Re: Available security information section clarification from Mary Ellen Zurko on 2007-04-09 (public-wsc-wg@w3.org from April 2007)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Mon, 9 Apr 2007 11:44:21 -0400
To: "Serge Egelman <egelman" <egelman@cs.cmu.edu>
Cc: public-wsc-wg@w3.org
Message-ID: <OF305678CE.5873C3E7-ON852572B8.0052508F-852572B8.00567706@LocalDomain>

How interesting. This begins to get us into the realm of what I'd call 
secondary security context information. Not the information that's 
available in the protocols and pages whose job is (at least partly) to 
communicate security context, or the information that provides some 
security context that users can understand, but information that is 
manipulated to attack the tools that are trying to create or display 
security context information. 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




Serge Egelman <egelman@cs.cmu.edu> 
Sent by: public-wsc-wg-request@w3.org
04/09/2007 09:44 AM

To
"Close, Tyler J." <tyler.close@hp.com>, public-wsc-wg@w3.org
cc

Subject
Re: Available security information section clarification







There's another attack that has to do with whether the page has finished 
rendering:

A lot of anti-phishing tools won't examine the page until it has 
completed rendering.  This leads to an attack where the phisher can 
include code to force the page to take an infinite time to load, thus 
causing the indicator to fail.  I wrote about this here:
http://lorrie.cranor.org/pubs/toolbars.html

serge

Thomas Roessler wrote:
> On 2007-04-05 00:34:00 -0000, Close, Tyler J. wrote:
> 
>> I've edited the "Available security information" section in
>> accordance with the discussion that generated ACTION-157. In
>> particular, I've added some preamble text describing the
>> structure of the section and broadened the "Provided by HTML"
>> section into "Provided by web content". I've also added an entry
>> to "Provided by user agent" for "Has the page completed
>> rendering?" This last item comes out of the white text on a white
>> background case that results from failing to fetch a stylesheet.
> 
> That's a fascinating attack vector.  But consider what happens if a
> user stylesheet is in place that sets the text color to white,
> globally, and with an "!important" declaration...
> 
> I guess what all this boils down to is the question whether a page
> as rendered to a particular user "looks" the way it was intended.
> And that, in turn, leads us directly here:
> 
>   http://www.w3.org/TR/webarch/#pci
> 
> I wonder if we really want to go down that particular direction of
> discussion...
> 
> Coming back to the "has page complete rendering" piece of context, I
> wonder if there is a security-related motivation for looking at it
> that is different from the issues that you get when content can be
> presented in multiple ways, possibly by way of multiple modalities.
> 
> If there is no such motivation, then I'd respectfully suggest we
> drop it.
> 

-- 
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Monday, 9 April 2007 15:45:06 UTC