W3C

- DRAFT -

Web Security breakout

13 Nov 2013

See also: IRC log

Attendees

Present
Many
Regrets
Chair
Virginie_Galindo
Scribe
m4nu

Contents

virginie: Chair of Web Crypto

Group doing introductions, probably around 40-50 people in the group

Probably closer to 60 people in the group.

Still doing introductions, lots of people interested in security, etc.

virginie: Lots of people interested in security, that's good to see. There is a security activity in the W3C, led by Wendy Seltzer. It's done by several WGs WebSec, WebCrypto, Web Security IG, open group, and something new. Open item security topic in the TAG.
... What are the programs solved by current activities, Web App Security, Web Crypto WG, XML Security.
... Web Crypto WG is delivering an API to build app security model
... As a security company in Gemalto, we interviewed people to inform us on what should be done in security. The most important is to create a conversation on security.

<wseltzer> Wiki page

virginie: We need a picture on the state of the security model. There is the idea of creating a security community, if each of you are interested, we're off to a good start.
... The question is which pieces of technology should we see implemented in W3C, what are the use cases? problems, questions?

virginia: Ok, open mic - who wants to talk about security.

divi: I live in China, I have a special perspective on this. I don't want to see more binary blobs in the browser. Especially when they're put there by a media company controlled by a government.

<mountie> +1 for no binary bolbs

TimBL: Two things... 1) The idea is to make the web more robust. We need to get people excited about when you link to something, you should take a certain amount of responsibility to help people to get context. If a client gets a TCP error, it should go back to the referrer and ask if they have a copy of it. This is a W3C site, we keep a copy of everything we link to. Or it could be that I

don't have a copy, but there is a P2P group, if you join the bittorrent tracker, sharing copies of data, you could join the P2P community.

TimBL: or if you don't overuse the server too heavily, we can get it from a P2P source. There are lots of ways the way in servers could respond.
... Is a server going down? Is a link going down? Is it by some other authority?

<Zakim> dka, you wanted to suggest we need better UI around security and trust chains, especially in mobile browsers and what about chromeless mobile webapps?

dka: A few years ago, we had a big improvement in the way that security evidences to the user, particularly in the browser, you're presented with more visual queues, it lets you know when you're secure.
... It lets you examine the trust chain of the certificates. When somethings amiss, when somethings being broken, etc.
... With mobile we're starting over again... chromeless web applications, it's hard to tell if they're secure.
... All bets are off, no way to tell if you're in a secure sessions or not. Is there a role for W3C to play? To start or prompt a discussion in the industry... what we should do w/ security UIs. What should we do?

mountie: Mountie from PayGate in Korea. I have discussed at the WebCrypto group. Some parts have a different philosophy, some parties are controlled by the provisioner. Some parties think the Web is controlled by the user, so they have the privilege and the right. By this different philosophy, we need some protection mechanisms to protect client-side security. If a client is compromised,

normally we think that there is no protection. We need more effort. When I see the Web Payments folks talk about Secure Frame, that's very similar to my idea. We should start to consider security when the client environment is compromised

dbaron: How does standardization interact with research and security and the development of new threats we were not aware of. One of the risks we have is that we standardize something and new research comes along to invalidate that.
... There is some amount of resistance to changing stuff that is standardized already, even when we're at a point where all the implementations are about to change. Colon-visited=privacy??? - there were known attacks, we didn't want to take a solution to the WG because we didn't think the CSS WG culture would accept the fix, even though it's something that all browsers were doing.
... We want to exercise some amount of care there, but we need to exercise some amount of care in case we get something wrong.

virginie: To clarify - are you saying that we need to work with new people and be ready to patch the solutions we have today?

dbaron: I think yes, we need to interact with more people here, we need to change things we've done when there are security issues that are found.

jeff: Security is hard, it's hard for lots of reasons. There are a myriad of different use cases, different attacks. It's wack-a-mole, security edition!
... Creating a secure web is protocols, best practices, we have a massively insecure web right now. We don't feel it today, because we're lucky.
... I would propose that we look at the domain that is scariest for the Web. The scariest one is financial services. Everyone does banking on the Web. Everyone puts their credit card on the Web. A couple of well-placed security incidents and there could be massive damages to the financial ecosystem. The financial industry does try to fix this stuff, so it would be interesting to choose one

use case, financial services on the web, make it really secure, then go from there.

<Zakim> m4nu, you wanted to ask about the cerficiate authority issue, to see if anyone is seriously working on it.

