- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 20 Jul 2012 08:50:45 -0700
- To: Cameron Jones <cmhjones@gmail.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Henry Story <henry.story@bblfish.net>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones <cmhjones@gmail.com> wrote: > On Fri, Jul 20, 2012 at 8:29 AM, Adam Barth <w3c@adambarth.com> wrote: >> On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones <cmhjones@gmail.com> wrote: >>> On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren <annevk@annevk.nl> wrote: >>>> On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones <cmhjones@gmail.com> wrote: >>>>> Isn't this mitigated by the Origin header? >>>> >>>> No. >>> >>> Could you expand on this response, please? >>> >>> My understanding is that requests generate from XHR will have Origin >>> applied. This can be used to reject requests from 3rd party websites >>> within browsers. Therefore, intranets have the potential to restrict >>> access from internal user browsing habits. >> >> They have the potential, but existing networks don't do that. We need >> to protect legacy systems that don't understand the Origin header. >> > > Yes, i understand that. When new features are introduced someone's > security policy is impacted, in this case (and by policy always the > case) it is those who provide public services who's security policy is > broken. > > It just depends on who's perspective you look at it from. > > The costs of private security *is* being paid by the public, although > it seems the public has to pay a high price for everything nowadays. I'm not sure I understand the point you're making, but it's doesn't really matter. We're not going to introduce vulnerabilities into legacy systems. >>>>> Also, what about the point that this is unethically pushing the costs >>>>> of securing private resources onto public access providers? >>>> >>>> It is far more unethical to expose a user's private data. >>> >>> Yes, but if no user private data is being exposed then there is cost >>> being paid for no benefit. >> >> I think it's difficult to discuss ethics without agreeing on an >> ethical theory. Let's stick to technical, rather than ethical, >> discussions. > > Yes, but as custodians of a public space there is an ethical duty and > responsibility to represent the interests of all users of that space. > This is why the concerns deserve attention even if they may have been > visited before. I'm sorry, but I'm unable to respond to any ethical arguments. I can only respond to technical arguments. > Given the level of impact affects the entire corpus of global public > data, it is valuable to do a impact and risk assessment to garner > whether the costs are significantly outweighed by either party. > > With some further consideration, i can't see any other way to protect > IP authentication against targeted attacks through to their systems > without the mandatory upgrade of these systems to IP + Origin > Authentication. > > So, this is a non-starter. Thanks for all the fish. That's why we have the current design. Adam
Received on Friday, 20 July 2012 15:51:47 UTC