Re: Page Security Score proposal from Thomas Roessler on 2007-07-06 (public-wsc-wg@w3.org from July 2007)

From: Thomas Roessler <tlr@w3.org>
Date: Sat, 7 Jul 2007 00:35:14 +0200
To: michael.mccormick@wellsfargo.com
Cc: johnath@mozilla.com, public-wsc-wg@w3.org, Mary_Ellen_Zurko@notesdev.ibm.com
Message-ID: <20070706223514.GN6561@raktajino.does-not-exist.org>

On 2007-07-06 17:19:12 -0500, michael.mccormick@wellsfargo.com wrote:

> You raise good questions about a couple specific aspects of the
> sample page scoring formula I offered, but please keep in mind it
> was offered as an example.  It definitely needs thorough risk
> analysis, testing, and refinement.  I would not oppose removing
> the local host file element, for example, although it's something
> we should discuss first as a group.

My point wasn't about the specific aspects -- I meant these as
examples of a more generic issue, namely, that such a scoring
mechanism will ideally be whatever is best suited to recognize
attacks.

There is of course a part to that formula which is based on factors
that cannot be triggered by the attacker (assuming, e.g., that an
attacker can't produce an EV certificate with chosen information,
seems safe).

There is, however, another part that relies on information that can
(and will) be tuned by the attacker.  This part will need to be
adapted as attacks evolve -- or might even turn out to be useless in
the end of the day, or best used through an interactive service.

> That said, I do feel WSC should offer a specific formula (while
> opening the door wide to innovation from others) so I would
> oppose "punting". There should be an industry standard default
> scoring formula.  The formula is the missing link between our
> detailed page security info and our primary SCI.

Leaving the concerns as to whether or not these kinds of advanced
heuristics are actually in our scope aside for the moent, I'd say
that the "tuned by the attacker" inputs better shouldn't show up in
that formula.  I'd suspect that it would then turn into a set of
basic profiles of using existing security technology that lead to
certain user communication.

EV certificates and letterheads are actually examples of that
approach.

I wonder if a security score really has much to add over these kinds
of approaches when you leave out the possibly attacker-chosen
inputs...

Cheers,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Friday, 6 July 2007 22:35:55 UTC