- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 28 Mar 2007 19:23:33 +0200
- To: WSC WG <public-wsc-wg@w3.org>
Minutes from last week's meeting were approved today.
Online version:
http://www.w3.org/2007/03/20-wsc-minutes
Text version below.
--
Thomas Roessler, W3C <tlr@w3.org>
WSC WG weekly
20 Mar 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
Thomas Roessler
Mary Ellen Zurko
Tyler Close
Hal Lockhart
Maritza Johnson
Bill Doyle
Stuart Schechter
Johnathan Nightingale
Mike Beltzner
Rachna Dhamija
Praveen Alavilli
Paul Hill
Tim Hahn
Serge Egelman
Regrets
Pascal Manzano
Shawn Duffy
Chair
MEZ
Scribe
Maritza
Contents
* [4]Topics
1. [5]Last Meeting's Minutes
2. [6]Threat Trees
* [7]Summary of Action Items
_________________________________________________________________
Last meeting's minutes
[8]Draft minutes
mez: minutes approved
... looking at newly closed action items
tlr: What about the one about additional references from rachna,
ACTION-108?
rachna: they're in the Wiki
<ses> Stuart would find it helpful if the public action items pages linked
to the login page for the version that you can edit.
<Chuck> Must be too many UIs competing for our attention.
<tlr> ACTION: thomas to put documentation about action item editing
interface on group page [recorded in
[9]http://www.w3.org/2007/03/20-wsc-minutes.html#action02]
<trackbot> Created ACTION-159 - Put documentation about action item editing
interface on group page [on Thomas Roessler - due 2007-03-27].
mez: before we transition to content part of our discussion with stuart,
let's talk about editing of the note usecases
... it would be useful if we had some redundancy for usecases editors
... is someone willing to be second editor?
mez: ok, I'll put it out in email
Threat Trees
<Mez_> [10]http://www.w3.org/2006/WSC/wiki/ThreatTrees
<Mez_>
[11]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0075.html
<Mez_>
[12]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0092.html
mez: ok, now stuart will lead the discussion on threat trees
<ses> [13]http://www.w3.org/2006/WSC/wiki/ThreatTrees
ses: i haven't seen any comments on this, I've seen one change in email,
does anyone need time to look this over?
... can i ask if anyone thinks there's something missing, or if there's
anything that we need to go deeper with
mez: it would be useful to me, if you would give a level set of what you
think the threat tree gives us
... a comprehensive set of threats we'll address?
ses: a set of threats so we can better discuss what's in scope and out of
scope
tlr: i also think it would be important to use this to derive questions
about what context information is useful in what use case
... i think that's the second aspect other than scope
johnathan: If we come up with a great set of UI indicators but we miss
entire branches of the tree, we can't count ourselves as successful.
mez: i agree if we cover all the branches in our charter
<Chuck> What about proxies and MitM attacks? These represent threats that
may not be obvious from this threat tree.
ses: ideally we would have done this before the charter, so we would have
known what we were trying to address
<Tyler> I think we need a way to document in the threat tree itself which
branches are out of scope
<Mez_> I agree Tyler; that's a good point
ses: we need to make sure what we're addressing will make dents in certain
types of problems
<Mez_> ack hal
hal: it appears to me that there is duplication between III and IB
... one B and three
... is the difference interfering with communication instead of
intercepting?
tlr: i read IB as an active attack
ses: that's what was intended
hal: is that really site impersonation?
... I has the potential goals of the attacker, i think that might be useful
elsewhere
<Chuck> What about threats that represent compromises to privacy, but not
necessarily direct intervention in a Web dialog? For example, theft of
cookies, traffic analysis, or tracking of user's surfing.
<jvkrey> Shouldn't each "goal" have its own attack (threat) tree?
<Tyler> Does the threat tree really mean hostname or URL where it uses
"address"?
<Mez_> Chuck, can you edit the wiki page and put those in?
ses: there's a limit to how you can describe info in wiki, and bullets were
the only thing i could find to show this, we needed meta-information for
branches in the tree
so bullets are meta-information for the branches?
ses: yeah
hal: i'd like to see more of them, not less. I assume the goals under I
cover both the A and B case
... it's important to keep in mind what the attacker is actually trying to
get at
<Chuck> I try to be careful about editing other people's work until I
understand the scope and context fully.
