- From: Hadi Nahari <hnahari@nvidia.com>
- Date: Wed, 23 Sep 2015 21:28:31 +0000
- To: Harry Halpin <hhalpin@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>
On 9/23/15, 11:08 AM, "Harry Halpin" <hhalpin@w3.org> wrote:

>On 09/23/2015 01:36 PM, Hadi Nahari wrote:
>>
>> On 9/23/15, 9:43 AM, "Harry Halpin" <hhalpin@w3.org> wrote:
>>
>>> On 09/23/2015 12:25 PM, Martin Paljak wrote:
>>>> Hello,
>>>>
>>>> On 23/09/15 18:45, Harry Halpin wrote:
>>>>> At this point, I think it would be a useful discussion for the Chair of
>>>>> the IG to move the IG to member-only in a re-chartering, as it may be
>>>>> the only way to keep the discussion on-topic.
>>>> What exactly is off-topic or trolling?
>>>>
>>>> It seems to me that people have quite nicely tried to bring up the
>>>> possibility of at least *discussing* security models other than SOP for
>>>> certain scenarios, but are being turned down with "you don't seem to know
>>>> how the Web works, the Web will not work with that, only SOP is ever
>>>> being discussed, period".
>>>>
>>>> While SOP is a fundamental principle for web security, I don't think it
>>>> is *the* principle everything and anything must comply to. Am I wrong?
>>>>
>>>> Maybe it makes sense to remind two nice sayings:
>>>>
>>>> "Browser is supposed to be a User-Agent, not Industry-Agent"
>>>> and
>>>> "If all you have is a hammer, everything starts to look like a nail"
>>>>
>>>> I don't know what exactly you think by "the Web" but it seems that there
>>>> is a fundamental difference in understanding what the user actually
>>>> wants or is supposed to want or is allowed to want.
>>>>
>>>> Clearly articulating that you don't care and don't want to listen is OK,
>>>> but rejecting meaningful dialogue by masking it as "trolling" is not
>>>> going to lead to fruitful results.
>>>>
>>>> I think it is obvious that there is a fundamental difference between how
>>>> certain groups think or envision "the web" but I see no fundamental
>>>> reason why the two groups can't work together on technical terms,
>>>> finding the balance and compromises between the different approach to
>>>> security, privacy etc.
>>>>
>>>> Except for "don't want to play together, so no point in trying" is the
>>>> reason, in which case it really makes no sense. That's not the web I'm
>>>> into.
>>> I am bringing up the point that the Web Security Interest Group is based
>>> on the "Web", whose only meaningful security boundary is the Same Origin
>>> Policy.
>>>
>>> It would of course be within scope on how to tie existing, non-Web
>>> security models to the Web Security Model and to respect the same origin
>>> policy. I suggested for example, per-origin based key derivation. There
>>> are many other possible routes.
>>>
>>> However, throwing Same Origin Policy out would be out of scope and is a
>>> non-starter likely for anything that be implemented. If there are basic
>>> problems understanding the Same Origin Policy, I believe this should be
>>> addressed off-list. For non-Web security standards, there are many other
>>> forums to choose from.
>>>
>>> cheers,
>>> harry
>>>
>>>>
>>>> Martin
>>>
>> Harry;
>>
>> I have been following this specific thread with a great deal of interest
>> and haven’t felt spammed. I think your attempt to shut this down is out of
>> line, though I agree that a bit of civility could help. The [non-]
>> argument of “you don’t know how [X] works” is not logical reasoning, and
>> does not replace it.
>
>I believe it should be expected that in addition to civility, folks on
>this list need to have a basic understanding of the Web and security.

Agreed. However, what are the criteria to assess the “basic understanding”? Certification (which ones, why?)? Experience (eliminates bright, but new participants)? Board members/you (humans can become biased)? See where I’m going?

>Thus, a move to an Invited Expert/Member model may be appropriate to the
>IG.

I’m not getting the “thus” part: how did the former statement logically lead to the latter? If there’s a bylaw that I’m not aware of, please provide ref.

>
>>
>> >>>> … “whose only meaningful security boundary is the Same Origin Policy.
>> I disagree. This is the whole reason that having conversations like this
>> is useful so that we “evaluate” whether this is true, rather than “assert”
>> it.
>>
>> Let’s, instead, follow and apply rules of civilized argumentation, rather
>> than just shut things down. Not cool.
>If you have a different security and privacy boundary than SOP, you
>should articulate it.

The point I raised was intended to focus on "the process of dealing with the issue at hand” rather than “the issue at hand.” I will, of course, speak up when I think I have something meaningful to contribute to the issue.

>
>However, Anders and others seem to be insinuating there is a conspiracy
>against them rather than clearly articulating their desired
>security/privacy boundary, when the problem may instead be, as I pointed
>out, the fact that proposals to break SOP have security/privacy problems
>and these should be addressed by adapting these proposals to SOP.
>Greater permissions, access to hardware tokens, user control over
>Javascript, and other useful security/privacy could be accomplished
>without breaking SOP. When arguing to replace SOP, you should first
>prove what you want can't be done within SOP and why.
>
>Simply throwing out security/privacy boundaries on the Web would make
>things *much* worse for end-users, enable easier-tracking, and open
>whole new attack surfaces. For an example of how 'extension' models that
>don't respect SOP go wrong, browser extensions are a useful example:
>http://www.howtogeek.com/188346/why-browser-extensions-can-be-dangerous-and-how-to-protect-yourself/
>
>Thus, causing changes in browsers like Mozilla:
>http://www.scmagazineuk.com/mozilla-changes-security-model-to-bolster-extension-protection/article/434599/
>
>Due to these kinds of attacks, I expect browser extensions to be slowly
>phased out precisely due to their lack of a meaningful security/privacy
>boundary. If one wants to replace or violate SOP, one should be aware of
>how it could be abused.
>
> cheers,
> harry
>
>>
>> Regards,
>> -Hadi
>> P.S. Though I don’t agree with all Mr. Rundgren’s assertions, but have
>> also seen some vile attacks/responses against him, which I think are
>> unwarranted. D.S.
>>
>> \-------------------------------------
>> Hadi Nahari, Chief Security Architect
>> NVIDIA, +1.408.562.7916
>> --------------------------------------\
>> Dubito ergo mihi licet esse
>>

Regards,
-Hadi

\-------------------------------------
Hadi Nahari, Chief Security Architect
NVIDIA, +1.408.562.7916
--------------------------------------\
Dubito ergo mihi licet esse

Received on Wednesday, 23 September 2015 21:29:00 UTC