Re: Remove paths from CSP? from Sigbjørn Vik on 2014-02-19 (public-webappsec@w3.org from February 2014)

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Wed, 19 Feb 2014 10:05:23 +0100
To: public-webappsec@w3.org
Message-ID: <530473D3.8030006@opera.com>

From: Daniel Veditz <dveditz@mozilla.com>
> I think I'm lost... how does this relate to phishing?
Being able to detect which websites a user has visited, which websites a
user is logged in to, and which user name a user has on that website
makes phishing a lot easier and a lot more convincing. This even applies
to spam mail, if a user clicks a link, and the resulting page can know
the user name on a social site, along with any public information, that
resulting page can be tailored to the user.

> I can't agree that that phishing is worse than XSS
There is really no comparison if you look at the statistics, phishing is
a lot worse than XSS. One of the links below states that "91% of
breaches are attributable to spear phishing". Not that you should
believe that number by itself, feel free to do your own research - that
number also includes non web related phishing. If you can provide some
links to research that shows that XSS is a larger threat to companies
than phishing, I'd be happy to reconsider my stance.
>From an earlier post:
[1]
http://www.scmagazine.com/phishing-remains-most-reliable-cyber-fraud-mechanism/article/248998/
[1] http://www.proofpoint.com/uk/topten/index-roi.php
[2]
http://www.invincea.com/wp-content/uploads/Invincea-spear-phishing-watering-hole-drive-by-whitepaper-5.17.13.pdf

> What is the "almost identical solution... without the tradeoff"?
Don't leak information. Remove report-uri, and pretend the resource
loaded as normal. Keep paths, as this thread has shown, they are already
being put to good use.


But you are right, this is a long thread, so let me attempt to summarize:
As currently specced, redirection paths can leak cross domain. This may
leak logged-in status and user names.

There are at least three proposals to fix this:
a) Remove paths.
Pro: This removes the worst offender.
Con: Redirection domains are still leaked. This removes a useful feature.

b) Only consider the first URL, do not block resources based on the
redirected-to URLs.
Pro: Removes all leakage.
Con: Lots of open redirects exist, any such allowed by CSP would render
the protection useless.

c) Don't leak cross domain information to the originator. (Remove
report-uri, and pretend the resource loaded as normal.)
Pro: Removes all leakage.
Con: Removes debugging features. The most complex to implement.

-- 
Sigbjørn Vik
Opera Software

Received on Wednesday, 19 February 2014 09:08:24 UTC