IRC log of webappsec on 2014-01-29

Timestamps are in UTC.

15:56:00 [RRSAgent]
RRSAgent has joined #webappsec
15:56:00 [RRSAgent]
logging to
15:56:01 [trackbot]
RRSAgent, make logs world
15:56:01 [Zakim]
Zakim has joined #webappsec
15:56:03 [trackbot]
Zakim, this will be WASWG
15:56:03 [Zakim]
ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 4 minutes
15:56:04 [trackbot]
Meeting: Web Application Security Working Group Teleconference
15:56:05 [trackbot]
Date: 29 January 2014
15:56:21 [hillbrad]
Chairs: bhill2, ekr
15:56:45 [Zakim]
SEC_WASWG()11:00AM has now started
15:56:52 [Zakim]
15:57:15 [gmaone]
Zanon, i am ??P6
15:57:27 [Zakim]
15:57:33 [freddyb]
freddyb has joined #webappsec
15:57:41 [wseltzer]
zakim, ??p6 is gmaone
15:57:41 [Zakim]
+gmaone; got it
15:58:13 [Zakim]
15:58:15 [hillbrad]
15:58:19 [hillbrad]
hillbrad has changed the topic to:
15:58:52 [Zakim]
15:59:09 [gmaone]
wseltzer, thanks, goddamn virtual kb autocomplete :(
15:59:11 [freddyb]
Zakim: I am ??p10
15:59:23 [freddyb]
The bot wants commas, doesnt it?
15:59:34 [freddyb]
Zakim, ??p10 is freddyb
15:59:34 [Zakim]
+freddyb; got it
15:59:43 [Zakim]
+ +1.650.214.aaaa
16:00:08 [freddyb]
bots should listen to people, not the other way around :-)
16:00:28 [mkwst]
aaaa is mkwst
16:00:36 [wseltzer]
zakim, aaaa is mkwst
16:00:36 [Zakim]
+mkwst; got it
16:00:37 [Zakim]
16:00:44 [mkwst]
Ah, right. I need to talk to Zakim. :)
16:00:57 [terri]
should and will are such different things ;)
16:01:52 [freddyb]
I propose the use of Universal Greeting Time ;)
16:02:09 [neilm]
neilm has joined #webappsec
16:02:20 [hillbrad]
16:03:56 [Zakim]
16:04:19 [neilm]
Zakim, IPcaller is neilm
16:04:19 [Zakim]
+neilm; got it
16:05:23 [hillbrad]
Scribe: Wendy Seltzer
16:05:29 [hillbrad]
ScribeNick: wseltzer
16:05:31 [Zakim]
16:05:42 [ekr]
ekr has joined #webappsec
16:05:52 [ekr]
zakim, who is here?
16:05:53 [Zakim]
On the phone I see gmaone, terri, freddyb, Wendy, mkwst, BHill, neilm, ekr
16:05:53 [Zakim]
On IRC I see ekr, neilm, freddyb, Zakim, RRSAgent, hillbrad, gmaone, terri, glenn, tobie_, timeless, mkwst, wseltzer, trackbot
16:06:40 [hillbrad]
Topic: Minutes Approval
16:06:42 [hillbrad]
16:06:50 [wseltzer]
hillbrad: Any objections?
16:06:59 [wseltzer]
... Approved.
16:06:59 [hillbrad]
Topic: Agenda Bashing
16:07:08 [hillbrad]
16:07:15 [wseltzer]
hillbrad: Any additions to the agenda?
16:07:22 [wseltzer]
@@: Next steps for moving to last call
16:07:40 [mkwst]
wseltzer: that was me
16:07:42 [wseltzer]
hillbrad: That fits into the CfC results, along with formal objection
16:07:47 [wseltzer]
16:07:55 [hillbrad]
Topic: Tracker actions
16:08:02 [hillbrad]
16:08:32 [wseltzer]
hillbrad: Adam has a number of actions, but isn't on the call
16:08:57 [wseltzer]
mkwst: I'll take a look at some of the actions
16:09:25 [wseltzer]
hillbrad: I owe Jonas a note to say we won't do that
16:09:33 [ccarson]
ccarson has joined #webappsec
16:09:58 [wseltzer]
... action-161 will prepare new WD with reduced feature set
16:10:13 [Zakim]
+ +1.425.234.aabb
16:10:18 [hillbrad]
Topic: Integrity and Latency Tradeoffs
16:10:20 [hillbrad]
16:10:23 [ccarson]
zakim, aabb is ccarson
16:10:23 [Zakim]
+ccarson; got it
16:10:59 [wseltzer]
hillbrad: initial proposals for subresource integrity envisioned a single hash function
16:11:10 [wseltzer]
... there was interest in streaming-friendly integrity to reduce latency
16:11:19 [wseltzer]
... agl proposed unbalanced Merkle trees
16:11:44 [wseltzer]
... looks as though list consensus: cool idea but hold off for future version
16:12:11 [wseltzer]
... Anyone think we need stream-friendly integrity in v1?
