Re: [W3C security] Proposal: Prefer secure origins for powerful new web platform features

On Saturday 28 June 2014 05:36:24 GALINDO Virginie wrote:
> Granting permissions to unauthenticated origins is, in the presence of
> a network attacker, equivalent to granting the permissions to any
> origin. The state of the internet is such that we must indeed assume
> that a network attacker is present.

The error here is that we assume the service/origin to be trustworthy 
and the attacker to be malicious. But in case of tracking, the 
authentication actually harms. So having more authentication isn't 
providing more security for the end user in general. In tracking, the 
service you're interacting with is the attacker. How does your model 
cope with this and how is it avoiding to switch from tracking to 
authenticated tracking? 

Now if we want to talk about origins and trustworthiness of code, how 
does your work relate to the Trusted Computing platform? Is it just 
basing itself on TLS or is it going further? Or is it just a list of 
partial URI-strings that will trigger better permissions? Have you 
thought about integrating provenance into the model?


Received on Sunday, 29 June 2014 11:44:42 UTC