- From: Cameron Jones <cmhjones@gmail.com>
- Date: Fri, 20 Jul 2012 12:37:49 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Henry Story <henry.story@bblfish.net>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On Fri, Jul 20, 2012 at 8:29 AM, Adam Barth <w3c@adambarth.com> wrote:
> On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones <cmhjones@gmail.com> wrote:
>> On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones <cmhjones@gmail.com> wrote:
>>>> Isn't this mitigated by the Origin header?
>>>
>>> No.
>>
>> Could you expand on this response, please?
>>
>> My understanding is that requests generated from XHR will have Origin
>> applied. This can be used to reject requests from 3rd party websites
>> within browsers. Therefore, intranets have the potential to restrict
>> access from internal user browsing habits.
>
> They have the potential, but existing networks don't do that. We need
> to protect legacy systems that don't understand the Origin header.
>

Yes, I understand that. When new features are introduced someone's security policy is impacted; in this case (and by policy always the case) it is those who provide public services whose security policy is broken. It just depends on whose perspective you look at it from. The costs of private security *are* being paid by the public, although it seems the public has to pay a high price for everything nowadays.

>>>> Also, what about the point that this is unethically pushing the costs
>>>> of securing private resources onto public access providers?
>>>
>>> It is far more unethical to expose a user's private data.
>>
>> Yes, but if no user private data is being exposed then there is cost
>> being paid for no benefit.
>
> I think it's difficult to discuss ethics without agreeing on an
> ethical theory. Let's stick to technical, rather than ethical,
> discussions.
>

Yes, but as custodians of a public space there is an ethical duty and responsibility to represent the interests of all users of that space. This is why the concerns deserve attention even if they may have been visited before.
Given that the level of impact affects the entire corpus of global public data, it is valuable to do an impact and risk assessment to garner whether the costs are significantly outweighed for either party. With some further consideration, I can't see any other way to protect IP authentication against targeted attacks through to their systems without the mandatory upgrade of these systems to IP + Origin Authentication. So, this is a non-starter. Thanks for all the fish.

> Adam

Thanks,
Cameron Jones
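The "IP + Origin Authentication" the message ends on, as an added example that is not from this thread or from any W3C text: a server-side check that accepts a request only when the client address is on an assumed intranet range and the Origin header, when the browser sends one, names an assumed trusted origin. The networks, origin names and the `authorize` function are all assumptions made for the illustration.

```python
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed intranet address ranges and the origins allowed to script against
# the service; real deployments would load these from configuration.
INTRANET_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
TRUSTED_ORIGINS = {"https://intranet.example", "https://tools.intranet.example"}


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def origin_allowed(origin: Optional[str]) -> bool:
    """Accept a missing Origin (same-origin or non-browser client, the legacy
    IP-only case from the thread), reject the opaque 'null' origin, and
    require an exact scheme://host[:port] match otherwise."""
    if origin is None:
        return True
    if origin.strip().lower() == "null":
        return False
    parts = urlsplit(origin.strip())
    # A serialized origin carries no path, query or fragment; anything else
    # is malformed and is rejected rather than guessed at.
    if parts.scheme != "https" or not parts.netloc or parts.path \
            or parts.query or parts.fragment:
        return False
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}" in TRUSTED_ORIGINS


def authorize(remote_ip: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """IP + Origin check: both the source address and (when present) the
    browser-supplied Origin must pass. Returns (allowed, reason)."""
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "bad-ip"
    if not any(ip in net for net in INTRANET_NETS):
        return False, "ip-not-intranet"
    if not origin_allowed(header(headers, "Origin")):
        # Intranet client, but the request was scripted from an untrusted
        # site: this is exactly the request IP-only authentication lets through.
        return False, "origin-rejected"
    return True, "ok"
```

The "origin-rejected" branch is the case the thread is about: the source address is internal, so IP-based authentication alone would have accepted the request.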
Received on Friday, 20 July 2012 11:38:18 UTC