- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Mon, 3 Dec 2007 22:59:49 -0500
- To: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
Hey Folks, My FPWD review comments below. I hope to translate these into actions/ issues soon, but I figured that since I had notes, I might as well send them out before Mail.app decides to eat them, or something. If Mez or Thomas wants to give me an action to transcribe them into issues, I'll gladly take it, otherwise I'll aim to get to them this week. I'll also blog about the FPWD somewhere that is syndicated by the Mozilla community, to solicit any feedback the community wants to offer. Cheers, J Review notes by section: §4.2.2 - s/or by exploiting/by exploiting/ §5.2 - I'm not sure why we think this is appropriate work for us to do, versus leaving to groups more directly focused on cryptography. At very least, it doesn't seem normative, and doesn't contain obviously prescriptive text. §5.3.1 - We are supplying normative language for no-interaction certs which, aiui, are still purely conceptual. That feels like defining new protocols to me, particularly since the definition cites a non- existent reference at the moment. If this is out there in the world and deployed, then I think our language is fine, but I don't think we want to be in the business of defining x509 extensions. §5.5.2 - Should we make an explicit exception for the paypal case here, where typing "paypal.com<enter>" into a location bar causes an immediate redirect to https://www.paypal.com? Treating that as "insecure" feels wrong to me, even though as a matter of general principle, redirecting through http is indeed dangerous. §5.5.3 - As I understand it, this creates an inescapable obligation on user agents to store certificate history. Aside from the challenge that no major browser currently does this (as far as I know), this creates privacy and implementation concerns around data retention. We don't say how long this information must be kept, but we say the browser MUST treat it as a change of security level, which does not seem to leave open the possibility of not storing it. §6.3 - I continue to feel that this isn't a recommendation we should make. It would be interesting fodder for browser extension developers, but even then, our shared bookmarks contain specific research around security scoring in primary UI and have found it to be non-helpful in preventing attack. If the intent of this recommendation is not to prevent attack, then we should be clear about what the intent *is* because I don't think it provides helpful context on its own outside of attack resistance. §7 - This section should use the language seen elsewhere regarding examples, i.e. "This section is normative. Examples are informational." §7.1 - I'm still not sure why we need to specify a matching algorithm here. If a given cert is valid for the site by the rules of TLS in general (and possibly our KCM provisions in particular,) then I think it ought to have access to the PII data regardless. Inventing our own matching rules seems like the wrong approach, and lets us reinvent holes that other protocols have patched (e.g. by my reading, an attacker that obtained a DV cert from a CA that doesn't verify anything except domain control could pass rule 4 by specifying arbitrary content for the Subject field, assuming the legitimate site used the same CA.) Even if none of us can think of plausible attacks, that's still no match for just falling back on matching protocols with longer lifetimes and broader deployment. §7.2 - I don't think the fact that it often happens to work is good justification for MUST language requiring user agents to tinker with the URL to swap from http to https. At most, that seems like MAY, but I would honestly just remove it - the way to find the secure login page is to have the site direct the user there. Swapping to HTTPS could quite plausibly, for instance, render the same insecure page which would then submit insecurely. This appears to be Issue-123. §7.8 - It's not clear to me what the requirement is on the user agent with the text "remains forever the same." One assumes that new installs don't need to preserve this, and also (for browsers that manage things in such ways) not new profiles - what about browser versions? If the rest of the chrome is updated, does altering the UI here render UAs non-conformant? §7.9 - The last SHOULD line here assumes the existence of an alert service which we don't talk about elsewhere. I think we should just drop it, and let the implementers of such a service anticipate the hook into formfiller, rather than the other way around. Overall, my concern with §7 is that I think it will not see a lot of implementation, that browsers will not willingly turn off their form- fillers, which are generally a positive usability-wise, in favour of a more-secure but deliberately less helpful approach. I don't mean that pejoratively, it's deliberate that, for instance, it won't "help" you supply your credit card number to an http form, but nevertheless I suspect it's not a trade-off browsers are likely to make, which could sink conformance rates. §8.1.1 - While I understand the motivation, I would be surprised if many user agents would perform the required user study strictly for the purposes of conformance. §8.1.2, §8.1.3 - I have sent recommendations for alternate text to the group as part of ACTION-346. --- Johnathan Nightingale Human Shield johnath@mozilla.com
Received on Tuesday, 4 December 2007 04:00:10 UTC