- From: Yngve Nysaeter Pettersen <yngve@opera.com>
- Date: Wed, 25 Apr 2007 16:02:06 +0200
- To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
On Wed, 25 Apr 2007 15:19:53 +0200, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:

> Hi Yngve,
>
>> Criteria currently used by clients (clients may use a selection)
>>
>> - Symmetric encryption strength used by the connection
>> - Strength of authentication used by server (such as public key length
>>   and certificate chain)
>> - Security of the protocol
>> - Sequence of redirects used to get to the document
>> - The security of documents loaded as part of the document
>> - The security of resources loaded by external software (plugins, Java)
>>   through the client
>
> How does this last item work in current security display criteria? What's
> taken into consideration?

Opera takes the security level of all requests into consideration, so that if a Flash applet with a https URL (for example the beatport.com case) includes an image from an unsecure server the entire document view no longer shows the padlock. We also give a warning about POSTing from such applets to an unsecure server.

I have an impression that at least some other clients do not implement either of these checks, which is probably why we get reports like the ones about beatport.

>> Criteria some think should be included
>>
>> - Information about the service's reputation
>> - Previously registered information about the server
>> - Is the document using content from third party services?
>
> How would that last one get taken into account? What data is available on
> that today? Or is that a pure futures statement?

The third-party criteria suggestion came up during the discussion. I think the general idea is that a good secure service should not need to include elements from another website, in particular one operated by another organization.

It is, however, a very difficult one to implement, at least based on domain name checks, a problem I am working on with respect to cookies.

See <URL: http://my.opera.com/yngve/blog/show.dml/267415 > and <URL: http://my.opera.com/yngve/blog/2006/10/23/updated-internet-drafts-about-http-cooki > for more about that.

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

Received on Wednesday, 25 April 2007 14:06:18 UTC
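
The two checks described in the message above (the padlock reflects the weakest request made on behalf of the document, plugin-initiated ones included, and a POST from a plugin to an insecure server raises a warning), sketched as an added example that is not Opera's code and not part of the original message. The request record shape, the level names, the function names and the sample hosts are all assumptions.

```javascript
// Added illustration; not Opera's implementation. The request record shape
// ({url, method, initiator}) and every name here are hypothetical.
const LEVEL = { INSECURE: 0, SECURE: 1 };

// Classify one request by URL scheme only. A real client would also weigh
// cipher strength, certificate chain and protocol version, as the criteria
// list quoted in the message notes.
function requestLevel(req) {
  let scheme;
  try {
    scheme = new URL(req.url).protocol;
  } catch {
    return LEVEL.INSECURE; // unparseable URL: fail closed
  }
  return scheme === "https:" ? LEVEL.SECURE : LEVEL.INSECURE;
}

// The displayed state is the minimum over the main document and every
// request made on its behalf, whether issued by the page or by a plugin.
function evaluateDocument(documentUrl, requests) {
  const result = { padlock: true, downgradedBy: [], warnings: [] };
  if (requestLevel({ url: documentUrl }) !== LEVEL.SECURE) {
    result.padlock = false;
    result.downgradedBy.push(documentUrl);
  }
  for (const req of requests) {
    if (requestLevel(req) === LEVEL.SECURE) continue;
    result.padlock = false;
    result.downgradedBy.push(req.url);
    // Second check: a plugin POSTing to an insecure server gets a warning.
    const method = (req.method || "GET").toUpperCase();
    if (req.initiator === "plugin" && method === "POST") {
      result.warnings.push(`plugin POST to insecure server: ${req.url}`);
    }
  }
  return result;
}

// Constructed sample: a secure page embedding a secure applet that then
// loads an image and submits a form over plain http.
const sampleRequests = [
  { url: "https://shop.example/player.swf", method: "GET", initiator: "page" },
  { url: "http://cdn.example/cover.jpg", method: "GET", initiator: "plugin" },
  { url: "http://shop.example/submit", method: "POST", initiator: "plugin" },
];
console.log(evaluateDocument("https://shop.example/", sampleRequests));
```

A client that only inspects the top-level document URL would keep the padlock for this sample, which matches the kind of report the message attributes to other clients.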