Towards a model of web browser security

I like seeing exercises to model security explicitly and I'm sure we could use more practice on this for the Web. I would be very curious to hear what you experts have to say as feedback on this particular model (what is it useful for? what would make it more useful?) and what other models might already be out there to look at.

http://emergentchaos.com/archives/2015/08/towards-a-model-of-web-browser-security.html

For me, I noticed a couple of things missing or different from what I would have expected. This might just be a diff of my personal mental model of Web security, but hopefully the feedback is still useful. I'm sending these comments to Adam, and will point him to this thread to see other comments.

* sites are composed of resources from many servers (currently displayed as entirely separate boxes)
Sites often embed other sites (for example, via iframes or script tags), and most of our difficult security questions seem to arise from this fact. Users probably don't understand how web pages are composed, and the ability to pass messages between origins via iframes and the like is a common cause of security/privacy leakages.

* the network mediates access between browsers and sites (currently displayed as unrelated boxes)
Attacks both of surveillance and of insertion of malicious data/code rely on the network infrastructure being between the browser and the server/site. Passive vs. active attacks, etc. are hard to explain without the network being in between the user and the site.

* certificates and TLS (currently missing)
Certificate authorities seem like an important, distinct entity not marked on the diagram yet. TLS (transport) encryption is a primary method for supporting both confidentiality and integrity. The certificate authority model introduces an important layer of trust: if the CA is breached, what are the implications? etc.

* origins (currently missing)
Security on the Web depends on the concept of origins, which are not described in this model. This matters both because of the composability/embeddedness question above and because the same-origin policy expects isolation of data between origins. For example, the local storage container should be kept distinct between origins. http://tools.ietf.org/html/rfc6454

* plugins surround tabs?
In the current diagram, the plugins box surrounds all the tab boxes. It seems that in most browsers, tabs (windows) can talk to the browser without going through a plugin.

Perhaps the broader question is: is this a model of Web browser security or the Web security model? I think the two are closely related anyway, but the current diagram seems more focused on browser security issues rather than Web security issues.

Thanks,
Nick

Received on Monday, 17 August 2015 17:15:44 UTC
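Added example, not part of Nick's message or the linked article: the (scheme, host, port) origin triple from RFC 6454 that the paragraph on origins refers to, computed with the browser URL API and compared the way the same-origin policy does, plus the origin allowlist check an embedding page needs before trusting a message from an iframe. The origin names in the handler are made up for illustration.

```javascript
// RFC 6454 origin computation and same-origin comparison, plus a defensive
// postMessage receiver. Default ports follow RFC 6454 (http 80, https 443).
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Compute the (scheme, host, port) triple RFC 6454 calls an origin.
// Returns null for URLs whose origin is opaque (e.g. data:, about:blank).
function originOf(urlString) {
  const url = new URL(urlString);
  if (!(url.protocol in DEFAULT_PORTS)) return null;
  // The URL API drops an explicit default port, so "" means the default.
  const port = url.port === "" ? DEFAULT_PORTS[url.protocol] : Number(url.port);
  return { scheme: url.protocol.slice(0, -1), host: url.hostname.toLowerCase(), port };
}

// Serialised form, matching what window.origin and event.origin look like.
function serializeOrigin(origin) {
  if (origin === null) return "null";
  const defaultPort = DEFAULT_PORTS[origin.scheme + ":"];
  const portPart = origin.port === defaultPort ? "" : ":" + origin.port;
  return `${origin.scheme}://${origin.host}${portPart}`;
}

// Two URLs are same-origin only if all three components match exactly.
// An opaque origin is never same-origin with anything, not even itself,
// which is why localStorage for such documents is not shared.
function isSameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Defensive receiver for cross-origin iframe messaging: the embedding page
// checks event.origin against an explicit allowlist and drops everything
// else, so a message from an unexpected origin never reaches onAccepted.
function makeMessageHandler(allowedOrigins, onAccepted) {
  const allowed = new Set(allowedOrigins.map(u => serializeOrigin(originOf(u))));
  return function handleMessage(event) {
    if (!allowed.has(event.origin)) return false; // rejected: origin not trusted
    onAccepted(event.data);
    return true;
  };
}
```

In a real page the handler is registered with `window.addEventListener("message", handler)`; the allowlist should name the concrete origins you embed, never a wildcard.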