- From: Amir Herzberg <herzbea@macs.biu.ac.il>
- Date: Thu, 07 Dec 2006 09:42:02 +0200
- To: "Close, Tyler J." <tyler.close@hp.com>
- CC: W3 Work Group <public-wsc-wg@w3.org>
Close, Tyler J. wrote:
> Amir Herzberg wrote:
>
>> I agree. But more: the reality is that most web pages are
>> not SSL/TLS protected. In such cases, the domain names
>> provide the only (very limited) mechanism of
>> identification. It is secure against weak attackers, not
>> against DNS controlling or MITM attackers, of course, and
>> only to the extent that users can validate the URL/domain.
>> So I agree it is very weak protection. Still, as long as
>> most sites are not using SSL, I find it very hard to give
>> up on this limited identification mechanism.
>
> So what are the risks? Since we agree that the current URL display for
> non-SSL sites is "very weak protection", really the only thing
> preventing attack is lack of interest from attackers. Removing the "very
> weak protection" is not going to increase the value of the 'protected'
> assets.

This is incorrect. The protection is very weak, compared to (proper)
cryptographic protection such as TLS, but not negligible. In fact, there
are many scenarios and systems built on such weak security assumptions,
using adversary models such as `blind adversary` or `insert-only
adversary`. In particular, this is currently the only realistic attack
model for DoS attacks. Another example: the current email authentication
systems/proposals (SPF, DKIM, SenderID) all fail if the attacker can do
DNS spoofing (and certainly against MITM!). So I don't think we can
simply ignore the defense offered by this (weak) protection mechanism.

> I also argue that "very weak protection" is too high praise for the
> display of http:// URLs. I think the display actually works in the
> attacker's favor. Since the display is easily subverted by the DNS
> tricks of a rogue wireless access point, a user who is accustomed to
> relying on the URL display is easy prey. The truth is that when talking
> http: over a wireless network, you should assume you are talking to a
> stranger. If we ease the user into acting otherwise, we're helping the
> phisher.

Of course, this is a valid risk. It is even worse, since the problem is
not limited to the value of the `served resources`. If the user trusts
the site owner, e.g. Yahoo! or Google (or any other site, really), they
are likely to trust many `offers` from that source - e.g., of a `plugin
to better view new features`. So the current situation is bad. But not
displaying the location bar will not help us, if the user will install
this nice new helper application, would it?

Ultimately, I believe that eventually all web sites should use
cryptographic protection (e.g. TLS, but there are some efficiency
savings possible which may help in this process - again, this imho is
beyond the scope of this WG). Once that happens, we may be able to give
up on the location bar as a (weak) defense mechanism, although usability
concerns may remain.

Best, Amir

> So, if the host web site doesn't think the served resources are worth
> protecting, we don't need to pretend to protect them. Further, such make
> believe can deceive the user and undermine our protection of more highly
> valued assets.
>
> Tyler
Received on Thursday, 7 December 2006 07:42:49 UTC
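Amir's remark above that SPF (and likewise DKIM and SenderID) holds against an insert-only attacker but collapses against one who controls DNS is easy to make concrete. The following is an added example, not code from the thread, from the working group, or from any real SPF implementation: a toy SPF evaluator that handles only `ip4:`/`ip6:` mechanisms and the `all` directive, run against a constructed in-memory table that stands in for the resolver's TXT answer instead of a live query. The domain `example.com`, the address ranges, the record contents and the `verify_sender` accept/reject policy are all constructed for illustration. The same forged message gets `fail` from honest DNS and `pass` once the attacker's resolver (a rogue access point, in Tyler's scenario) answers the lookup.

```python
import ipaddress

# Constructed in-memory "DNS": domain -> list of TXT records.
# A real verifier issues a live TXT query; this table stands in for the
# answer the resolver returns. (Assumption for this example only.)
HONEST_DNS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],    # legitimate MTA range
}

# What a rogue resolver (e.g. a hostile wireless access point) could hand
# back instead: the attacker simply publishes its own sending range.
SPOOFED_DNS = {
    "example.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
}

# SPF qualifier -> result name
_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(dns, domain):
    """Stand-in for a DNS TXT query against the given (constructed) table."""
    return dns.get(domain, [])


def spf_check(dns, domain, client_ip):
    """Minimal SPF evaluator.

    Supports only the ip4:/ip6: mechanisms and the 'all' mechanism, each
    with an optional qualifier; other mechanisms (a, mx, include, ...) are
    skipped. Returns 'none', 'pass', 'fail', 'softfail' or 'neutral'.
    """
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup_txt(dns, domain)
               if r.lower().startswith("v=spf1 ") or r.lower() == "v=spf1"]
    if not records:
        return "none"                      # no SPF policy published
    for term in records[0].split()[1:]:    # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in _RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # An address of the other IP version never matches the network.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                       # unsupported mechanism in this toy
        if matched:
            return _RESULT[qualifier]
    return "neutral"                       # nothing matched, no 'all' present


def verify_sender(dns, mail_from_domain, client_ip):
    """Outcome for one delivery as a (result, accept) pair.

    Constructed policy: accept only on 'pass'; everything else is rejected.
    """
    result = spf_check(dns, mail_from_domain, client_ip)
    return result, result == "pass"


if __name__ == "__main__":
    legit = "192.0.2.10"       # a genuine example.com MTA (constructed)
    forger = "198.51.100.7"    # the attacker's MTA (constructed)
    print("honest DNS, legit MTA :", verify_sender(HONEST_DNS, "example.com", legit))
    print("honest DNS, forger    :", verify_sender(HONEST_DNS, "example.com", forger))
    print("spoofed DNS, forger   :", verify_sender(SPOOFED_DNS, "example.com", forger))
```

The point of the third case is that the verifier did everything right; the policy it checked against was simply authored by the adversary, because the check's root of trust is whoever answers the DNS query. An attacker who can only inject SMTP traffic (the insert-only model) is caught by the first policy, which is exactly the class of weak-but-real protection the message argues should not be discarded.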