-archive/web/pkix/current/msg30087.html

> This sort of gets at a different question.  Why does a browser need to
> always operate with a broad trust posture?  Folks know when they are
> banking and could easily indicate that intent to the browser, without
> needing to have the ability to authenticate their favorite shoe shop,
> doctor, etc. during that session.  This selection could be implemented as
> a selection of notary (or a temporary reduction of the TA store, or a
> temporary usage of name constraints, etc.).

I don't think it's very feasible.  Basically: if a site has any
incentive to provide security for the user (as banks do) and it
*works* with any of the myriad security options we have:
 - CSP
 - Key Pinning
 - Strict Transport Security
 - X-Frame-Options
 - X-XSS-Protection
 - X-Content-Type-Options
 - No Caching

Then they're going to enable that option all the time.  If they don't
enable it, they're either not getting audited by competent people
regularly or they don't work with the option.  And switching into a
mode that forces these options on will more likely break the site than
add security the site didn't previously have.

I think the only benefit a browser could add in a "Secure Browsing"
mode would be to try to protect a user from malware present on their
machine or in the network.
 - Disable Add-Ons, Toolbars, Greasemonkey Scripts (Poses a problem
with password managers)
 - Private Browsing Mode: don't cache anything, don't save cookies.
(Exception for saving Pinned Keys and STS.)
 - Perhaps some sort of "The SSL Certificate has changed!" notifications
 - Less Performance, More Security (Specifically around stuff like
javascript JIT optimizations)
 - Fancy-Pants tricks that could try to trick keylogging and
screenscraping malware
 - Disable Imported Root CAs
 - Extra security around traffic middling

I don't work with businesses often to define security policy... but if
they were actually clamoring for such a browser mode I think they
would have migrated off IE6/7 and onto a more recent browser.

-tom

Received on Tuesday, 13 December 2011 17:35:07 UTC
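As an added example that is not part of the message above (my code, not tom's and not any browser vendor's), here is a small audit of a response's headers for the hardening options the message lists. It reports each option as enabled, present-but-weak, or missing, so a header that is set but toothless (an HSTS max-age of 0, a CSP that re-allows inline script) is not mistaken for protection. The header names come from the message; the thresholds (a six-month HSTS max-age, at least two pins) and the two sample responses are this example's assumptions.

```javascript
// Added example, not code from the original message or from any browser
// vendor: audit a set of HTTP response headers for the hardening options
// the post lists. Header names are matched case-insensitively. Thresholds
// (six-month HSTS max-age, at least two pins) are assumptions of this
// example, not anything the post states.

// Return the value of "name=value" inside a header such as
// "max-age=31536000; includeSubDomains", or null when it is absent.
function parseDirective(value, name) {
  const re = new RegExp('(?:^|[;,\\s])' + name + '=("?)([^";,\\s]*)\\1', 'i');
  const m = re.exec(value);
  return m ? m[2] : null;
}

const SIX_MONTHS = 15768000; // seconds; assumed minimum useful HSTS max-age

// One entry per option named in the post. `strong` decides whether a header
// that is present actually confers protection; a present-but-toothless
// header is reported as "weak" rather than "enabled".
const CHECKS = [
  {
    option: 'CSP',
    header: 'content-security-policy',
    // Must restrict scripts (default-src or script-src) and must not re-allow
    // inline or eval script. 'unsafe-inline' in style-src is flagged as well,
    // a deliberate simplification.
    strong: v => /(^|;)\s*(default-src|script-src)\s/i.test(v)
               && !/'unsafe-inline'|'unsafe-eval'/i.test(v),
  },
  {
    option: 'Key Pinning',
    header: 'public-key-pins',
    // A backup pin is required, so demand at least two pins and a positive max-age.
    strong: v => (v.match(/pin-sha256=/gi) || []).length >= 2
               && Number(parseDirective(v, 'max-age')) > 0,
  },
  {
    option: 'Strict Transport Security',
    header: 'strict-transport-security',
    strong: v => Number(parseDirective(v, 'max-age')) >= SIX_MONTHS,
  },
  {
    option: 'X-Frame-Options',
    header: 'x-frame-options',
    strong: v => /^\s*(DENY|SAMEORIGIN)\s*$/i.test(v),
  },
  {
    option: 'X-XSS-Protection',
    header: 'x-xss-protection',
    strong: v => /^\s*1\s*;\s*mode=block\s*$/i.test(v),
  },
  {
    option: 'X-Content-Type-Options',
    header: 'x-content-type-options',
    strong: v => /^\s*nosniff\s*$/i.test(v),
  },
  {
    option: 'No Caching',
    header: 'cache-control',
    strong: v => /\bno-store\b/i.test(v),
  },
];

// headers: plain object of header name -> value (any letter case), as you
// would build from a fetch() Response or a Node http.IncomingMessage.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const result = { enabled: [], weak: [], missing: [] };
  for (const c of CHECKS) {
    const value = lower[c.header];
    if (value === undefined) result.missing.push(c.option);
    else if (c.strong(value)) result.enabled.push(c.option);
    else result.weak.push(c.option);
  }
  return result;
}

// Constructed sample responses (not captured from any real site).
const BANK_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  'Public-Key-Pins': 'pin-sha256="base64+primary/pin="; pin-sha256="base64+backup/pin="; max-age=5184000',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block',
  'X-Content-Type-Options': 'nosniff',
  'Cache-Control': 'no-store, no-cache, must-revalidate',
};
const SHOP_HEADERS = {
  'Content-Security-Policy': "default-src * 'unsafe-inline' 'unsafe-eval'",
  'Strict-Transport-Security': 'max-age=0',
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
  'Cache-Control': 'public, max-age=3600',
};

console.log('bank:', JSON.stringify(auditHeaders(BANK_HEADERS)));
console.log('shop:', JSON.stringify(auditHeaders(SHOP_HEADERS)));
```

The shop response is the case the message is about: four of the seven headers are present but every one of them is weak, and forcing the strong settings on from the browser side would change how that site behaves rather than just tighten it. Two of the options checked here are checked as they were understood when the message was written; browsers have since dropped support for Public-Key-Pins entirely, and current browsers ignore X-XSS-Protection, so an audit written today would treat those two differently.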