"Secure Introduction of Internet-Connected Things" (was Re: [webappsec] Agenda for MONDAY Teleconference 2014-10-20, 12:00 PDT)

Forking the thread, adding felt@ and palmer@, as they will surely have
opinions.

I like the direction, FWIW, but I haven't at all thought through the
problem. Chris has, at least a bit:
http://noncombatant.org/2014/10/12/brainstorming-security-for-the-internet-of-things/
is worth reading.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Oct 20, 2014 at 7:00 PM, Brad Hill <hillbrad@gmail.com> wrote:

> Ah, yes, thank's for reminding me of my own pet idea, Mike.  :)
>
> I was thinking of it something along the lines of "Secure Introduction
> of Internet-Connected Things".  Basic idea is that there are an
> increasing number of devices in people's homes that host web servers,
> and there is no really good way to connect to them securely from a
> browser under existing HTTPS rules.
>
> I think it is a bad idea to have users go through the ordinary
> "untrusted certificate" or "unknown authority" flows in the browser to
> use these devices, because it trains users to ignore these warnings
> and puts back pressure on UA authors who want to make these
> experiences increasingly strict.
>
> The idea I was tossing around would be to have some different kind of
> secure introduction ceremony to replace the untrusted certificate
> dialog *for hosts on the local network only*.  Perhaps something like
> Bluetooth / WPS pairing, where the user could get a page that tells
> them this is a locally connected device and they have to enter a
> pairing code to trust it, with other-than-standard HTTPS UX treatment
> following, but less strict rules about mixed content blocking, etc.
> than an untrusted or HTTP connection would receive.
>
> There are a number of moving parts involved to get this right:
>   - definitely UI, which the W3C doesn't have a great history in, but
> perhaps which we can describe the requirements for without
> prescriptively specifying
>   - thinking about what constitutes a "locally attached network
> device", how to detect and verify that, and how to manage subsequent
> accesses over a WAN
>   - some Fetch rules similar to Mixed Content
>   - perhaps a certificate extension to identify these devices
>
>
>
> On Mon, Oct 20, 2014 at 7:45 AM, Mike West <mkwst@google.com> wrote:
> > On Sun, Oct 19, 2014 at 10:19 PM, Brad Hill <hillbrad@gmail.com> wrote:
> >>
> >> 08:20 - 08:30    TOPIC: [webappsec] Topics for Rechartering
> >>
> >>
> http://lists.w3.org/Archives/Public/public-webappsec/2014Oct/0037.html
> >
> >
> > CSP3. I'd suggest that this work should at least include a Fetch-based
> > rewrite and a DOM-accessible API.
> >
> >> 08:30 - 09:00    TOPIC: AOB
> >
> >
> > * Should we split Mixed Content into a document focusing on "Insecure
> > content (HTTP) in a secure context (HTTPS)", and another focusing on
> > "Intranet content in an extranet context"? Brad(?) suggested this at some
> > point in the past, and the more I think about it, the more it probably
> makes
> > sense. +Brian, who has opinions here, I think.
> >
> > * CSP2 -> CR? After TPAC, I suppose?
> >
> > -mike
> >
> > --
> > Mike West <mkwst@google.com>
> > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> >
> > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> > Registergericht und -nummer: Hamburg, HRB 86891
> > Sitz der Gesellschaft: Hamburg
> > Geschäftsführer: Graham Law, Christine Elizabeth Flores
> > (Sorry; I'm legally required to add this exciting detail to emails.
> Bleh.)
> >
>