<Daniel_Austin> +1 @ JeffJ

m4nu: Asks question about the Certificate Authority chain, spoofability, why we're not moving toward those solution.
... Why are we doing Network Perspectives?

DanD: We need to make sure we have the information captured, we can't make things secure if people don't participate in helping. Make education a bigger priority in the user community with simple messages. Not 100 page documents on threats/countermeasures. Let's involve the users more.

fan: As far as content protection is concerned, software security is important to us.
... We do software security before, we would like W3C we would like to focus on Web Crypto, we want to talk more about Content Protection and contribute more.

sangrae: I'd like a Security Interest Group on Certificate-based functionality. There are many apps that need certificate-based signatures. There is some work in that area, but not enough.

<Jirka> sangrae +1 on browser API for doing crypto operations

sangrae: Security protocol should be provided in the browser, such as SAMR? SAML? It needs to be in the browser, useful for many web apps.

mnot: I want to agree with Manu that PKIX is a big problem, as we encourage more use of encryption on the Web, it's going to incentivize some groups to try and break SSL more.
... There are products that break SSL. There are solutions, DNSSec, Keypinning, Network Perspectives, Sunlight, in all of those discussions, I've been poking people, the pattern that I've observed.. people that know about this are the browser vendors. However, browser vendors think behind closed doors, I understand why they do that. However, we need to have these discussions in public more.

<fan> like to see obfuscation on security agenda

mnot: The browser vendors tend to say "We can't do that", but they can do that in groups and we've seen that happen in HTTP/2.0 work.

<Zakim> timbl, you wanted to ask about better UI for cert management as a subset maybe of dan's point.

<mountie> +1 "we need to have these discussions in public more"

timbl: There is a big social problem about employee/employer relationship wrt. man-in-the-middle attack. What world do we want? You need to ask that question. What sort of Web do we want?

<kodonog> +q

timbl: Certificates... I've always been depressed by how little we use PKI. Certificate management on the browser is pretty bad experience.
... When I'm asked to select a client certificate, I get a fairly horrible experience in the browser.
... It shows me expired certificates, it's in a tiny area of the screen, it's a bad experience. Just improve the interface to do management.
... I commend the browser manufacturers wrt. self-signed certificate warnings and adding them. The dialog doesn't make it clear whether or not I'm trusting the certificate/signer. "Trust Forever" is a big statement. So, we need to do a big push for UI.
... I think we need to use more client certificates.
... For example, many of the security questions I'm asked on websites are data that is found in Wikipedia.
... Secret questions need to move more to cryptography mechanisms, specifically giving me a client-side cert..

Daniel_Austin: Dan Austin from eBay and PayPal.
... We care quite a bit about security since we deal w/ payments.
... We're talking about wiring devices like airplane tvs, cars, electricity grid, etc. We need to keep those devices in our focus.

MoZ: Mohamed Zergaoui from Innovimax
... I'm sad that XML Security is on hold. I'm a bit concerned that this group is labeled Security instead of Trust. This has more to do w/ Trust than Security. Security people tend to have a extreme approach to implementations.
... Facebook had more than 800 million users before switching to HTTPS. I don't think things like that can be handled by standards. Part of the vendor, part of the time, Security as an excuse to not implement features. MathML was in Chrome, then out. They were still saying that MathML was a security issue... what's the security issue? That's the problem w/ working behind closed doors.

<wseltzer> later

MoZ: This is a mentality switch that we need to consider.

<DV> mnot: if we could get HTTP2 use encryption on by default (when possible)

wseltzer: I've been trying to note down some of the things I'm hearing. It's great to go around and get some of these suggestions into the room. We have lots of people in the room, a lot of the security challenges that we face are the issues between applications and parties. As W3C can help convene to identify problems, we need to solve those in ways that are consistent w/ the users.
... We need to take their security understanding from one device to another. Can we build up some of those intuitions and patterns for the general public?

rniwa: There are social hacks that work as well. For example, the like button... cross origin content. This is problematic because there are a lot of people using them.
... For example, if CDNs get compromised, there are huge security implications. Those affect tens of thousands of websites.

mnot: The managed laptop/company laptop issue is a problem.
... I don't use company laptops anymore, they get soebpoenaed. We don't have to solve everything. My iOS device has no access to the trust store on the device. I don't even know that it's happening. We can make small improvements even if we don't get the whole solution. We can solve this better at W3C rather than the IETF.