<johnath> agree with hal's last point
hal: you'll see it at the bottom of the page if you refresh
tyler: still going through and looking at in/out of scope, we don't have
anything in the out of scope section on cross-site scripting, but it's not
clear to me it should be in-scope
... what do people think?
mez: i thought we agreed sandboxing didn't include security context info
hal: i suggested if you had different frames for different sites, that might
be a case when you'd want to represent things differently
<ses> Stuart is at a loss for how representing security context information
can help with cross-site scripting. Not that he thinks it's a problem not
worthy of attention.
tyler: i don't think you can do a cross-site scripting attack just in frames
... i think you need a code based injection into the page being served on
the site
tlr: plus 1 to tyler, xss means there is a change in control and out of
scope, i'd rather stick with the other stuff here
tyler: i think we should add another item to section 5 in the note
hal: so for the tree, it makes sense not to delete out of scope branches,
but to not expand them and mark them in some way
<tlr> ACTION: tyler to put out-of-scope text on cross-site-scripting into
Note [recorded in
[14]http://www.w3.org/2007/03/20-wsc-minutes.html#action03]
<trackbot> Created ACTION-160 - Put out-of-scope text on
cross-site-scripting into Note [on Tyler Close - due 2007-03-27].
<ses> Agreed with statement regarding keeping branches but not expanding
them.
johnath: i might be revisiting something, xss is largely traceable to a
website not being careful, but i'm wary of this being marked out of scope
<ses> <---changing his mind.
johnath: seems like the user agent knows some stuff it could be
communicating to the user
<ses> <---now wondering if we can know whether any of XSS is out of scope
until we expand the tree.
<Chuck> Perhaps the relevant question regarding XSS is: "Could the user's
agent operate in a mode that would prevent the XSS attack?"
johnath: i'm doing this because i want to steal information, exploit a
cookie, take information and transfer it to myself, the user agent has to go
and make the connection to the rogue site, pages are always cross linking,
if this discussion already happened, i'm surprised, but it should be relevant
to how the user makes the decision should be in scope?
mez: is there a concrete example of the context info we might consider to be
in scope?
tlr: we need to distinguish, one if a website linking to a strange place
that may not be what the user thinks it will be, this is in the use cases,
where is this form being submitted to? Does this image come from the russian
mafia or the real guy, what should the user be told about the origin of the
content?
... xss is where the attacker gets questionable content into the legit site
... code injections are out of scope, but dealing with information being
sent by form should be in scope
tyler: comments similar to tlr
... i'm worried that it's not easy for the browser to tell that the content
is injected and not what the provider meant to provide. I think looking at
the url is easy to talk about, but if you were writing code to do this,
would it still be as easy to implement?
johnath: it doesn't have to be just submitting a form to where the user is
expecting, if i can inject a script i can do things without the user taking
an action
... it seems like the kind of content info that is in scope, would be having
something to alert us to when information is sent to someone other than the
original site
<johnath> tlr - I think you're right
bill-d: is this content coming from a poorly regarded source, and we could
report that to the user
<ses> <-- still doesn't know what a user agent or reputation service is --
see [15]http://www.w3.org/2006/WSC/wiki/Glossary
<Mez_> I believe "web user agent" is in fact in our charter.
<Mez_> that doesn't mean it's defined there; that does imply it's thought to
be understood by the sort of people who read w3c charters
chuck: we're having a problem with thinking the browser is the universal
user agent, but we should keep in mind browsers that have a mode with
tighter settings, we should consider a browser being in a mode that might be
legit in other contexts, but in the current context it's not considered safe
or appropriate, this might block XSS or other potential problems
<Zakim> Thomas, you wanted to note that we're solving the halting problem
chuck: it's all relevant to the usability context we're addressing in our
working group
<ses> ACTION: zurko to copy definition of web user agent to glossary
[recorded in [16]http://www.w3.org/2007/03/20-wsc-minutes.html#action04]
<trackbot> Created ACTION-165 - Copy definition of web user agent to
glossary [on Mary Ellen Zurko - due 2007-03-27]
tlr: for the moment we are talking more generally about a browser agent
<Chuck> I am working on AI 150. It's a tricky problem to express in a useful
way.
tlr: i think in terms of scoping, we are having agreement on the basic
points, so i think we should move back to the threat trees
tlr: it might be useful to not try to classify user agents, other groups
have tried and failed
<tlr> ACTION: thomas to send note to chuck on prior art re ACTION-150
[recorded in [17]http://www.w3.org/2007/03/20-wsc-minutes.html#action05]
<trackbot> Created ACTION-161 - Send note to chuck on prior art re
ACTION-150 [on Thomas Roessler - due 2007-03-27].
<Chuck> And worth more than other pennies I've gotten :-)
ses: the people who have come up with objections, i'm still looking for
proposed changes
... if there aren't any, we can talk about how we plan to use this
... i'm not sure if i'm the right person to discuss how this will integrate
with the rest of the document
... anyone else that wants to propose where we'll go to it
<Mez_> hal standing on the shoulders of giants
hal: at a minimum if we have a list of things that we should propose
browsers ought to do, then we can say we have branches of the tree covered
and we can check for holes
... or we can use it to look at and say, If I knew X then I could prevent
this branch
ses: anyone object to having recommendations that address branches of the
tree
beltzner: should be based on the user goals, not on what the attacks are
beltzner: where are we taking into account the user task, it should be the
browser who tells that people are at the right place
<ses> (do we want to take a moment to look at the "use case dimensions" wiki
page?