16:12:30 [wseltzer]
mkwst: Think it's useful, but pushing off to a later version makes sense
16:12:49 [wseltzer]
... make sure we're not making bad security choices with integrity overall
16:13:10 [wseltzer]
@@: Agree, it sounds neat, but we don't have a good way to serialize trees
16:13:22 [freddyb]
^-- that was me
16:13:24 [wseltzer]
16:13:34 [wseltzer]
ekr: parallel or serial?
16:13:50 [wseltzer]
@@: currently one hash per resource
16:14:06 [freddyb]
^-- that was mkwst
16:14:14 [wseltzer]
ekr: If we supported multiple hash algorithms, it would be simple to add
16:14:19 [wseltzer]
16:15:10 [wseltzer]
mkwst: figure out how to specify multiple integrity checks; should have a syntax for that in v1
16:15:34 [neilm]
(sorry, I need to step out for 5-10 minutes)
16:15:37 [hillbrad]
one more topic:
16:15:54 [wseltzer]
hillbrad: should talk about use cases
16:16:20 [wseltzer]
... stream-friendly opens up some use cases; others don't require streaming, such as content-addressable storage
16:16:36 [wseltzer]
... Concern raised about attacks on content-addressable storage, latency
16:17:11 [wseltzer]
... use-case includes local storage for users on low bandwidth connections
16:17:43 [wseltzer]
mkwst: Don't think that's a crazy use case; but content-addressable storage has properties interesting to attackers
16:17:52 [wseltzer]
... cache poisoning, timing attacks
16:18:37 [wseltzer]
... e.g. create a resource with the same hash as jQuery, then replace it in all webpages
16:19:10 [hillbrad]
if you can get 2nd preimage, all of the software update mechanisms in the world break
16:19:15 [hillbrad]
so your browser gets pwned before jquery
16:19:42 [wseltzer]
freddyb: also assure it aligns with CSP
16:20:15 [wseltzer]
... and other origin-based security
16:20:36 [wseltzer]
mkwst: assure that things introduced into content-addressable storage are public
16:20:59 [wseltzer]
... access via URL
16:21:42 [wseltzer]
freddyb: scripts, distinguish between access-control: allow * and include wherever
16:22:10 [wseltzer]
mkwst: consider how origin-based controls work where origins aren't delivering the resource
16:22:39 [wseltzer]
... we could be draconian, say if you care about origin, verify before looking at the cache
16:22:55 [ccarson]
If the concern is protecting against hash collisions, why not allow webapp to whitelist which hash algorithms are accepted?
16:23:13 [freddyb]
ccarson: I don't think this is a main concern, actually.
16:23:29 [hillbrad]
Topic: Length extension
16:23:30 [hillbrad]
16:23:53 [wseltzer]
freddyb: might be resolved on list from agl
16:24:26 [wseltzer]
hillbrad: since we're not using HMAC, no impact
16:24:44 [hillbrad]
or rather, a concatenated MAC (HMAC is safe, too)
16:24:48 [wseltzer]
mkwst: it would be interesting if length could be added to hash
16:25:27 [wseltzer]
ekr: not sure 2d preimage is substantially harder if lenght is added
16:25:56 [wseltzer]
... if we need to, should respond with new set of hash algorithms with different properties
16:26:41 [wseltzer]
... not sure there's a use for generic inputs of functions
16:27:12 [wseltzer]
mkwst: conversations about ways headers are used; how do we handle mis-matches regarding integrity
16:27:49 [wseltzer]
... holding off posting before we get done with CSP
16:28:06 [wseltzer]
hillbrad: also document in spec what properties of hash fns we're relying on; what happens if they fail
16:29:44 [wseltzer]
terri: describe a plan for how it might work if hash fn is compromised
16:30:16 [hillbrad]
Topic: Beacon and CSP
16:30:17 [hillbrad]
16:30:18 [wseltzer]
hillbrad: section describing how properties relate to security can help to preempt future discussion
16:30:40 [wseltzer]
hillbrad: Beacon is a new spec allowing for triggering of async post
16:30:51 [wseltzer]
... what CSP directives should apply?
