ISSUE-154: Security approach

State: CLOSED
Product: Network Service Discovery
Raised by: Frederick Hirsch
Opened on: 2013-10-02
Description:
on behalf of Youenn Fablet

http://lists.w3.org/Archives/Public/public-device-apis/2013Sep/0029.html

In case the WG is not aware, implementation of the NSD API was discussed on various browser engine mailing lists ([1], [2], [3]).
Interesting feedback related to security issues was brought up.

First, fingerprint issues were raised.
These issues may probably be solved by user permission requests and/or data exposure minimization.
Second, a granted local service is exposed to receiving and processing any kind of data from a given web page.
Local services are often weak in terms of security (not regularly patched for instance, [4]).
This may enable new hacking possibilities through tweaked HTTP requests (e.g. XML/SOAP payloads or arbitrary data).
Solving both kinds of issues through a single user permission UI was perceived as too complex and error-prone.

From what I know, research has been done on identifying issues related to protocols and implementations like SSDP.
Since the browser engine is handling the discovery part, the NSD API spec is probably safe there.

I do not know much about the possibilities of hacking through tweaked HTTP requests.
This potential threat, especially for legacy devices, weakens the idea of whitelisting granted local services.
Also, getting access to a discovered local service can already be done using existing approaches:

- packaged web applications/extensions may get permissions to do cross-origin requests

- CORS may be implemented in future local network services

The discovery part of the NSD API specification seems already in pretty good shape.
The access granting part of the NSD API specification may take more time to mature.
Given all of that, would it make sense to split the NSD API specification into two documents?

Regards,
Youenn

[1] https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/HT0KZKuTLxM
[2] http://www.mail-archive.com/webkit-dev@lists.webkit.org/msg23727.html
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=914579
[4] http://www.upnp-hacks.org/
Related Action Items:
No related actions
Related emails:
  1. [admin] Agenda - Distributed Meeting 15 May 2014 (from frederick.hirsch@nokia.com on 2014-05-12)
  2. [admin] Agenda - Distributed Meeting 27 March 2014 (from Frederick.Hirsch@nokia.com on 2014-03-27)
  3. [admin] Agenda - Distributed Meeting 20 March 2014 (from Frederick.Hirsch@nokia.com on 2014-03-19)
  4. [admin] Cancel teleconference 6 March, next call 20 March (from Frederick.Hirsch@nokia.com on 2014-03-05)
  5. Re: [admin] Agenda - Distributed Meeting 27 February 2014 (from dom@w3.org on 2014-02-27)
  6. [admin] Agenda - Distributed Meeting 27 February 2014 (from Frederick.Hirsch@nokia.com on 2014-02-26)
  7. [admin] Agenda - Distributed Meeting 20 February 2014 (from Frederick.Hirsch@nokia.com on 2014-02-18)
  8. [admin] Agenda - Distributed Meeting 13 February 2014 (resend corrected date) (from Frederick.Hirsch@nokia.com on 2014-02-13)
  9. [admin] Agenda - Distributed Meeting 12 February 2014 (from Frederick.Hirsch@nokia.com on 2014-02-13)
  10. Network Service Discovery API (from alexander.adolf@condition-alpha.com on 2014-02-12)
  11. [admin] Agenda - Distributed Meeting 6 February 2014 (from Frederick.Hirsch@nokia.com on 2014-02-05)
  12. Regrets: [admin] Agenda - Distributed Meeting 30 January 2014 (from dom@w3.org on 2014-01-29)
  13. [admin] Agenda - Distributed Meeting 30 January 2014 (from Frederick.Hirsch@nokia.com on 2014-01-28)
  14. [admin] Agenda - Distributed Meeting 16 January 2014 (from Frederick.Hirsch@nokia.com on 2014-01-15)
  15. [admin] Agenda - Distributed Meeting 9 January 2014 (from Frederick.Hirsch@nokia.com on 2014-01-08)
  16. [admin] Agenda - Distributed Meeting 12 December2013 (from Frederick.Hirsch@nokia.com on 2013-12-11)
  17. Re: [admin] Agenda - Distributed Meeting 21 November 2013 (from jean-claude.dufourd@telecom-paristech.fr on 2013-11-21)
  18. [admin] Agenda - Distributed Meeting 21 November 2013 (from Frederick.Hirsch@nokia.com on 2013-11-21)
  19. Agenda - Distributed Meeting 7 November 2013 (Thursday) (from Frederick.Hirsch@nokia.com on 2013-11-05)
  20. Re: Agenda - Distributed Meeting 31 October 2013 (Thursday) (from jean-claude.dufourd@telecom-paristech.fr on 2013-10-29)
  21. Agenda - Distributed Meeting 31 October 2013 (Thursday) (from Frederick.Hirsch@nokia.com on 2013-10-28)
  22. Re: Agenda - Distributed Meeting 17 October 2013 (Thursday) (from jean-claude.dufourd@telecom-paristech.fr on 2013-10-17)
  23. Re: Agenda - Distributed Meeting 17 October 2013 (Thursday) (from dom@w3.org on 2013-10-17)
  24. Agenda - Distributed Meeting 17 October 2013 (Thursday) (from Frederick.Hirsch@nokia.com on 2013-10-17)
  25. Agenda - Distributed Meeting 10 October 2013 (Thursday) (from Frederick.Hirsch@nokia.com on 2013-10-10)
  26. Draft minutes today 3 October 2013 (from Frederick.Hirsch@nokia.com on 2013-10-03)
  27. Agenda - Distributed Meeting 3 October 2013 (Thursday) (from Frederick.Hirsch@nokia.com on 2013-10-02)
  28. DAP-ISSUE-154: Security approach [Network Service Discovery] (from sysbot+tracker@w3.org on 2013-10-02)

Related notes:

Proposal and comment from Rich, http://lists.w3.org/Archives/Public/public-device-apis/2013Sep/0040.html

Support for CORS based approach from Dom, http://lists.w3.org/Archives/Public/public-device-apis/2013Sep/0041.html

http://lists.w3.org/Archives/Public/public-device-apis/2013Sep/0043.html

Making CORS work, Rich, http://lists.w3.org/Archives/Public/public-device-apis/2013Sep/0045.html

more CORS support, Sony/Claes, http://lists.w3.org/Archives/Public/public-device-apis/2013Sep/0059.html

more CORS support, AT&T/Bin, http://lists.w3.org/Archives/Public/public-device-apis/2013Sep/0064.html

Frederick Hirsch, 2 Oct 2013, 17:48:39