<Mez_> ses, put in url; I don't know what you're saying
<ses> [18]http://www.w3.org/2006/WSC/wiki/Use_Case_Dimensions
ses: are we getting to a halting problem, asking the browser to make the
call of user intent and where they think they should be
johnath: i agree our recommendations should be driven by the user
expectations, the threat tree isn't that, but complements it, the tree makes
sense as a sanity check to say what the potential attacks are, because we're
not thinking of ways to attack the system. So the threat tree should be the
attacker's model, not the user's model. Using the tree as a check.
tyler: having the browser make a decision about where the user thinks they
are doesn't need to be as scary a problem as people are making it, for
example if you're typing in a password, then the browser just needs to know
the user is about to send something sensitive to a remote site
hal: i agree it's annoying when a browser tells you you're about to send
sensitive info when all you did was click
chuck: i also think we need to come back to the mutual aspect of this, it's
the user and the website
... what are the constraints that the site should have, how can the site
stipulate that the user's agent should be in a restricted mode
<Mez_> I think Chuck's statement implies new protocols, which are out of
charter
chuck: a mechanism like this that would tell the user that they're in this
mode would help, we need to look at it from both the user and browser point
of view
<beltzner> mez_, not necessarily ... a simple tag is all that's needed, no
need to go through any protocol or standards group, just start telling
people that it'll work and start supporting it and then let the standard
emerge
<Mez_> where is the sensitive field markup going on?
<ses> <---agrees with Chuck---but doesn't think it goes in HTML
<Chuck> But how does that new mode get communicated to the user???
tlr: getting back to tyler's question, i think there is a point around
getting mark-up for sensitive form fields or something, it's in scope for
what's going on elsewhere and we're free to suggest recommendations in that
direction
... i'm encouraging people to write up these proposals as recommendations
for what the browser should implement
tyler: tlr has the right approach, let's clarify, i don't think this info is
something we can get from html, we can't trust the site to say this is or
isn't a sensitive field
<ses> (I'm pretty sure users can be convinced not to activate the bit.)
<Chuck> I agree with Tyler's comment. This is a problem that can only be
addressed by working both ends simultaneously.
<Mez_> give tyler an action. The worst he can do is ignore it :-)
bill-d: we also have that the server could raise the bar and the user could
say these are the sites that i want to be secure. there could be a type of
exchange to raise the level of security within a session
mez: do we have a number of proposals that merit follow-up?
<Chuck> Rather than comparing this to the "halting problem" (which it's
not), this is closer to one of the various "voting problems."
<tlr> ACTION: tyler to draft "sensitive piece of information" proposal
[recorded in [19]http://www.w3.org/2007/03/20-wsc-minutes.html#action06]
<trackbot> Created ACTION-162 - Draft "sensitive piece of information"
proposal [on Tyler Close - due 2007-03-27].
rachna: i've been testing does the user think they're sending sensitive
info, and does the user know where they are
<tlr> ACTION: rdhamija2 to draft "where am I" outline due 2007-03-28
[recorded in [20]http://www.w3.org/2007/03/20-wsc-minutes.html#action08]
<trackbot> Created ACTION-163 - to draft "where am I" outline due
2007-03-28 [on Rachna Dhamija - due 2007-03-27].
rachna: we're doing some early prototyping
tyler: could you tell us more about the second one
rachna: we don't know that yet
mez: what are the next steps with the threat trees
ses: i'd like a volunteer who understands xss well to expand the branch
... if we expand it we might find something that's in scope
johnath: i can take an action to add some detail for discussion
ses: my guess is that expanding this branch will show there are a bunch of
attacks that fall into the xss category, you might end up with things that
look like major branches that are under II
<tlr> ACTION: johnathan to elaborate cross-site-scripting branch of threat
tree with view toward user understandable context information - due next
2007-03-28 [recorded in
[21]http://www.w3.org/2007/03/20-wsc-minutes.html#action09]
<trackbot> Created ACTION-164 - elaborate cross-site-scripting branch of
threat tree with view toward user understandable context information [on
Johnathan Nightingale - due 2007-03-28].
ses: i'd also like to make a proposal that we have a reward for someone who
finds holes in the threat tree
mez: tell me how to judge that one
tyler: for building the xss branch, if we come up with html additions, can
we pass them off to the other working group
tlr: sure
hal: is there another group for forms and security
tlr: that group did not happen, but the charter got dropped into the forms
group short description from that charter, which is now with the html group,
but they need technical input - possibly from our members
mez: stuart, any quick wrap-ups
... all members are presumed to have read the use-case notes
... everyone should have comments by april 4th, even if it's just i read it
and i don't have comments
tlr: if the threat tree is stable should we drop it into a draft of the
note?
