- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Fri, 29 Jun 2007 13:25:44 -0400
- To: "Doyle, Bill" <wdoyle@mitre.org>
- CC: Rachna Dhamija <rachna.w3c@gmail.com>, public-wsc-wg@w3.org
Well, the common theme here is that the user visits a page that they think is another page. So I think all of these attacks would fall under "site impersonation," that or maybe something like "semantic attacks."

serge

Doyle, Bill wrote:
> Sorry, I read that wrong.
>
> I was concentrating on just getting rid of attacks. I don't see much
> good in luring users to a legitimate site for our purposes. Ideas for
> combined heading?
>
> Thx
> Bill
>
> -----Original Message-----
> From: Serge Egelman [mailto:egelman@cs.cmu.edu]
> Sent: Thursday, June 28, 2007 3:35 PM
> To: Doyle, Bill
> Cc: Rachna Dhamija; public-wsc-wg@w3.org
> Subject: Re: Review of threat trees
>
> Huh? I'm talking about combining these two threat trees. That's
> something that we *are* empowered to fix.
>
> serge
>
> Doyle, Bill wrote:
>> Millions of ways to break user agents and new ones each day.
>> Don't talk about or lose time with items that we are not empowered to
>> fix. Concentrate on the ones we are.
>>
>> Bill
>>
>> -----Original Message-----
>> From: Serge Egelman [mailto:egelman@cs.cmu.edu]
>> Sent: Thursday, June 28, 2007 1:23 PM
>> To: Doyle, Bill
>> Cc: Rachna Dhamija; public-wsc-wg@w3.org
>> Subject: Re: Review of threat trees
>>
>> Maybe this has already been discussed, but from the user's perspective,
>> how do the luring attacks differ from site impersonation? In both cases
>> the user thinks they are going to a trusted site, but end up at a
>> different untrusted site. In terms of recommendations for security
>> indicators, I'm not sure we need to differentiate here.
>>
>> serge
>>
>> Doyle, Bill wrote:
>>> Tyler, started a review - stopped in item 4, will get back to it.
>>>
>>> Seems like we have some issues with threat trees.
>>>
>>> I noted items that I thought had scope issues
>>>
>>> 1. luring attacks
>>>    D. all
>>>    E. all
>>>    F. all
>>>
>>> 2. Site impersonation
>>>    A. ii.
>>>
>>> 4. Cross-site scripting - only interested in how the user agent
>>> responds to certain attacks in this class.
>>>
>>> From text, the pretense of the attack is injection of code into
>>> vulnerable web applications, server side processing is out of scope and
>>> attacking the server is out of scope.
>>>
>>> Thought - Restructure section to note user agent actions and ability to
>>> retain secure posture in the face of Cross-site scripting threats.
>>> Server sends data that does X. Leave out how / why this occurs, it just
>>> does.
>>>
>>> B
>>>
>>> ------------------------------------------------------------------------
>>> *From:* public-wsc-wg-request@w3.org
>>> [mailto:public-wsc-wg-request@w3.org] *On Behalf Of *Doyle, Bill
>>> *Sent:* Wednesday, June 27, 2007 6:46 AM
>>> *To:* Rachna Dhamija
>>> *Cc:* public-wsc-wg@w3.org
>>> *Subject:* RE: Public comments on threat trees
>>>
>>> Thanks - was wondering what was up.
>>>
>>> Will take a look at it. Usually the MITRE infosec group does not
>>> hold back much, depends on who gets a hold of it.
>>>
>>> Bill
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rachna Dhamija [mailto:rachna.w3c@gmail.com]
>>> *Sent:* Tuesday, June 26, 2007 8:52 PM
>>> *To:* Doyle, Bill
>>> *Cc:* public-wsc-wg@w3.org
>>> *Subject:* Re: Public comments on threat trees
>>>
>>> Bill,
>>>
>>> There is currently no "owner" (Stuart S is transitioning jobs,
>>> and I don't know if he is still participating in the
>>> workgroup). I've been adding attacks as I think of them and
>>> have flattened it out to be more of an outline, rather than a
>>> "tree". We still need to add links to examples and to identify
>>> which branches are in and out of scope.
>>>
>>> I'm not sure that we'll ever be "done" with adding new attacks,
>>> so this is as good a time as any to get comments and find things we
>>> have missed. Perhaps you and Stephen F might like to make one
>>> pass through it first.
>>>
>>> http://www.w3.org/2006/WSC/wiki/ThreatTrees
>>>
>>> Rachna
>>>
>>> On 6/25/07, *Doyle, Bill* <wdoyle@mitre.org <mailto:wdoyle@mitre.org>> wrote:
>>>
>>>     Are threat trees ready for public comments? If so I will
>>>     send the wiki link out to MITRE infosec list.
>>>
>>>     If threat tree owner can respond and provide any intro and
>>>     link it would be appreciated.
>>>
>>>     Regards
>>>     Bill Doyle
>>>     wdoyle@mitre.org <mailto:wdoyle@mitre.org>
>>>

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs,
Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Friday, 29 June 2007 17:26:14 UTC