Re: ISSUE-38: no safe haven in presentation space (from public comments)

We've discussed some of the issues around scoping of security indicators 
when the information presented is from multiple sources, or has different 
security context. I think it is a problem with the status quo, and is not 
currently reflected in that section.  Given the structure, I propose 
adding an item to 9.4, poor usability of the chrome:

9.4.n One chrome, multiple security contexts

It's no longer "your mother's web", where all user agents are browsers, 
and a single page from a single server is displayed alone, because the 
user took a specific action to GET it. From included content, through 
IFrames, portlets, and asynchronous web calls, parts of what's presented 
may have security context that is different from or lacking from other 
parts. Warning the user tends to be confusing for them, or ignored. 

New security information is out of scope, so the suggestions on new 
interactional protocols to request signed content are out of scope. 

The Best practices for other media goal is meant to be clear that we 
recognize the fact that user behavior is a result of all interactions. 
Ignoring that would create recommendations that cannot be realistically, 
successfully and securely deployed. I propose we add the word realistic 
to that goal, producing:

The Working Group will provide realistic best practice guidelines for
   other media to follow so as not to undermine the presentation of
   security information on the web.


          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect


Web Security Context Issue Tracker <dean+cgi@w3.org>
Sent by: public-wsc-wg-request@w3.org
04/15/2007 10:50 AM
Please respond to: Web Security Context WG <public-wsc-wg@w3.org>
To: public-wsc-wg@w3.org
cc:
Subject: ISSUE-38: no safe haven in presentation space (from public comments)

ISSUE-38: no safe haven in presentation space (from public comments)

http://www.w3.org/2006/WSC/Group/track/issues/38

Raised by: Bill Doyle
On product: Note: use cases etc.

From public comments
raised by: Al Gilman Alfred.S.Gilman@ieee.org

http://lists.w3.org/Archives/Public/public-usable-authentication/2007Apr/0000.html

no safe haven in presentation space
where it says, in 2.5 Reliable presentation of security information
   The Working Group will recommend presentation techniques that
   mitigate deceptive imitation, or hiding, of the user agent's
   presentation of security information.
where it says, in 2.7 Best practices for other media
   The Working Group will provide best practice guidelines for
   other media to follow so as not to undermine the presentation of
   security information on the web.
please consider
This part of the strategy seems particularly weak.  Techniques to 
ascertain the actual presentation of [e.g. DOM objects] are sought by the 
WAI.  Techniques to query the delivery context are under development by 
the Device Independence [now Ubiquitous Web Applications] Working Group.  
You should think of querying the delivery context for evidence of 
spoofing 'security indicating' presentation as one of the tools in your 
deployment strategy.  Likewise, making it easy for the user to exercise a 
faint twitch of skepticism with what seems to them a lightweight gesture, 
but raises the sensitivity of security-information-filtering -- that is a 
closed-loop, mixed-initiative way to move the performance curve of 
security failures vs. user nuisance.  Also, you should consider 
introducing practices which are not widely used now but are up and 
running and working in practice.  What if the user gets a page with some 
protected content and some that was transmitted in unprotected HTTP?  The 
user doesn't know what in the page is of what category.  Suppose at this 
point they could by a flick of the hotkey send the challenge "can you 
send me that offer in a signed document?"  This relies on PKI that is 
somewhere in the SSL stack, and the server won't have to bear the burden 
all the time.  When a user is at all concerned, the ethical merchant 
could want to invest the extra cycles for the cryptography.  In other 
words, readily achievable changes in technology deployment should not be 
altogether off the table.
Why? 
It seems unlikely that you can limit yourselves to currently widely 
adopted technology and not find that any presentation-property syndrome 
that you select (whether of placement, coloration or language) is 
vulnerable to highly effective spoofing attacks.  Likewise the appeal to 
other media to stay out of your protected zone is not likely to be 
successful unless a duly constituted panel representing all stakeholders 
decides the allocated reserved presentations.

Received on Wednesday, 18 April 2007 14:03:53 UTC