W3C home > Mailing lists > Public > public-web-security@w3.org > September 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Henry Story <henry.story@co-operating.systems>
Date: Wed, 23 Sep 2015 20:56:53 +0100
Cc: Dave Longley Longley <dlongley@digitalbazaar.com>, Halpin Harry <hhalpin@w3.org>, Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>, public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
Message-Id: <7DF60755-067D-45A9-A1DD-1E98F4790B8D@co-operating.systems>
To: Jeffrey Yasskin <jyasskin@google.com>

> On 23 Sep 2015, at 20:18, Jeffrey Yasskin <jyasskin@google.com> wrote:
> On Wed, Sep 23, 2015 at 9:04 AM, Dave Longley
> <dlongley@digitalbazaar.com> wrote:
>> On 09/23/2015 09:57 AM, Harry Halpin wrote:
>>> On 09/23/2015 03:42 AM, Anders Rundgren wrote:
>>>> In my opinion the #1 problem with this discussion is that when you
>>>> mention
>>>> things that doesn't match the SOP vision like the fact that Android-,
>>>> Apple-,
>>>> and Samsung-Pay doesn't work on the Web, dead silence is all you get.
>>> Since the same origin policy is the primary meaningful security boundary
>>> on the Web, I expect for most people interested in security and privacy
>>> that emails that dismiss SOP are generally put in the spam folder.
>>> I do understand some people are interested in creating, for example,
>>> 'unique identifier' across all websites such as in the form of a X.509
>>> certificate. These sort of  totalitarian identity scheme...
>> "dismissing"? "totalitarian"? These words have meanings that don't seem to
>> line up with their usage here, but their connotations do yield negative
>> visceral reactions. Is the goal discord or understanding?
>> I've really only been following this thread from the sidelines, but who has
>> dismissed SOP? Who has shown interest in creating a 'unique identifier'
>> across all websites? Are you referencing a different discussion?
> He might be referring to
> https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/JN-v2FEmBgAJ,
> which expresses a goal to "allow[] you to use one certificate to
> authenticate to all servers".

That was a very early thread in the discussion and my views have evolved 
since then.

For example I was mistaken there. WebCrypto does as Ryan Sleevi pointed out, 
in allow the JS that created a public/private key (stored in local 
web storage) to use that to authenticate across any origin. It can very simply use 
the public key as a global identifier. Or the origin of the JS could publish 
the public key at that origin, and then use that identifier to authenticate 
across web sites, by signing some token if requested by a web site. This is 
inevitable as WebCrypto is a low level crypto framework and can be used to 
sign and encrypt pretty much anything.

I am just about to try to see if I can implement something along 
the lines of "Signing HTTP Messages" [1] using Web Crypto and 
ServiceWorkers in Scala and Scala-JS. I'll report back on that later.

The "Signing HTTP Messages" protocol could be a lot better than TLS client
certificate authentication for HTTP and especially for HTTP/2.0 - it will
certainly be a lot more flexible. 

If I get this to work then we'll have an interesting situation:
 a. we'll have web crypto that can do x-origin authentication
 b. we can do that with X509+TLS in the browser too ( here the 
user gets a certificate selection box that allows him to be in 
control of when the certificate is used )

What I would like the group to think about is the difference between
these two. 

In a. the user has control over which Single Page Application (SPA)
he uses by selecting the origin he goes to. After that is the Origin 
that controls all interactions. It is understaood that a well behaved
SPA though should allow the user to control what identity he is using
across sites. ( perhaps select an authentication policy of some sort )

In b. the user has control over which browser he uses ( which also 
has an origin btw ) after that the browser has control over which 
origins to use a certificate for. But it is understood that good 
browser behavior is to put the user in control of the identity he uses 
across sites. ( and that is my experience of current browsers )

So the difference between the two is not that great. Is this actually
a problem? Is it not? Should the brower perhaps now or in the future
help put the user in control of usage of the private key? Why
is the x-origin authentication ok for WebCrypto but not for 
the browser?

These are important questions to answer. At present I am not sure
if actually using WebCrypto to authenticate cross origins is 
a good thing.


[1] https://tools.ietf.org/html/draft-cavage-http-signatures-04

> Jeffrey
Received on Wednesday, 23 September 2015 19:57:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:38 UTC