RE: ISSUE-108: Should Safe Browsing mode restrict users to a specific set of sites? [Techniques] from Dan Schutzer on 2007-09-20 (public-wsc-wg@w3.org from September 2007)

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Thu, 20 Sep 2007 06:42:53 -0400
To: "'Johnathan Nightingale'" <johnath@mozilla.com>, "'Web Security Context Working Group WG'" <public-wsc-wg@w3.org>
Cc: "'Dan Schutzer'" <dan.schutzer@fstc.org>
Message-ID: <010e01c7fb73$00b018e0$6500a8c0@dschutzer>

Johnathan

What other mechanism would you suggest for a browser to clearly distinguish
a white list site from a non-white list site?

Dan

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Johnathan Nightingale
Sent: Wednesday, September 19, 2007 5:54 PM
To: Web Security Context Working Group WG
Subject: Re: ISSUE-108: Should Safe Browsing mode restrict users to a
specific set of sites? [Techniques]

Using EV certs as the stand-in for a whitelist seems wrong, to me.   
EV certs make strong identity claims, but not trustworthiness or  
safety claims, which I think SBM envisions.  EV certs in combination  
with a whitelist seem like a more natural fit, if we're going to  
recommend this at all.

I think the argument has been advanced that we could use the  
community logotype field of an EV cert as a proxy for the whitelist,  
basically that having (say) the FSTC logo in there acts as de facto  
whitelist membership.  One downside I see there is that it still  
requires the SSL handshake to take place (in order to acquire the  
certificate for inspection) which exposes some, albeit limited,  
attack surface.  In an EV+Whitelist world, that initial connection  
wouldn't occur because the "Your accounts are being closed" email  
link would presumably point to some non-whitelisted domain, and the  
connection would not be built in the first place.

I've said in the past that I don't think the maintenance and  
generation of these lists can be accurately foreseen, and hence that  
I don't think it's really the right kind of thing for our group to  
mandate, since that compels us to declare "non-conforming" any  
browser that doesn't think the lists are mature enough.   
Nevertheless, if we *are* to make such a recommendation, it feels  
like EVs shouldn't be used as a surrogate for "trustworthiness"  
determinations.

Cheers,

Johnathan

On 18-Sep-07, at 8:59 AM, Web Security Context Working Group Issue  
Tracker wrote:

>
> ISSUE-108: Should Safe Browsing mode restrict users to a specific  
> set of sites? [Techniques]
>
> http://www.w3.org/2006/WSC/track/issues/
>
> Raised by: Thomas Roessler
> On product: Techniques
>
> In the current draft:
>
>   Editor's Draft $Date: 2007/09/18 12:50:20 $
>
> safe browsing mode includes a requirement that Web user agents only  
> be able to access EV (or EV-like) sites when in Safe Browsing  
> Mode.  From discussions, this is one possible approach; the aim  
> seems to be to have some whitelist of truted sites that can be  
> accessed in this mode.
>
> Questions:
>
> - Should such a whitelist exist at all?
> - If it exists, are EV certificates the right criterion?
>
>
>
>
>
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Thursday, 20 September 2007 10:43:16 UTC