Hi Tyler,

On Apr 2, 2008, at 6:08 PM, Close, Tyler J. wrote:


Maciej Stachowiak wrote:
On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote:


Sending the user's cookies, as AC4CSR does, is just not a viable
design, since the target resource cannot determine whether or not
the user consented to the request. I've posted several explanations
of the attacks enabled by this use of ambient authority, and, in my
opinion, the issues are still outstanding. The use of ambient
authority in AC4CSR is a show-stopper, as reflected in the decision
Mozilla announced on this mailing list.

Can you please post these examples again, or pointers to where you
posted them? I believe they have not been previously seen on the Web
API list.

I've written several messages to the appformats mailing list. I suggest reading all of them.

W3C's search finds the following 50 messages from you:

http://www.w3.org/Search/Mail/Public/search?hdr-1-name=from&hdr-1-query=tyler.close%40hp.com&index-grp=Public__FULL&index-type=t&type-index=public-appformats&resultsperpage=20&sortby=date&page=2

Can you help me out with finding which contain descriptions of security flaws in the spec (which have not yet been addressed through spec changes)? The first three I looked at randomly did not contain any descriptions of security flaws.

The most detailed description of the attacks is in the message at:

http://www.w3.org/mid/[EMAIL PROTECTED]

with a correction at:

http://www.w3.org/mid/[EMAIL PROTECTED]

Thanks for stepping up with some actual specific attacks. I will read them carefully and respond soon with my analysis (also in light of Ian's reply to you).


A number of people have mentioned that the AC approach to
cross-site XHR is insecure (or that XDR is somehow more secure), but I
have not yet seen any examples of specific attacks. I would love to
see this information. If I do not see a description of a specific
attack soon I will assume these claims are just FUD.

I think we've met before at a SHDH event. That was a more pleasant conversation. Hopefully, we'll be able to regain that tone.

Sorry for tossing you in the same bucket as those making (so far) unsubstantiated claims. I'm not trying to be unfriendly here; I'm just trying to get us to objective facts about security, which so far have been lacking in this discussion. This is very frustrating to me, because saying a spec is insecure without giving details is just yelling fire in a crowded theater, whereas describing specific attacks is very helpful, so thank you for doing so.


Note also that sending of cookies is not an essential feature of
AC4CSR; certainly it could be a viable spec with that feature removed.
Do you believe there are any other showstopper issues?

Possibly. There is a lot of complexity in the AC4CSR proposal. I've been writing about the most severe things as I find them.

Now would be a great time to collapse the wave function on that "possibly". I have been trying to think of attack models against both AC and XDR myself and so far have not come up with anything that holds water (I did mistakenly think AC had a DNS rebinding vulnerability, but I was wrong). We must carefully identify the security issues (including second-order effects that may result from limiting capabilities) to make informed decisions about this technology area.

Regards,
Maciej
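The ambient-authority point raised above (a cookie attached automatically to a cross-site request tells the target resource nothing about whether the user consented) can be made concrete with a small server-side model. This is an added example, not code from the thread, from AC4CSR, or from any browser; the header names used ("Origin", "Access-Control-Allow-Origin", "Access-Control-Allow-Credentials") follow the later CORS spelling and are an assumption here, as the 2008 draft named them differently. The session store and requests are constructed sample data.

```python
# Added example, not code from the thread or from any AC4CSR implementation.
# It models the point under discussion: a cookie sent automatically with a
# cross-site request proves only that the browser holds the user's session,
# not that the user consented to the request, so the target resource must
# take the requesting origin into account before acting. Header names follow
# the later CORS spelling ("Origin", "Access-Control-Allow-Origin"), which is
# an assumption; the 2008 draft used different names.

from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)  # lower-cased name -> value
    cookies: dict = field(default_factory=dict)  # as attached by the browser


# Constructed sample session store: cookie value -> user.
SESSIONS = {"s3cr3t-session-id": "alice"}

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def session_user(req):
    """Resolve the ambient session cookie to a user, or None."""
    return SESSIONS.get(req.cookies.get("session"))


def decide_cookie_only(req):
    """The design the thread objects to: the cookie alone authorises the
    request, whatever page caused the browser to send it."""
    user = session_user(req)
    if user is None:
        return 401, "no valid session", {}
    return 200, f"acted as {user}", {}


def decide_with_origin_check(req, allowed_origins):
    """Hardened form: for state-changing methods, act only when the
    browser-supplied Origin is on the resource's allow-list, and answer
    with a matching Access-Control-Allow-Origin (never '*' together with
    credentials)."""
    user = session_user(req)
    if user is None:
        return 401, "no valid session", {}
    if req.method in SAFE_METHODS:
        # Reads raise no consent question; the response headers still
        # govern whether a cross-site page may read the body.
        return 200, f"read as {user}", {}
    origin = req.headers.get("origin")
    if origin is None or origin == "null" or origin not in allowed_origins:
        # "null" covers sandboxed/opaque origins; a missing header is
        # treated the same way under this strict policy.
        return 403, f"origin {origin!r} not permitted to act as {user}", {}
    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
    return 200, f"acted as {user} for {origin}", resp


def demo():
    """Constructed requests: same cookie, different requesting origins."""
    cookie = {"session": "s3cr3t-session-id"}
    allowed = {"https://app.example"}
    trusted = Request("POST", {"origin": "https://app.example"}, cookie)
    elsewhere = Request("POST", {"origin": "https://other.example"}, cookie)
    return {
        "cookie_only_other": decide_cookie_only(elsewhere)[0],
        "checked_other": decide_with_origin_check(elsewhere, allowed)[0],
        "checked_trusted": decide_with_origin_check(trusted, allowed)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

The contrast is the whole point: `decide_cookie_only` returns 200 for the request from `other.example` because the session cookie is valid, exactly the situation where the resource cannot tell consent from coincidence; `decide_with_origin_check` refuses the same request and accepts it only from the listed origin. Echoing the specific origin (with `Vary: Origin`) rather than `*` is what keeps credentialed responses from being readable by every site.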

