Re: Remove paths from CSP? from Daniel Veditz on 2014-02-25 (public-webappsec@w3.org from February 2014)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 25 Feb 2014 13:13:56 -0800
To: Sigbjørn Vik <sigbjorn@opera.com>, Mike West <mkwst@google.com>
CC: Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michal Zalewski <lcamtuf@google.com>, Eduardo' Vela <evn@google.com>
Message-ID: <530D0794.9030704@mozilla.com>

On 2/25/2014 7:01 AM, Sigbjørn Vik wrote:
> For services such as gmail and hotmail, the login happens on a
> different domain than the service. This is an extremely common setup,
> including on high value targets

This is NOT common, but unfortunately it is used on some high-traffic
(likely high value) domains.

> Personally, I consider any solution which instantly reveals logged-in
> status on such services to be a security flaw, and a non-starter.

Logged-in status is almost certainly a lost cause on the web but it 
would be nice if we could avoid making the problem worse. Leaking 
identifiable information with paths (user names, OAuth tokens, etc) _is_ 
a new attack and we must absolutely not do that.

> Timing attacks are generally protected against by ensuring
> operations take equally long regardless of the input.

You can't make everything equally fast so you must make things equally 
slow, and these days browsers are competing in part on speed. There's no 
way Mike (Google) or I (Mozilla) could sell that to our respective 
browser engine teams. Not unless the citizens of the web rise up and 
demand it--and I mean lots and lots of them, not just a few of our 
fellow paranoids. As an instructive example look how long it took to get 
the CSS :visited history-sniffing issue fixed, and it was basically the 
same kind of leakage.

> Timing attacks on logged-in vs not-logged-in pages are currently not
> considered very serious in general. It depends on heuristics, many
> retries, and is susceptible to failure due to e.g. noise, background
> processes, user location, etc. An attack requires close statistical
> studies of the target first, and must be updated whenever the target
> changes.

I agree with your first sentence--people in general don't seem too 
worked up about the various demonstrations that have been made. I 
disagree that current state of the art login detection is unreliable. 
It's not perfect, but it's pretty damn good.

-Dan Veditz

Received on Tuesday, 25 February 2014 21:14:14 UTC