- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 22 Jun 2007 21:49:15 +0200
- To: "Doyle, Bill" <wdoyle@mitre.org>
- Cc: Dan Schutzer <dan.schutzer@fstc.org>, Mike Beltzner <beltzner@mozilla.com>, Rachna Dhamija <rachna.w3c@gmail.com>, public-wsc-wg@w3.org
redirecting again. Please make sure you copy public-wsc-wg@w3.org. DO NOT copy public-wsc-wg-request@w3.org. Thanks all, -- Thomas Roessler, W3C <tlr@w3.org> On 2007-06-22 19:47:16 +0000, Doyle, Bill wrote: > From: "Doyle, Bill" <wdoyle@mitre.org> > To: Dan Schutzer <dan.schutzer@fstc.org>, > Mike Beltzner <beltzner@mozilla.com>, > Rachna Dhamija <rachna.w3c@gmail.com> > Cc: public-wsc-wg-request@w3.org > Date: Fri, 22 Jun 2007 19:47:16 +0000 > Subject: RE: iframe tag attack > X-Spam-Level: > Old-Date: Fri, 22 Jun 2007 15:47:08 -0400 > X-Diagnostic: Already on the subscriber list > X-Diagnostic: 38 wdoyle@mitre.org 32760 wdoyle@mitre.org > X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.1.5 > > Understand current environment and that OS, network is out and > compromise of user agent is out for normal tasks. > > I would like to see additional user agent checks and controls when a > user agent task is declared "safe" given that user agents operate in a > less than secure environment. > > Stated as safe, user expects safe. > > B > > > > > > ________________________________ > > From: Dan Schutzer [mailto:dan.schutzer@fstc.org] > Sent: Friday, June 22, 2007 3:34 PM > To: Doyle, Bill; 'Mike Beltzner'; 'Rachna Dhamija'; > dan.schutzer@fstc.org > Cc: public-wsc-wg-request@w3.org > Subject: RE: iframe tag attack > > > > Per my draft. This is an issue, but keeping a PC clean of bots > and other malware is out-of-scope, although I provided some examples of > things we could do to help defeat this use case. > > > > > ________________________________ > > > From: Doyle, Bill [mailto:wdoyle@mitre.org] > Sent: Wednesday, June 20, 2007 4:10 PM > To: Dan Schutzer; Mike Beltzner; Rachna Dhamija > Cc: public-wsc-wg-request@w3.org > Subject: RE: iframe tag attack > > > > More thoughts. > > > > "However if a user only downloaded from trusted sites when in > safe mode (a big if, probably not realistic), then the scenario would > be defeated" > > > > User goes out, compromises browser, goes into safe mode, thinks > they are secure and gives up the farm. > > > > Looks like it gets back to the expectations that the user agent > is functioning correctly and not compromised. > > > > Does "safe" mode also need a user agent provided by a trusted > source that is restricted to only go to sites that are "trusted" > > > > Bill > > > > > > > > > > > > > > > > > > > ________________________________ > > > From: Dan Schutzer [mailto:dan.schutzer@fstc.org] > Sent: Wednesday, June 20, 2007 9:24 AM > To: Doyle, Bill; 'Mike Beltzner'; 'Rachna Dhamija' > Cc: public-wsc-wg@w3.org > Subject: RE: iframe tag attack > > When in safe mode, this threat scenario should be > defeated. The untrusted site would be rejected; the trusted site would > be audited to ensure there is sufficient security built-in that their > web site is unlikely to be compromised. However, when not in the safe > mode a user would be vulnerable as they can access any site. However if > a user only downloaded from trusted sites when in safe mode (a big if, > probably not realistic), then the scenario would be defeated. > > > > Dan > > > > > ________________________________ > > > From: public-wsc-wg-request@w3.org > [mailto:public-wsc-wg-request@w3.org] On Behalf Of Doyle, Bill > Sent: Wednesday, June 20, 2007 7:15 AM > To: Mike Beltzner; Rachna Dhamija > Cc: public-wsc-wg@w3.org > Subject: RE: iframe tag attack > > > > Thanks -- I pulled out part of your text that I want to > review against the "safe" browsing modes are being discussed > > > > iframe is doing things where a site which is > trusted/identified in one way is loading content form a site that is > not trusted > > > > Bill D. > > > > > > ________________________________ > > > From: Mike Beltzner > [mailto:beltzner@mozilla.com] > Sent: Wednesday, June 20, 2007 1:54 AM > To: Rachna Dhamija > Cc: public-wsc-wg@w3.org; Doyle, Bill > Subject: Re: iframe tag attack > > Using Rachna's unpack (thanks for that!) the > way I see it ... > > 1. is definitely out of scope. > > 2. is strange - the fact that the site is > compromised makes me think this is out of scope, but must any identity > mechanisms that we do accept as in scope protect users from these types > of problems? > > 3. feels in scope to me, especially if the > iframe is doing things where a site which is trusted/identified in one > way is loading content form a site that is not trusted, and then > presenting it as part of the trusted site. I understand that this is a > common practice amongst websites, but we need some mechanisms for > enabling it without enabling this type of compromise as a side effect, > IMO. Also, we need a pony. > > 4. the browser exploits that result in > downloaded and installed malware are in scope, but once infected, the > effects of that malware are totally out of scope. > > imo, fwiw, etc. > > cheers, > mike > ----- Original Message ----- > From: "Rachna Dhamija" <rachna.w3c@gmail.com> > To: "Bill Doyle" <wdoyle@mitre.org> > Cc: public-wsc-wg@w3.org > Sent: Tuesday, June 19, 2007 6:21:18 PM > (GMT-0500) America/New_York > Subject: Re: iframe tag attack > > On 6/19/07, Doyle, Bill <wdoyle@mitre.org> > wrote: > > This enterprising company seems to have > improved productivity. > > > > New Web Exploit at 10,000 Machines and > Growing, Security Company Warns > > > > Seems to be a user agent issue, is this > in or out of scope? > > > If we unpack the attack, this question might be > easier to answer: > 1) Attacker compromises a web server using > malware > > 2) User visits a legitimate, but compromised, > website that includes malicious iframe > 3) iframe causes browser to be redirected to a > site with malicious javascript > 4) malicious javascript detects the browser > type and exploits browser vulnerabilities to download code, which then > downloads other code (keyloggers, proxy, etc...) > > We have ruled 1 out of scope. How about the > rest? > > I am hoping that we can use our list of attacks > (i.e., the threat trees) to come to a better understanding on what is > in and out of scope. > > Rachna > > >
Received on Friday, 22 June 2007 19:49:32 UTC