W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [webappsec] Agenda for MONDAY Teleconference 2014-10-20, 12:00 PDT

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 20 Oct 2014 10:00:35 -0700
Message-ID: <CAEeYn8h6ew4RtUqn69Wz6_1NsftaApRbr=oUKXF5z=LzW6tC=g@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>
Ah, yes, thank's for reminding me of my own pet idea, Mike.  :)

I was thinking of it something along the lines of "Secure Introduction
of Internet-Connected Things".  Basic idea is that there are an
increasing number of devices in people's homes that host web servers,
and there is no really good way to connect to them securely from a
browser under existing HTTPS rules.

I think it is a bad idea to have users go through the ordinary
"untrusted certificate" or "unknown authority" flows in the browser to
use these devices, because it trains users to ignore these warnings
and puts back pressure on UA authors who want to make these
experiences increasingly strict.

The idea I was tossing around would be to have some different kind of
secure introduction ceremony to replace the untrusted certificate
dialog *for hosts on the local network only*.  Perhaps something like
Bluetooth / WPS pairing, where the user could get a page that tells
them this is a locally connected device and they have to enter a
pairing code to trust it, with other-than-standard HTTPS UX treatment
following, but less strict rules about mixed content blocking, etc.
than an untrusted or HTTP connection would receive.

There are a number of moving parts involved to get this right:
  - definitely UI, which the W3C doesn't have a great history in, but
perhaps which we can describe the requirements for without
prescriptively specifying
  - thinking about what constitutes a "locally attached network
device", how to detect and verify that, and how to manage subsequent
accesses over a WAN
  - some Fetch rules similar to Mixed Content
  - perhaps a certificate extension to identify these devices

On Mon, Oct 20, 2014 at 7:45 AM, Mike West <mkwst@google.com> wrote:
> On Sun, Oct 19, 2014 at 10:19 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> 08:20 - 08:30    TOPIC: [webappsec] Topics for Rechartering
>>     http://lists.w3.org/Archives/Public/public-webappsec/2014Oct/0037.html
> CSP3. I'd suggest that this work should at least include a Fetch-based
> rewrite and a DOM-accessible API.
>> 08:30 - 09:00    TOPIC: AOB
> * Should we split Mixed Content into a document focusing on "Insecure
> content (HTTP) in a secure context (HTTPS)", and another focusing on
> "Intranet content in an extranet context"? Brad(?) suggested this at some
> point in the past, and the more I think about it, the more it probably makes
> sense. +Brian, who has opinions here, I think.
> * CSP2 -> CR? After TPAC, I suppose?
> -mike
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 20 October 2014 17:01:06 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:41 UTC