- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Mon, 17 Feb 2014 11:10:12 +0100
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 14-Feb-14 20:02, Daniel Veditz wrote:

> On 2/14/2014 12:53 AM, Sigbjørn Vik wrote:
>> From: Daniel Veditz <dveditz@mozilla.com>
>>> I'm not too concerned about CSP being used to determine if someone is
>>> logged in to a particular site or not, because timing attacks are good
>>> enough to figure that out for most sites already.
>>
>> That many sites have an existing security hole is not an argument to
>> build this security hole into browsers by default.
>
> The web is an inconsistent accretive steaming mess and perfect solutions
> don't exist. We are not "building a security hole", we are building a
> feature to make things in general more secure. It appears we may be
> making other things less secure. How much less? How much, and in what
> cases, does CSP improve security? Is it worth giving up that security
> improvement to avoid causing this "hole"? Is the security problem we're
> causing equivalent to existing problems, and if so is there any hope
> that those other problems will be solved (that is, even if we're not
> really making things worse now, will we be leaving things worse in the
> future)? Are there alternatives where we can have both the CSP security
> improvements and avoid the "hole" altogether, or minimize the damage?

I agree that when we are discussing a topic where tradeoffs are required, the negative sides need to be evaluated carefully, and I am happy to see you consider them. We need to take into account that the negative sides might also be bigger than what we are able to understand today.

XSS is a serious issue on the web, but it is well known how to fix it. Phishing is an even worse issue on the web, with no simple ways of fixing it. Fixing a serious issue at the cost of an even worse one seems like a suboptimal tradeoff, especially when an almost identical solution exists without the tradeoff.

-- 
Sigbjørn Vik
Opera Software
Received on Monday, 17 February 2014 10:10:44 UTC