
Re: [MIX] Require HTTPS scripts to be able to do anything HTTP scripts can do.

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 22 Jan 2015 17:50:11 +0000
Message-ID: <CAEeYn8htD3BFrjfXBQHyM9Os0JOHtwCjoAVvYcPGKpv_KXoOJQ@mail.gmail.com>
To: Tim Berners-Lee <timbl@w3.org>, Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
Tim,

  I'd like to return to this, as the group would like to move Mixed-Content
to Candidate Recommendation and want to be sure you feel your concerns have
been substantively addressed.

  Unfortunately, I don't think we've arrived at a solution for your concern
we can add to the spec.  My read of the conversation so far is that we:

*  Don't have techniques to allow inclusion of arbitrary data to be loaded
insecurely into secure contexts without catastrophically damaging the
actual security guarantees users expect from an https resource.  Data is
special, but many examples demonstrate the danger to users of insecure
data, even if treated with proper care to separate it from code (which
separation is also not mandatory or even typical on the Web platform).

*  Don't have a way to clearly communicate to users who often struggle to
understand a binary secure/insecure distinction a fuzzy state of "maybe
secure if there are no network attackers"

I think it would be more productive to focus on outreach, removing the
obstacles to upgrading to https (I asked on the LDP mailing list about
this, with no replies yet:
https://lists.w3.org/Archives/Public/public-ldp/2015Jan/0002.html) and
perhaps on better algorithms in user agents for optimistic upgrade.

That broader discussion is happening over in the TAG currently with their
draft finding on Transitioning the Web to HTTPS.

Are you satisfied that your concerns have been reasonably addressed?  Do
you feel there was an alternate path forward from this thread that I failed
to extract?

Thank you,

Brad Hill
Co-chair, WebAppSec


On Mon Jan 05 2015 at 4:31:30 AM Tim Berners-Lee <timbl@w3.org> wrote:

>
> On 2015-01-05, at 06:45, Anne van Kesteren <annevk@annevk.nl> wrote:
>
> > On Mon, Jan 5, 2015 at 12:26 PM, Tim Berners-Lee <timbl@w3.org> wrote:
> >> They are not.  Data is special
> >
> > Right. I think you could make your point more clear if rather than
> > talking about scripts (which could themselves create <script> elements
> > and such) you instead focused on the use case you care about, loading
> > some data from another origin.
>
> Indeed.  The example is loading legacy http: data from a secure web app.
>
>
> >
> > There's already a problem with that today, it requires the other
> > origin to use CORS.
>
> CORS does not work with a secure app and a http: data site.
> The wildcard CORS is blocked.
>
> Or you have to put your script on a http: page for it to work.
>
> Hence my suggestion is that it is broken to have something work from a http
> page but not from an https one.
>
> > If it does not have that you need to use a proxy
>
> This means that the actual application center of mass is moved onto the
> server.
> This makes yet another silo.
> This makes all the user's activity available to the person who runs the
> proxy.
> This makes the user's activity available to anyone who subpoenas or cracks
> the proxy.
>
> > (or indeed a native app).
>
> Yes.
>
> > If you want to authenticate your application it requires the other
> > origin to support TLS (in addition to CORS). Again, you can use a
> > proxy to circumvent this (or indeed a native app).
> >
> > Not having these restrictions in place enables all kinds of attacks
> > and classic bugs ;-)
> >
> >
> > --
> > https://annevankesteren.nl/
> >
>
>
Received on Thursday, 22 January 2015 17:50:40 UTC
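The scenario argued over in this thread, a page on one origin loading data from another, passes through two separate browser checks: the Mixed Content check (does an https page get to fetch an http: URL at all?) and the CORS check (does the data origin's response permit the requesting origin?). The following is an added illustration written for this archive page, not code from the thread or from the Mixed Content or Fetch specifications themselves. It models those two checks as plain functions: the blockable / optionally-blockable split follows the Mixed Content draft the WG was moving to CR, and `corsCheck` follows Fetch's CORS check. Only https and wss are treated as a priori authenticated (the spec's other special cases are left out), and all origins, URLs and response headers are constructed sample values.

```javascript
// Added illustration, not from the thread or the specs' own text. Models the
// two checks that gate a cross-origin data load: Mixed Content, then CORS.
// Sample origins, URLs and headers below are constructed for the example.

// Mixed Content: treat only https and wss as "a priori authenticated".
// Assumption: the spec's other special cases (about:blank, data:, ...) are omitted.
function isAPrioriAuthenticated(url) {
  const { protocol } = new URL(url);
  return protocol === "https:" || protocol === "wss:";
}

// Destinations the Mixed Content spec classes as "optionally-blockable"
// (browsers typically warn rather than block); everything else is blockable.
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

// Verdict for a request from pageUrl to requestUrl with a fetch destination.
// The empty-string destination is what fetch() / XMLHttpRequest data loads use.
function mixedContentVerdict(pageUrl, requestUrl, destination) {
  if (!isAPrioriAuthenticated(pageUrl)) return "allowed"; // http page: nothing is "mixed"
  if (isAPrioriAuthenticated(requestUrl)) return "allowed";
  return OPTIONALLY_BLOCKABLE.has(destination) ? "optionally-blockable" : "blocked";
}

// Fetch's CORS check over the response headers. credentialsMode is one of
// "omit", "same-origin", "include"; header names are lower-cased keys.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined || allowOrigin === null) return false;
  if (credentialsMode !== "include" && allowOrigin === "*") return true; // wildcard only without credentials
  if (allowOrigin !== requestOrigin) return false;
  if (credentialsMode !== "include") return true;
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// A data load via fetch()/XHR: Mixed Content runs first, CORS only if that passes.
function dataLoadOutcome(pageUrl, dataUrl, credentialsMode, responseHeaders) {
  const mc = mixedContentVerdict(pageUrl, dataUrl, "");
  if (mc === "blocked") return "blocked: mixed content";
  const origin = new URL(pageUrl).origin;
  return corsCheck(origin, credentialsMode, responseHeaders) ? "ok" : "blocked: CORS check failed";
}

// Constructed sample: a legacy data site that answers every request with a wildcard.
const WILDCARD_RESPONSE = { "access-control-allow-origin": "*" };

// The configurations discussed in the thread (hypothetical hosts):
//  1. secure app loading legacy http: data: stopped before CORS is even consulted
//  2. the same script served from an http: page: the wildcard is enough
//  3. secure app sending credentials: a wildcard is not accepted by the CORS check
//  4. secure app going through an https proxy run by the app operator (the
//     proxy, not the browser, now sees every data URL the user touches)
function threadScenarios() {
  const data = "http://data.example/people.ttl";
  return {
    httpsAppToHttpData: dataLoadOutcome("https://app.example/", data, "omit", WILDCARD_RESPONSE),
    httpAppToHttpData: dataLoadOutcome("http://app.example/", data, "omit", WILDCARD_RESPONSE),
    httpsAppWithCredentials: dataLoadOutcome("https://app.example/", "https://data.example/people.ttl", "include", WILDCARD_RESPONSE),
    httpsAppViaProxy: dataLoadOutcome("https://app.example/", "https://proxy.app.example/?u=" + encodeURIComponent(data), "omit", WILDCARD_RESPONSE),
  };
}
```

Running `threadScenarios()` gives `blocked: mixed content` for the first case, `ok` for the second, `blocked: CORS check failed` for the third and `ok` for the fourth, which is the asymmetry the thread is about: the http page and the proxied https page both succeed, while the direct https-to-http load never reaches the CORS check at all.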
