W3C home > Mailing lists > Public > public-web-security@w3.org > September 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Martin Paljak <martin.paljak@ria.ee>
Date: Thu, 24 Sep 2015 23:41:23 +0300
To: Harry Halpin <hhalpin@w3.org>, Dave Longley <dlongley@digitalbazaar.com>
CC: <public-web-security@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <56045FF3.5050605@ria.ee>
On 24/09/15 21:50, Harry Halpin wrote:
> Note that use of OAuth does *not* violate SOP because it asks for and
> gets permissions, and the data transfer is done server-to-server.
> Client-based sending of personal data has real difficulty in a
> multi-device world due to issues of syncing and devices being offline.
> However, you can *do* data transfer server-to-server with digital
> signatures and anonymizing property. But building from these kind of
> OAuth data-flows is probably the way to go, where key material can be
> dynamically bound to the session (ala TLS Token Binding) so avoiding
> "one key per user" designs. This slide-deck is a good overview [3].

Maybe this outlines one the problems I'd like to see avoidable as a
required piece of the "web identity" puzzle, if possible: dependence on
central, *on-line* identity providers (what server-to-server
communication depends on). That's a SPOF that has amplification
capability which is not desirable.

Maybe it makes sense to talk about the technical building blocks rather
than a identity solution and provide machinery to build things that
don't screw up the basic constraints "the web" and user agents should
possess and agree upon those constraints. And see if everyone can build
their systems on top of these blocks.

In fact, I don't know why the talk always drifts towards identity. Maybe
identity magnifies the fundamental problem of SOP and non-SOP approach,
but the problem, as Anders has already said, is not unique to identity
but also payments (which I don't know much about, to admit).

As "conspiracy theory" as it sounds there is still in my opinion a
fundamental difference between two camps, the US and EU: one where a
customer database is an asset vs the other where it is a liability. And
mistrust towards different things, eg. there's no "post-Snowden era"
surprise panic among the older population where I come from, because...

Maybe the "require SOP and only SOP, for privacy and security" is
comparable with the "burqa ban" dilemma in some European countries: the
choice should not be to forbid wearing one as option A nor enforcing
everyone to wear one as option B.

But this is exactly what the SOP requirement and super-cookie paranoia
seems to compare to: thinking that one option is "better for everybody,
because ... history and fears and stuff"

I'm not vouching for being forced to choose between option A or option B
with the burqa ban nor in the web space. I believe that "the Web" (and
user-agents) should let the *user choose* what they want. And the Web
should accommodate both.

What I want to say is that whatever the "web platform" will look like
after coming out of W3C or from major browser vendors implementations,
solutions that work for the other camp *will* be implemented. But most
probably with reduced usability and worse security or privacy
properties, if the platform does not facilitate building such things.

And please be confident that it is about clear and articulated user
choice and permissions.

Cybersec R&D
+372 515 6495
Received on Thursday, 24 September 2015 20:41:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:38 UTC