16:30:59 [Zakim]
+ +1.831.246.aacc
16:31:10 [wseltzer]
... 2 camps: ConnectSource and Form-Action
16:31:42 [hillbrad]
zakim, aacc is dveditz
16:31:42 [Zakim]
+dveditz; got it
16:31:44 [wseltzer]
@@: @@ don't care so long as it's covered by something
16:31:58 [mkwst]
16:32:02 [mkwst]
16:33:23 [wseltzer]
mkwst: it can trigger CORS preflight and push arbitrary data to a POST endpoint
16:33:37 [wseltzer]
... so incline to put it into same camp as XHR. ie ConnectSource
16:33:46 [wseltzer]
16:34:21 [wseltzer]
... if form changes, perhaps make sense to merge form-action with connect-src
16:35:20 [wseltzer]
@@: main reason for including connect-src is because we include data back into document
16:35:49 [wseltzer]
... connect-src could also be used to block data exfiltration
16:36:03 [wseltzer]
hillbrad: interesting argument to include beacon as form-action
16:36:14 [wseltzer]
... only sending data away, not changing document
16:36:35 [freddyb]
16:36:54 [wseltzer]
mkwst: question what you're able to do to external endpoint. Sending to a server that would do interesting things based on your authenticated input
16:37:16 [wseltzer]
dveditz: it would be great if we could address CSRF
16:37:34 [wseltzer]
... but likely take a more unified effort than adding things piecemeal to CSP
16:37:47 [wseltzer]
mkwst: maybe in CSP 1.2
16:38:12 [wseltzer]
mkwst: do we want form-action in 1.1? does it solve a problem we care about?
16:38:23 [wseltzer]
... is it same as connect-src?
16:38:31 [wseltzer]
... I think y, y, no
16:38:58 [wseltzer]
dveditz: I think we care about it, should be distinct from connect-src, but not necessarily in 1.1
16:39:04 [wseltzer]
... don't want to delay 1.1
16:39:46 [wseltzer]
hillbrad: document the difference. form-action is data gets sent away; connect-src includes reference to data in document
16:39:59 [wseltzer]
mkwst: beacon stuff should be included in beacon, not CSP
16:40:05 [hillbrad]
ACTION: bhill2 to propose to list text on form-action vs. connect-src re: sending data vs. receiving it
16:40:05 [trackbot]
Created ACTION-162 - Propose to list text on form-action vs. connect-src re: sending data vs. receiving it [on Brad Hill - due 2014-02-05].
16:40:58 [wseltzer]
@@: Beacon gives a mechanism for async before-unload
16:41:07 [hillbrad]
Topic: CSP and Fetch
16:41:15 [hillbrad]
16:41:31 [wseltzer]
hillbrad: back-and-forth on whether to integrate CSP in fetch mechanism
16:42:13 [wseltzer]
mkwst: concern that fetch isn't part of W3C
16:42:27 [wseltzer]
... makes sense to move some of this processing into fetch spec
16:42:45 [wseltzer]
... but unclear on the politics
16:43:08 [wseltzer]
hillbrad: I tend to say work should be done where the people willing to do the work are
16:43:20 [wseltzer]
... don't lose momentum to fragmentation
16:43:39 [wseltzer]
... keep an eye on it for context and momentum
16:43:53 [wseltzer]
mkwst: for 1.1, don't think it makes a difference
16:44:08 [wseltzer]
... for 1.2, think about organization and structure of spec
16:44:24 [wseltzer]
... to push pieces that make sense to fetch
16:44:59 [wseltzer]
... Believe we'd define what CSP means, push the policy out as an argument to fetch
16:45:14 [wseltzer]
... happening in service worker
16:45:33 [wseltzer]
... we should have more conversations with service worker folks
16:45:57 [hillbrad]
Topic: CfC on new CSP 1.1 WD
16:45:58 [hillbrad]
16:46:11 [wseltzer]
hillbrad: Mike issued a call for consensus
16:46:24 [wseltzer]
... about a week ago. More positive responses than any previous call
16:46:28 [wseltzer]
... and no objections.
16:46:38 [wseltzer]
... Unless we have any objections here.
16:46:50 [wseltzer]
... Unanimous approval to push the WD
16:47:09 [wseltzer]
... I'll work with W3C to publish (tues/thurs)
16:47:24 [wseltzer]
... Next steps for Last Call WD
16:47:42 [wseltzer]
mkwst: I sent a couple emails to the list asking what else we need to do
16:47:54 [wseltzer]
... response makes me believe there's nothing left
16:48:09 [wseltzer]
... I think the spec is relatively stable and agreed upon.
16:48:17 [glenn]
i'm closing, removing Cox' objection
16:48:17 [wseltzer]
... the one formal objection aside
16:48:38 [wseltzer]
[Here's the W3C process:]
16:48:38 [glenn]
we are satisfied with the resolution; thanks mike
16:48:43 [mkwst]
glenn: thanks.
