W3C home > Mailing lists > Public > public-web-security@w3.org > September 2015

Re: Removing trolls and off-topic conversation from Web Security IG? [was Re: A Somewhat Critical View of SOP (Same Origin Policy)]

From: Hadi Nahari <hnahari@nvidia.com>
Date: Wed, 23 Sep 2015 21:28:31 +0000
To: Harry Halpin <hhalpin@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <D228613C.173D8B%hnahari@nvidia.com>

On 9/23/15, 11:08 AM, "Harry Halpin" <hhalpin@w3.org> wrote:

>On 09/23/2015 01:36 PM, Hadi Nahari wrote:
>> On 9/23/15, 9:43 AM, "Harry Halpin" <hhalpin@w3.org> wrote:
>>> On 09/23/2015 12:25 PM, Martin Paljak wrote:
>>>> Hello,
>>>> On 23/09/15 18:45, Harry Halpin wrote:
>>>>> At this point, I think it would be a useful discussion for the Chair
>>>>> the IG to move the IG to member-only in a re-chartering, as it may be
>>>>> the only way to keep the discussion on-topic.
>>>> What exactly is off-topic or trolling?
>>>> It seems to me that people have quite nicely tried to bring up the
>>>> possibility of at least *discussing* security models other than SOP
>>>> certain scnarios, but are being turned down with "you don't seem to
>>>> how the Web works, the Web will not work with that, only SOP is ever
>>>> being discussed, period".
>>>> While SOP is a fundamental principle for web security, I don't think
>>>> is *the* principle everything and anything must comply to. Am I wrong?
>>>> Maybe it makes sense to remind two nice sayings:
>>>> "Browser is supposed to be a User-Agent, not Industry-Agent"
>>>> and
>>>> "If all you have is a hammer, everything starts to look like a nail"
>>>> I don't know what exactly you think by "the Web" but it seems that
>>>> is a fundamental difference in understanding what the user actually
>>>> wants or is supposed to want or is allowed to want.
>>>> Clearly articulating that you don't care and don't want to listen is
>>>> but rejecting meaningful dialogue by masking it as "trolling" is not
>>>> going to lead to fruitful results.
>>>> I think it is obvious that there is a fundamental difference between
>>>> certain groups think or envision "the web" but I see no fundamental
>>>> reason why the two groups can't work together on technical terms,
>>>> finding the balance and compromises between the different approach to
>>>> security, privacy etc.
>>>> Except for "don't want to play together, so no point in trying" is the
>>>> reason, in which case it really makes no sense. That's not the web I'm
>>>> into.
>>> I am bringing up the point that the Web Security Interest Group is
>>> on the "Web", whose only meaningful security boundary is the Same
>>> Policy.
>>> It would of course be within scope on how to tie existing, non-Web
>>> security models to the Web Security Model and to respect the same
>>> policy. I suggested for example, per-origin based key derivation. There
>>> are many other possible routes.
>>> However, throwing Same Origin Policy out would be out of scope and is a
>>> non-starter likely for anything that be implemented. If there are basic
>>> problems understanding the Same Origin Policy, I believe this should be
>>> addressed off-list. For non-Web security standards, there are many
>>> forums to chose from.
>>>   cheers,
>>>       harry
>>>> Martin
>> Harry;
>> I have been following this specific thread with a great deal of interest
>> and haven¹t felt spammed. I think your attempt to shut this down is out
>> line, though I agree that a bit of civility could help. The [non-]
>> argument of ³you don¹t know how [X] works² is not logical reasoning, and
>> does not replace it.
>I believe it should be expected that in addition to civility, folks on
>this list need to have a basic understanding of the Web and security.

Agreed. However, what are the criteria to assess the “basic
understanding”? Certification (which ones, why?)? Experience (eliminates
bright, but new participants)? Board members/you (humans can become
biased)? See where I’m going?

>Thus, a move to an Invited Expert/Member model may be appropriate to the

I’m not getting the “thus” part: how did the former statement logically
lead to the latter? If there’s a bylaw that I’m not aware of, please
provide ref.

>>>> Š ³whose only meaningful security boundary is the Same Origin Policy.
>> I disagree. This is the whole reason that having conversations like this
>> is useful so that we ³evaluate² whether this is true, rather than
>> it.
>> Let¹s, instead, follow and apply rules of civilized argumentation,
>> than just shut things down. Not cool.
>If you have a different security and privacy boundary than SOP, you
>should articulate it.

The point I raised was intended to focus on "the process of dealing with
the issue at hand” rather than “the issue at hand.” I will, of course,
speak up when I think I have something meaningful to contribute to the

>However, Anders and others seem to be insinuating there is a conspiracy
>against them rather than clearly articulating their desired
>security/privacy boundary, when the problem may instead be, as I pointed
>out, the fact that proposals to break SOP have security/privacy problems
>and these should be addressed by adapting these proposals to SOP.
>Greater permissions, access to hardware tokens, user control over
>Javascript, and other useful security/privacy could be accomplished
>without breaking SOP. When arguing to replace SOP, you should first
>prove what you want can't be done within SOP and why.
>Simply throwing out security/privacy boundaries on the Web would make
>things *much* worse for end-users, enable easier-tracking, and open
>whole new attack surfaces. For an example of how 'extension' models that
>don't respect SOP go wrong, browser extensions are a useful example:

>Thus, causing changes in browsers like Mozilla:

>Due to these kinds of attacks, I expect browser extensions to be slowly
>phased out precisely due to their lack of a meaningful security/privacy
>boundary. If one wants to replace or violate SOP, one should be aware of
>how it could be abused.
>             cheers,
>                     harry
>> Regards,
>> -Hadi
>> P.S. Though I don¹t agree with all Mr. Rundgren¹s assertions, but have
>> also seen some vile attacks/responses against him, which I think are
>> unwarranted. D.S.
>> \-------------------------------------
>> Hadi Nahari, Chief Security Architect
>> NVIDIA, +1.408.562.7916
>> --------------------------------------\
>> Dubito ergo mihi licet esse
>> This email message is for the sole use of the intended recipient(s) and
>>may contain
>> confidential information.  Any unauthorized review, use, disclosure or
>> is prohibited.  If you are not the intended recipient, please contact
>>the sender by
>> reply email and destroy all copies of the original message.

Hadi Nahari, Chief Security Architect
NVIDIA, +1.408.562.7916
Dubito ergo mihi licet esse

Received on Wednesday, 23 September 2015 21:29:00 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:38 UTC