Re: Removing trolls and off-topic conversation from Web Security IG? [was Re: A Somewhat Critical View of SOP (Same Origin Policy)]

+1 - Harry's comments. Open but civil and keep implementations relevant.


*--*


*Siva G. Narendra Ph.D.*
*CEO - Tyfone, Inc.*
*Portland | Bangalore | Taipei*
*www.tyfone.com <http://www.tyfone.com>*
*Voice: +1.661.412.2233*


On Wed, Sep 23, 2015 at 11:08 AM, Harry Halpin <hhalpin@w3.org> wrote:

> On 09/23/2015 01:36 PM, Hadi Nahari wrote:
> >
> > On 9/23/15, 9:43 AM, "Harry Halpin" <hhalpin@w3.org> wrote:
> >
> >> On 09/23/2015 12:25 PM, Martin Paljak wrote:
> >>> Hello,
> >>>
> >>> On 23/09/15 18:45, Harry Halpin wrote:
> >>>> At this point, I think it would be a useful discussion for the Chair
> of
> >>>> the IG to move the IG to member-only in a re-chartering, as it may be
> >>>> the only way to keep the discussion on-topic.
> >>> What exactly is off-topic or trolling?
> >>>
> >>> It seems to me that people have quite nicely tried to bring up the
> >>> possibility of at least *discussing* security models other than SOP for
> >>> certain scenarios, but are being turned down with "you don't seem to
> know
> >>> how the Web works, the Web will not work with that, only SOP is ever
> >>> being discussed, period".
> >>>
> >>> While SOP is a fundamental principle for web security, I don't think it
> >>> is *the* principle everything and anything must comply to. Am I wrong?
> >>>
> >>> Maybe it makes sense to remind two nice sayings:
> >>>
> >>> "Browser is supposed to be a User-Agent, not Industry-Agent"
> >>> and
> >>> "If all you have is a hammer, everything starts to look like a nail"
> >>>
> >>> I don't know what exactly you think by "the Web" but it seems that
> there
> >>> is a fundamental difference in understanding what the user actually
> >>> wants or is supposed to want or is allowed to want.
> >>>
> >>> Clearly articulating that you don't care and don't want to listen is
> OK,
> >>> but rejecting meaningful dialogue by masking it as "trolling" is not
> >>> going to lead to fruitful results.
> >>>
> >>> I think it is obvious that there is a fundamental difference between
> how
> >>> certain groups think or envision "the web" but I see no fundamental
> >>> reason why the two groups can't work together on technical terms,
> >>> finding the balance and compromises between the different approach to
> >>> security, privacy etc.
> >>>
> >>> Except for "don't want to play together, so no point in trying" is the
> >>> reason, in which case it really makes no sense. That's not the web I'm
> >>> into.
> >> I am bringing up the point that the Web Security Interest Group is based
> >> on the "Web", whose only meaningful security boundary is the Same Origin
> >> Policy.
> >>
> >> It would of course be within scope on how to tie existing, non-Web
> >> security models to the Web Security Model and to respect the same origin
> >> policy. I suggested for example, per-origin based key derivation. There
> >> are many other possible routes.
> >>
> >> However, throwing Same Origin Policy out would be out of scope and is a
> >> non-starter likely for anything that would be implemented. If there are basic
> >> problems understanding the Same Origin Policy, I believe this should be
> >> addressed off-list. For non-Web security standards, there are many other
> >> forums to choose from.
> >>
> >>   cheers,
> >>       harry
> >>
> >>
> >>
> >>>
> >>>
> >>> Martin
> >>
> > Harry;
> >
> > I have been following this specific thread with a great deal of interest
> > and haven't felt spammed. I think your attempt to shut this down is out
> of
> > line, though I agree that a bit of civility could help. The [non-]
> > argument of "you don't know how [X] works" is not logical reasoning, and
> > does not replace it.
>
> I believe it should be expected that in addition to civility, folks on
> this list need to have a basic understanding of the Web and security.
> Thus, a move to an Invited Expert/Member model may be appropriate to the
> IG.
>
> >
> >>> … "whose only meaningful security boundary is the Same Origin Policy."
> > I disagree. This is the whole reason that having conversations like this
> > is useful so that we "evaluate" whether this is true, rather than
> "assert"
> > it.
> >
> > Let's, instead, follow and apply rules of civilized argumentation, rather
> > than just shut things down. Not cool.
> If you have a different security and privacy boundary than SOP, you
> should articulate it.
>
> However, Anders and others seem to be insinuating there is a conspiracy
> against them rather than clearly articulating their desired
> security/privacy boundary, when the problem may instead be, as I pointed
> out, the fact that proposals to break SOP have security/privacy problems
> and these should be addressed by adapting these proposals to SOP.
> Greater permissions, access to hardware tokens, user control over
> Javascript, and other useful security/privacy could be accomplished
> without breaking SOP. When arguing to replace SOP, you should first
> prove what you want can't be done within SOP and why.
>
> Simply throwing out security/privacy boundaries on the Web would make
> things *much* worse for end-users, enable easier-tracking, and open
> whole new attack surfaces. For an example of how 'extension' models that
> don't respect SOP go wrong, browser extensions are a useful example:
>
> http://www.howtogeek.com/188346/why-browser-extensions-can-be-dangerous-and-how-to-protect-yourself/
>
> Thus, causing changes in browsers like Mozilla:
>
> http://www.scmagazineuk.com/mozilla-changes-security-model-to-bolster-extension-protection/article/434599/
>
> Due to these kinds of attacks, I expect browser extensions to be slowly
> phased out precisely due to their lack of a meaningful security/privacy
> boundary. If one wants to replace or violate SOP, one should be aware of
> how it could be abused.
>
>              cheers,
>                      harry
>
> >
> > Regards,
> > -Hadi
> > P.S. Though I don't agree with all Mr. Rundgren's assertions, but have
> > also seen some vile attacks/responses against him, which I think are
> > unwarranted. D.S.
> >
> > -------------------------------------
> > Hadi Nahari, Chief Security Architect
> > NVIDIA, +1.408.562.7916
> > --------------------------------------
> > Dubito ergo mihi licet esse
> >
> >
> >
> >
> -----------------------------------------------------------------------------------
> > This email message is for the sole use of the intended recipient(s) and
> may contain
> > confidential information.  Any unauthorized review, use, disclosure or
> distribution
> > is prohibited.  If you are not the intended recipient, please contact
> the sender by
> > reply email and destroy all copies of the original message.
> >
> -----------------------------------------------------------------------------------
> >
>
>
>
>

Received on Wednesday, 23 September 2015 18:22:11 UTC