... if we don't touch this for a few weeks we should add it
mez: reminder for the new meeting time and date
... wednesday march 28th at 11 am est
tlr: also we're joining the US in with daylight savings
<beltzner> mez_, I have a process question for you, if you can hang on for a
few minutes after the call
<Mez_> sure
Summary of Action Items
[NEW] ACTION: johnathan to elaborate cross-site-scripting branch of threat
tree with view toward user understandable context information - due next
2007-03-28 [recorded in
[22]http://www.w3.org/2007/03/20-wsc-minutes.html#action09]
[NEW] ACTION: mez to copy definition of web user agent to glossary [recorded
in [23]http://www.w3.org/2007/03/20-wsc-minutes.html#action04]
[NEW] ACTION: rdhamija2 to draft "where am I" outline due 2007-03-28
[recorded in [24]http://www.w3.org/2007/03/20-wsc-minutes.html#action08]
[NEW] ACTION: thomas needs to explain to Stuart how to create action items
so he can DOS people. [recorded in
[25]http://www.w3.org/2007/03/20-wsc-minutes.html#action01]
[NEW] ACTION: thomas to put documentation about action item editing
interface on group page [recorded in
[26]http://www.w3.org/2007/03/20-wsc-minutes.html#action02]
[NEW] ACTION: thomas to send note to chuck on prior art re ACTION-150
[recorded in [27]http://www.w3.org/2007/03/20-wsc-minutes.html#action05]
[NEW] ACTION: tyler to draft "sensitive piece of information" proposal
[recorded in [28]http://www.w3.org/2007/03/20-wsc-minutes.html#action06]
[NEW] ACTION: tyler to put out-of-scope text on cross-site-scripting into
Note [recorded in
[29]http://www.w3.org/2007/03/20-wsc-minutes.html#action03]
[End of minutes]
_________________________________________________________________
Minutes formatted by David Booth's [30]scribe.perl version 1.128 ([31]CVS
log)
$Date: 2007/03/28 17:22:20 $
References
1. http://www.w3.org/
2. http://www.w3.org/mid/OF67AE7B1D.3D99B41A-ON852572A0.0044E978-852572A0.005FDD25@LocalDomain
3. http://www.w3.org/2007/03/20-wsc-irc
4. file://localhost/home/roessler/W3C/WWW/2007/03/20-wsc-minutes.html#agenda
5. file://localhost/home/roessler/W3C/WWW/2007/03/20-wsc-minutes.html#Last
6. file://localhost/home/roessler/W3C/WWW/2007/03/20-wsc-minutes.html#Threat_Trees
7. file://localhost/home/roessler/W3C/WWW/2007/03/20-wsc-minutes.html#ActionSummary
8. http://www.w3.org/2007/03/13-wsc-minutes
9. http://www.w3.org/2007/03/20-wsc-minutes.html#action02
10. http://www.w3.org/2006/WSC/wiki/ThreatTrees
11. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0075.html
12. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0092.html
13. http://www.w3.org/2006/WSC/wiki/ThreatTrees
14. http://www.w3.org/2007/03/20-wsc-minutes.html#action03
15. http://www.w3.org/2006/WSC/wiki/Glossary
16. http://www.w3.org/2007/03/20-wsc-minutes.html#action04
17. http://www.w3.org/2007/03/20-wsc-minutes.html#action05
18. http://www.w3.org/2006/WSC/wiki/Use_Case_Dimensions
19. http://www.w3.org/2007/03/20-wsc-minutes.html#action06
20. http://www.w3.org/2007/03/20-wsc-minutes.html#action08
21. http://www.w3.org/2007/03/20-wsc-minutes.html#action09
22. http://www.w3.org/2007/03/20-wsc-minutes.html#action09
23. http://www.w3.org/2007/03/20-wsc-minutes.html#action04
24. http://www.w3.org/2007/03/20-wsc-minutes.html#action08
25. http://www.w3.org/2007/03/20-wsc-minutes.html#action01
26. http://www.w3.org/2007/03/20-wsc-minutes.html#action02
27. http://www.w3.org/2007/03/20-wsc-minutes.html#action05
28. http://www.w3.org/2007/03/20-wsc-minutes.html#action06
29. http://www.w3.org/2007/03/20-wsc-minutes.html#action03
30. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
31. http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 28 March 2007 17:24:08 UTC