RE: ISSUE-108: Should Safe Browsing mode restrict users to a specific set of sites? [Techniques]

First of all, I feel SBM should be SSL-only (only https allowed,
possible exception for certain MIMEs like GIF) so to me always requiring
a TLS handshake isn't a problem.

I agree an EV cert by itself provides little or no assurance of
trustworthiness or safety, but I didn't think SBM was proposing to use
vanilla EV.  My understanding was that EV communities would be formed
and managed by a central authority that imposes additional controls on
issuing CAs.

For example, a banking community could be managed by an association such
as the ABA, and ABA would require all participating issuers to meet (and
impose) certain criteria that go above & beyond what CAB Forum mandates.
In that scenario, possession of an EV SSL cert with the ABA community
logo seems to me equivalent in every meaningful way to having one's URL
on an ABA-managed white list... without all the well-known inherent
disadvantages of white listing (not scalable, not real-time, not secure,
etc.)

Mike

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Johnathan Nightingale
Sent: Wednesday, September 19, 2007 4:54 PM
To: Web Security Context Working Group WG
Subject: Re: ISSUE-108: Should Safe Browsing mode restrict users to a
specific set of sites? [Techniques]


Using EV certs as the stand-in for a whitelist seems wrong, to me.   
EV certs make strong identity claims, but not trustworthiness or safety
claims, which I think SBM envisions.  EV certs in combination with a
whitelist seem like a more natural fit, if we're going to recommend this
at all.

I think the argument has been advanced that we could use the community
logotype field of an EV cert as a proxy for the whitelist, basically
that having (say) the FSTC logo in there acts as de facto whitelist
membership.  One downside I see there is that it still requires the SSL
handshake to take place (in order to acquire the certificate for
inspection) which exposes some, albeit limited, attack surface.  In an
EV+Whitelist world, that initial connection wouldn't occur because the
"Your accounts are being closed" email link would presumably point to
some non-whitelisted domain, and the connection would not be built in
the first place.

I've said in the past that I don't think the maintenance and generation
of these lists can be accurately foreseen, and hence that I don't think
it's really the right kind of thing for our group to mandate, since that
compels us to declare "non-conforming" any browser that doesn't think
the lists are mature enough. Nevertheless, if we *are* to make such a
recommendation, it feels like EVs shouldn't be used as a surrogate for
"trustworthiness" determinations.

Cheers,

Johnathan

On 18-Sep-07, at 8:59 AM, Web Security Context Working Group Issue  
Tracker wrote:

>
> ISSUE-108: Should Safe Browsing mode restrict users to a specific  
> set of sites? [Techniques]
>
> http://www.w3.org/2006/WSC/track/issues/
>
> Raised by: Thomas Roessler
> On product: Techniques
>
> In the current draft:
>
>   Editor's Draft $Date: 2007/09/18 12:50:20 $
>
> safe browsing mode includes a requirement that Web user agents only
> be able to access EV (or EV-like) sites when in Safe Browsing
> Mode.  From discussions, this is one possible approach; the aim
> seems to be to have some whitelist of trusted sites that can be
> accessed in this mode.
>
> Questions:
>
> - Should such a whitelist exist at all?
> - If it exists, are EV certificates the right criterion?
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
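As an added illustration (not code from this thread or from any WG draft) of the pre-connection gate Johnathan describes, the check below decides from the URL alone, before any socket is opened, so a lure link to a non-listed host never reaches a TLS handshake; the allowlist contents and the `connect` callable are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: exact hostnames only, so a lookalike such as
# "bank.example.evil.example" is never matched by accident.
SAFE_MODE_ALLOWLIST = frozenset({"bank.example", "www.bank.example"})


def safe_mode_target(url: str) -> Optional[str]:
    """Return the normalized hostname safe mode would connect to, or None
    when the URL must be refused outright (non-https scheme, empty host).
    urlsplit().hostname drops userinfo, port and case, so a lure such as
    https://www.bank.example@evil.example/ resolves to "evil.example"."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":   # SBM is https-only in this thread
        return None
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".").lower()       # "Bank.Example." -> "bank.example"


def safe_mode_allows(url: str, allowlist=SAFE_MODE_ALLOWLIST) -> bool:
    """Pre-connection gate: purely a function of the URL, no network."""
    host = safe_mode_target(url)
    return host is not None and host in allowlist


def open_in_safe_mode(url: str, connect, allowlist=SAFE_MODE_ALLOWLIST):
    """Only invoke connect(host) for allowlisted hosts.
    Returns (connection_built, result_of_connect)."""
    if not safe_mode_allows(url, allowlist):
        return False, None                 # no handshake, no attack surface
    return True, connect(safe_mode_target(url))
```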

Received on Thursday, 20 September 2007 22:24:55 UTC