<Daniel_Austin> +1 on user access to 'trusted enclaves' on devices

kodonog: I do want to go back to the security discussion. There is a preliminary draft out there. This is a conversation that has a lot of key players. We need help to get critical mass. There are a number of key parties that could help in this space. Let's have an open conversation.

btoews: Ben from Github. Sessions are pretty ubiquitous on the Web, typically done via a cookie. If you have a client certificate, we could tie the session to the user agent. You don't need to worry about MiTM, you don't need to worry about session being compromised. JavaScript API to do CSR would be nice. Some of which is being covered in WebCrypto.

timbl: What is CSR?

<kodonog> clarification on my comments... I was going back to the certificate discussion... and I was referencing the IAB Security program and the very preliminary draft... https://datatracker.ietf.org/doc/draft-tschofenig-iab-webpki-evolution/

btoews: CSR is certificate signing request.

<mnot> +1 for having access to TLS cert details in JS (if that's what I understood)

btoews: One certificate per domain by default.

<mete> +1 for JS access to TLS cert details

<mete> +1 for JS access to TLS cert details

Larry: The organizational issue is big. When you are designing some function, it's nice that you can rely on the rest of the stack working. You don't have to know much about them. Security exploits typically cross the boundaries.

<mountie> use Client Cert at OSI Application Layer.

Larry: The security considerations that you don't have to think about because the lower level protects you is good.
... When you ask for a safe/secure Internet, they're asking for something higher in the protocol stack than W3C typically works on. We are trying to build security for people that think the Internet is made of cats.

CATS!

Larry: You have to understand too much to understand the issues. This is about trust, but we've really far away from understanding the usability problem w/ the Web. Let's not solve the problem for us, let's solve the problem for those that are not technically adept.

virginie: Removing my WebCrypto hat, from a Gemalto perspective: Everything related to identity is a use case that's improtant.
... We should put some effort into identity.

Mark: Just one more thing about the difference between different countries. For US, it's based on something you know. Elsewhere, it's based on something you have.

<dka> +1 to the role of a trusted component on the client side for high-value transactions...

<dka> (or at least multi-factor authentication)

<Zakim> m4nu, you wanted to talk about identity.

m4nu: So, we are working on identity stuff in Mozilla Persona and Web Payments, government identifiers, age verification, crypto-based... but we don't have enough participation now. We need more.

<timbl> US banks do use a cellphone SMS message - that is a client side thing i gues

<Daniel_Austin> THe FIDO Alliance is also addressing security, as well as Persona

wseltzer: This work will be wrapped up into building the roadmap for security.

<Daniel_Austin> (and identity!)

wseltzer: What can we do uniquely with the participants and expertise that we have.

Daniel_Austin: We need more hardware people. If you have a Samsung phone, they're going to be a part of the solution.

virginie: Summarizing: We want to protect the client side, fix the certificate authority problem, share knowledge w/ organizations, educate the users, we need to focus on new usages like mobile, power, airlines, and new areas like payment, social network environments, identity.
... That gives us some material to work on in the Web Security IG. We have good input.

<dezell> We have few security experts at W3C because there is no security work.

<dezell> It's "chicken and egg"

virginie: Just to emphasize, the Web Security IG is only as good as the participants. We need the folks in this circle to join the work.
... Ok, we'll see all of you in the Web Security IG! :P
... We want to work on mobile security.
... We need to do more security reviews on specs.
... In terms of process, no one is taking care of that.
... Wendy and I can support you in any of your security related questions/activities.

rigo: As Wendy said, we need an analysis on the Web Platform... where is it lax? The W3C is part of a research project called STREWS. We analyzed security threats, we're going to publish that security report to the IG list.

Summary of Action Items

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2013/11/13 09:50:56 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/mechanisms/mechanisms, specifically giving me a client-side cert./
Succeeded: s/???/Innovimax/
Succeeded: s/Mozzie/Mohamed Zergaoui/
Succeeded: s/MathML was used/Security/
Succeeded: s/?aaaa?/Mark/
Succeeded: s/STROOS?/STREWS./
No ScribeNick specified.  Guessing ScribeNick: m4nu
Inferring Scribes: m4nu

WARNING: No "Topic:" lines found.

Present: Many

WARNING: Fewer than 3 people found for Present list!

Got date from IRC log name: 13 Nov 2013
Guessing minutes URL: http://www.w3.org/2013/11/13-security-minutes.html
People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.


WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report
[End of scribe.perl diagnostic output]