16:49:01 [wseltzer]
hillbrad: I'd like to be sure we've closed the open issues, even if that's a matter of moving them to 1.2
16:49:14 [wseltzer]
... we need to formally respond to all comments in LC period
16:49:32 [hillbrad]
ACTION: bhill2 give language on how frame-ancestors interacts with XFO
16:49:33 [trackbot]
Created ACTION-163 - Give language on how frame-ancestors interacts with xfo [on Brad Hill - due 2014-02-05].
16:49:36 [wseltzer]
... so it's best resolve the discussions in the group first
16:50:03 [wseltzer]
hillbrad: Ask everyone here to review doc as though it were Last Call doc
16:50:13 [wseltzer]
... and prepare to move forward within a monht
16:50:17 [wseltzer]
16:50:32 [wseltzer]
mkwst: working to set up a call with Adam on his actions
16:50:38 [wseltzer]
... most can be moved to 1.2
16:50:53 [wseltzer]
... want to look at error-handling on blocked resources
16:51:04 [wseltzer]
... also 149, talking about blob data
16:51:57 [wseltzer]
... rest seem push-able to 1.2
16:52:38 [wseltzer]
hillbrad: that matches reasonably with approach to working with Fetch
16:52:57 [wseltzer]
mkwst: assume we'll be able to close or push these items relatively quickly
16:53:07 [terri_]
terri_ has joined #webappsec
16:53:20 [hillbrad]
Topic: Formal Objection re: user extensions and CSP
16:53:21 [hillbrad]
16:53:40 [wseltzer]
hillbrad: I see in irc that glenn has closed the bug and removed the formal objection
16:53:54 [wseltzer]
... sounds as though everyone could live with removing the language
16:54:03 [wseltzer]
... leaving it to browsers to handle extensions
16:54:47 [wseltzer]
mkwst: some argument from Anne and others that we shouldn't have language that's vendor-specific
16:55:06 [wseltzer]
... if others aren't happy, we can have more discussion
16:55:16 [wseltzer]
hillbrad: Can everybody live with that?
16:55:18 [wseltzer]
... Great
16:55:22 [glenn]
16:55:34 [wseltzer]
... Can everyone live with making that change to CSP 1.0, currently in CR?
16:55:50 [wseltzer]
... because working on test-suite for script-src, haven't been able to write tests
16:56:27 [neilm]
16:56:40 [wseltzer]
... you can make small edits for things at-risk, or that don't pass conformance
16:57:06 [wseltzer]
mkwst: perfectly happy removing it
16:57:12 [wseltzer]
hillbrad: I'll make those edits
16:57:27 [wseltzer]
hillbrad: AOB?
16:57:37 [wseltzer]
16:57:46 [Zakim]
16:57:48 [hillbrad]
rrsagent, make minutes
16:57:48 [RRSAgent]
I have made the request to generate hillbrad
16:57:49 [Zakim]
16:57:52 [neilm]
sorry for the keyboard :(
16:57:57 [hillbrad]
zakim, list attendees
16:57:57 [Zakim]
As of this point the attendees have been terri, gmaone, Wendy, freddyb, +1.650.214.aaaa, mkwst, BHill, neilm, ekr, +1.425.234.aabb, ccarson, +1.831.246.aacc, dveditz
16:58:00 [Zakim]
16:58:00 [Zakim]
16:58:02 [Zakim]
16:58:02 [wseltzer]
trackbot, end teleconf
16:58:02 [trackbot]
Zakim, list attendees
16:58:03 [Zakim]
16:58:03 [Zakim]
As of this point the attendees have been terri, gmaone, Wendy, freddyb, +1.650.214.aaaa, mkwst, BHill, neilm, ekr, +1.425.234.aabb, ccarson, +1.831.246.aacc, dveditz
16:58:05 [Zakim]
16:58:05 [hillbrad]
rrsagent, make minutes
16:58:05 [RRSAgent]
I have made the request to generate hillbrad
16:58:05 [Zakim]
16:58:06 [Zakim]
16:58:10 [trackbot]
RRSAgent, please draft minutes
16:58:10 [RRSAgent]
I have made the request to generate trackbot
16:58:11 [trackbot]
RRSAgent, bye
16:58:11 [RRSAgent]
I see 2 open action items saved in :
16:58:11 [RRSAgent]
ACTION: bhill2 to propose to list text on form-action vs. connect-src re: sending data vs. receiving it [1]
16:58:11 [RRSAgent]
recorded in
16:58:11 [RRSAgent]
ACTION: bhill2 give language on how frame-ancestors interacts with XFO [2]
16:58:11 [RRSAgent]
recorded in
16:58:14 [hillbrad]
rrsagent, set logs public-visible
16:58:16 [freddyb]
freddyb has left #webappsec