
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Tony Arcieri <bascule@gmail.com>
Date: Tue, 15 Sep 2015 19:05:15 -0700
Message-ID: <CAHOTMVJwpLOx=-PYfCg2GDn-og0mNEz1uF1zaDkrkeg9rJZV9Q@mail.gmail.com>
To: Henry Story <henry.story@co-operating.systems>
Cc: Rigo Wenning <rigo@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "Mike O'Neill" <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, public-webappsec@w3.org
On Tue, Sep 15, 2015 at 2:27 PM, Henry Story <henry.story@co-operating.systems> wrote:

> SOP is a technical Principle, which is trumped by the legal principle of
> User Control.

This is a false dichotomy.

Let me also reiterate SOP is the fundamental security principle of the web.
Creating a new web standard involves getting adoption from browser vendors.
The W3C doesn't decide this. The browser vendors do (see also: WHATWG). If
you want to violate the SOP, you better have a concrete plan.

> Current browsers respect user control with regard to certificates - some
> better than others.

Chrome is actively trying to remove <keygen>:

I agree: <keygen> is bad. It has confusing, frustrating UX. It violates
SOP. It should be banished. So let me just point out: you are evoking
arguments based on features that browser vendors are literally trying to
actively eradicate right now. The browser vendors control the future of the
web, not the W3C. I don't know how else to describe this but you are
attempting to tout features browser vendors are trying to remove. If this
is your attitude, you will lose. The features you want will never ship.
This should also be the point at which you consider if your ideas are, in
fact, bad.

> If the user is asked if she wants to authenticate with a global ID to a
> web site, then that is her prerogative.

Users shouldn't have to make choices they don't want to. You seem to want
to encourage users to make choices they're potentially ill-prepared for,
and if they make the wrong decisions, blame the user. This is the best way
to create a bad, insecure user experience. This is the point in the
argument at which some security professionals might question if you are in
fact working for the enemy.

> As long as she can select the identity she wishes to use, and change
> identity when she wants to, or become anonymous: she must be in control.

You're conflating authentication with identity. Repeatedly. As Brad Hill
already called out, but I'll continue calling it out.

> Privacy is actually improved in distributed yet connected services.

Absolutely not.

> By having distributed co-operating organisation each in control of their
> information, each can retain their autonomy.

War is peace. Freedom is slavery. Ignorance is strength?

> As an example it should be quite obvious that the police cannot share their
> files with those of the major social networks, nor would those have time to
> build the tools for the health industry, nor would those work for
> universities, etc. etc... The world is a sea of independent agencies that
> need to look after their own data, and share it with others when needed. In
> order to share the data, they need to give other agents access, they need
> to *control* access, which means you need some form of global identities
> that can be as weak as temporary pseudonyms, or stronger. In fact they can
> evolve out of pseudonyms into strong identifiers on which a reputation has
> built itself.

The mechanisms you propose to do this do not provide users with the
requisite context to meaningfully make these decisions for themselves,
saddle users with unnecessary decisions that would be solved automatically
by the SOP, and generally would dramatically weaken the security of the web.

> Here is the picture from the architectural UAF document mentioned above.
> (It fails to mention that in many cases after an OAuth or OpenID the
> Relying Party communicates with the Federation Party until recently called
> the identity provider.)  So really FIDO is just setting a super strong
> cookie with some cryptographic properties which then more and more often
> needs to be bolted onto actual Identity Providers. All of this relies on
> server side cryptographic keys tied to TLS, so that the major parties are
> in effect using certificates for global authentication.

As Brad already pointed out, you're colluding authentication with identity,
which is a fairly common problem, and in fact perhaps the common theme for
why WebCrypto Next Steps failed to produce a solution: because the entire
concept of PKCS#11/PIV/CCID-style identity systems is fundamentally
incompatible with the web.

If you disagree, the answer to this problem *needs* a technical argument.
Among perhaps a couple dozen hardware vendors who attended WebCrypto Next
Steps, *nobody* had a concrete proposal about how to solve this problem. If
you do not have such a proposal, this entire line of reasoning is a
nonstarter which is continuing to waste everybody's time.

> Now WebID is not tied logically to TLS

That's bad. For purposes of authentication, I would prefer a solution like
IETF token binding.

> This would allow a move to use strong identity in HTTP/2.0 (SPDY)

Most of the time we do not need strong identity. Strong identity is at odds
with how the web works. Nor are there concrete proposals for how strong
identity can work on the web.

I know you think otherwise, but to put it bluntly, you're wrong.

> So it's a bit weird that SOP is invoked to remove functionality that puts
> the user in control in the browser,

The only way anyone would even make this claim is if they are completely
clueless about user experience and user choice.

> Let's stop using SOP as a way to shut down intelligent conversation. Let's
> think about user control as the aim.

If we examine the history of this thread, it started out calling SOP a
nonstarter, and attempting to shut down "intelligent conversation" about
why SOP is a good idea.

I feel like I'm bordering on what's allowable in germane conversation here,
but your opinions seem to be lacking context around:

- user experience
- what security decisions users both can and should make
- what browser vendors are willing to implement

I am sure you'll violently attest the contrary, but in my opinion you're
about as close to 180 degrees off the direction you should be pointing
here. You seem to (unwittingly?) want to undermine web security, make
things more complicated and confusing for end users, and suggest web
standards which will never be adopted because the browser vendors will
think you're nuts.

tl;dr: this entire line of reasoning is a complete nonstarter. Please stop.
I don't want to shut down intelligent conversation, but (again to border on
what's allowable in germane conversation) this is not intelligent
conversation. This is how to produce doomed standards nobody wants to
implement or use, and there are enough of those already.

Can we focus on things that are known to work and try to build standards
around those?

Tony Arcieri
Received on Wednesday, 16 September 2015 02:06:06 UTC
