
Re: Removing trolls and off-topic conversation from Web Security IG? [was Re: A Somewhat Critical View of SOP (Same Origin Policy)]

From: Harry Halpin <hhalpin@w3.org>
Date: Wed, 23 Sep 2015 14:08:52 -0400
Message-ID: <5602EAB4.5000800@w3.org>
To: public-web-security@w3.org
On 09/23/2015 01:36 PM, Hadi Nahari wrote:
>
> On 9/23/15, 9:43 AM, "Harry Halpin" <hhalpin@w3.org> wrote:
>
>> On 09/23/2015 12:25 PM, Martin Paljak wrote:
>>> Hello,
>>>
>>> On 23/09/15 18:45, Harry Halpin wrote:
>>>> At this point, I think it would be a useful discussion for the Chair of
>>>> the IG to move the IG to member-only in a re-chartering, as it may be
>>>> the only way to keep the discussion on-topic.
>>> What exactly is off-topic or trolling?
>>>
>>> It seems to me that people have quite nicely tried to bring up the
>>> possibility of at least *discussing* security models other than SOP for
>>> certain scenarios, but are being turned down with "you don't seem to know
>>> how the Web works, the Web will not work with that, only SOP is ever
>>> being discussed, period".
>>>
>>> While SOP is a fundamental principle for web security, I don't think it
>>> is *the* principle everything and anything must comply to. Am I wrong?
>>>
>>> Maybe it makes sense to remind two nice sayings:
>>>
>>> "Browser is supposed to be a User-Agent, not Industry-Agent"
>>> and
>>> "If all you have is a hammer, everything starts to look like a nail"
>>>
>>> I don't know what exactly you think by "the Web" but it seems that there
>>> is a fundamental difference in understanding what the user actually
>>> wants or is supposed to want or is allowed to want.
>>>
>>> Clearly articulating that you don't care and don't want to listen is OK,
>>> but rejecting meaningful dialogue by masking it as "trolling" is not
>>> going to lead to fruitful results.
>>>
>>> I think it is obvious that there is a fundamental difference between how
>>> certain groups think or envision "the web" but I see no fundamental
>>> reason why the two groups can't work together on technical terms,
>>> finding the balance and compromises between the different approaches to
>>> security, privacy etc.
>>>
>>> Except for "don't want to play together, so no point in trying" is the
>>> reason, in which case it really makes no sense. That's not the web I'm
>>> into.
>> I am bringing up the point that the Web Security Interest Group is based
>> on the "Web", whose only meaningful security boundary is the Same Origin
>> Policy.
>>
>> It would of course be within scope on how to tie existing, non-Web
>> security models to the Web Security Model and to respect the same origin
>> policy. I suggested for example, per-origin based key derivation. There
>> are many other possible routes.
>>
>> However, throwing Same Origin Policy out would be out of scope and is a
>> non-starter likely for anything that can be implemented. If there are basic
>> problems understanding the Same Origin Policy, I believe this should be
>> addressed off-list. For non-Web security standards, there are many other
>> forums to choose from.
>>
>>   cheers,
>>       harry
>>
>>
>>
>>>
>>>
>>> Martin
>>
> Harry;
>
> I have been following this specific thread with a great deal of interest
> and haven't felt spammed. I think your attempt to shut this down is out of
> line, though I agree that a bit of civility could help. The [non-]
> argument of "you don't know how [X] works" is not logical reasoning, and
> does not replace it.

I believe it should be expected that in addition to civility, folks on
this list need to have a basic understanding of the Web and security.
Thus, a move to an Invited Expert/Member model may be appropriate to the IG.

>
>>> ... "whose only meaningful security boundary is the Same Origin Policy."
> I disagree. This is the whole reason that having conversations like this
> is useful so that we "evaluate" whether this is true, rather than "assert"
> it.
>
> Let's, instead, follow and apply rules of civilized argumentation, rather
> than just shut things down. Not cool.
If you have a different security and privacy boundary than SOP, you
should articulate it.

However, Anders and others seem to be insinuating there is a conspiracy
against them rather than clearly articulating their desired
security/privacy boundary, when the problem may instead be, as I pointed
out, the fact that proposals to break SOP have security/privacy problems
and these should be addressed by adapting these proposals to SOP.
Greater permissions, access to hardware tokens, user control over
Javascript, and other useful security/privacy features could be accomplished
without breaking SOP. When arguing to replace SOP, you should first
prove what you want can't be done within SOP and why.

Simply throwing out security/privacy boundaries on the Web would make
things *much* worse for end-users, enable easier tracking, and open
whole new attack surfaces. For an example of how 'extension' models that
don't respect SOP go wrong, browser extensions are a useful example:
http://www.howtogeek.com/188346/why-browser-extensions-can-be-dangerous-and-how-to-protect-yourself/

Thus, causing changes in browsers like Mozilla:
http://www.scmagazineuk.com/mozilla-changes-security-model-to-bolster-extension-protection/article/434599/

Due to these kinds of attacks, I expect browser extensions to be slowly
phased out precisely due to their lack of a meaningful security/privacy
boundary. If one wants to replace or violate SOP, one should be aware of
how it could be abused.

             cheers,
                     harry

>
> Regards,
> -Hadi
> P.S. Though I don't agree with all Mr. Rundgren's assertions, but have
> also seen some vile attacks/responses against him, which I think are
> unwarranted. D.S.
>
> -------------------------------------
> Hadi Nahari, Chief Security Architect
> NVIDIA, +1.408.562.7916
> --------------------------------------
> Dubito ergo mihi licet esse
>
>
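Per-origin key derivation, the SOP-respecting route Harry mentions above for tying a hardware-token key to the Web security model, worked through as an added example that is not from the thread or from any W3C specification. The master secret, the HKDF salt label and the purpose label are constructed for this illustration; the origin is canonicalised to the (scheme, host, port) tuple that SOP compares, so two URLs in the same origin get the same key and any other origin gets an unrelated one.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for a secret that would live inside a hardware token
# and never be exported; only keys derived from it are handed to a page.
MASTER_SECRET = bytes(range(32))

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_origin(url: str) -> str:
    """Serialise a URL to the origin triple SOP compares: scheme, host, port.

    Case differences in the host, an explicit default port, and any path,
    query or fragment must not change the result (same origin, same key).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # urlsplit lowercases the host for us
    if scheme not in DEFAULT_PORTS or host is None:
        raise ValueError(f"unsupported origin: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return f"{scheme}://{host}:{port}"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def per_origin_key(master: bytes, url: str, purpose: bytes = b"signing-key") -> bytes:
    """Derive a key bound to the origin of `url`; the master secret never leaves."""
    origin = canonical_origin(url).encode()
    # Length-prefix the origin so (origin, purpose) pairs cannot collide by
    # shifting bytes between the two fields.
    info = len(origin).to_bytes(2, "big") + origin + purpose
    # Constructed salt label; a real deployment would version it.
    return hkdf_sha256(master, salt=b"web-origin-kdf-v1", info=info)
```

A page at one origin can obtain only its own derived key; it has no way to compute another origin's key without the master secret, which is exactly the boundary SOP already draws.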
Received on Wednesday, 23 September 2015 18:08:55 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:38 UTC