Security Considerations (Re: Current state of editor's draft / IdentitySignal)

http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#security-considerations

On 2007-08-24 14:00:49 -0400, Mary Ellen Zurko wrote:

> "except for the absence of a possibly positive indicator "

> That was not at all my reading, and everything we know says that's a 
> terrible idea. I had read the following lines as requiring some sort of 
> indicator at all times in primary UI if any indicator was ever shown in 
> primary UI: 

> "User interactions to access this identity signal MUST be consistent 
> across all Web interactions, including interactions during which the Web 
> user agent has no trustworthy information about the [[ identity ]] of the 
> Web site that a user interacts with. In this case, user agents SHOULD 
> indicate that no information is available. "

It's (mostly) my bad wording in the security considerations section.

Yet, the only protection the current approach leaves in place during
the first interaction with a TLS site is indeed the user noticing
that the identity signal looks fishy -- as there is not enough
information to trigger a change of security level at this point, and
an active attacker could show a self-signed certificate.

That might be slightly worse than the current approach that would
show an idiot box.

For subsequent interactions, we're better than the current approach,
since the attacker, if he hasn't broken the initial interaction,
would indeed cause a hard stop.


To mitigate the attack surface during the first interaction, there
might be ways to transmit the information that a certain site really
thinks it has a good certificate out of band -- e.g., through DNS,
leveraging DNSSEC, or perhaps through some centralized information
service.  The current spec language leaves the door open for that;
"change of security level" is deliberately phrased to be a
non-exhaustive list of circumstances.

Ozment, Schechter and Dhamija had a proposal like that at the 2006
workshop which, while (IMHO) out of scope for this Working Group,
would complement the current approach in an interesting way (and
might be worth taking up elsewhere):

  http://www.w3.org/2005/Security/usability-ws/papers/24-ozment-dont-rely

Cheers,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Saturday, 25 August 2007 10:53:39 UTC
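The two-phase behaviour the message describes (no stored information during the first interaction with a TLS site, so an attacker's self-signed certificate is merely shown; a hard stop once a remembered security level drops on a later interaction) is easier to see in a small state machine. The following Python sketch is an added example, not W3C code and not part of the editor's draft; the `Level` names, the signal strings, the `Agent` class and its in-memory `history` store are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import NamedTuple


class Level(IntEnum):
    """Security level the user agent can establish for one interaction.
    The ordering matters: a drop from a higher to a lower level is the
    'change of security level' that triggers a hard stop."""
    NONE = 0         # plain HTTP, or no trustworthy identity information
    SELF_SIGNED = 1  # TLS, but the certificate does not chain to a trust root
    VALIDATED = 2    # TLS with a certificate that chains to a trusted root


# Constructed identity-signal text for primary UI; the NONE entry is the
# "no information is available" indication the quoted draft text asks for.
SIGNAL = {
    Level.NONE: "No identity information available",
    Level.SELF_SIGNED: "Identity unverified (self-signed certificate)",
    Level.VALIDATED: "Identity verified",
}


class Outcome(NamedTuple):
    signal: str      # text the identity signal shows in primary UI
    hard_stop: bool  # True when the agent blocks the interaction


@dataclass
class Agent:
    # Best level previously observed per origin (constructed in-memory store).
    history: dict = field(default_factory=dict)

    def interact(self, origin: str, level: Level) -> Outcome:
        prev = self.history.get(origin)
        if prev is None:
            # First interaction: nothing to compare against, so no hard stop
            # is possible. Whatever the peer presents, including an active
            # attacker's self-signed certificate, is recorded, and the only
            # defence left is the user noticing an odd-looking signal.
            self.history[origin] = level
            return Outcome(SIGNAL[level], False)
        if level < prev:
            # Downgrade relative to what was seen before: hard stop. The
            # remembered level is left untouched so one weak interaction
            # cannot "reset" the origin back to an unknown state.
            return Outcome(
                f"Security level dropped: {SIGNAL[prev]} -> {SIGNAL[level]}",
                True,
            )
        # Same level, or a genuine upgrade: remember the best level seen.
        self.history[origin] = level
        return Outcome(SIGNAL[level], False)


def demo() -> list:
    """Walk one origin through the sequence discussed in the message."""
    agent = Agent()
    return [
        agent.interact("bank.example", Level.SELF_SIGNED),  # first visit: shown, not blocked
        agent.interact("bank.example", Level.VALIDATED),    # later: real certificate seen
        agent.interact("bank.example", Level.SELF_SIGNED),  # later again: hard stop
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(f"hard_stop={outcome.hard_stop!s:5}  {outcome.signal}")
```

Run as a script it prints the three outcomes; the first line is the gap the message points at (the self-signed certificate on a first visit produces only a signal, never a stop), and the third line is the subsequent-interaction protection. An out-of-band hint of the kind mentioned for DNS or DNSSEC would slot in as a pre-seeded `history` entry, which is exactly what turns the first interaction from "signal only" into "hard stop".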