IG/W3C security roadmap


In 2013, several security-related discussions took place in the W3C area. Here are the major features that were mentioned by different contributors and that the Web Security IG recommends developing.

Security Enablers

The platforms hosting the open web platform offer some security features that are not yet made available to web developers or to users. It may be worth bringing the following features to the open web platform:

- Protocol

Usage of DANE (DNS-Based Authentication of Named Entities) implies more security in the communication. Read article

- Enabling usage of trusted elements

Platforms may embed trusted elements offering functionality such as trusted storage, trusted execution... Those trusted elements can take different forms, such as an embedded chip (TPM, embedded Secure Element), a pluggable chip (SIM card, Smart Card, µSD), or an integrated Trusted Execution Environment. Read the strawman proposal of the 'secure token and other secure services' workshop discussed in web crypto, to be confirmed by W3C here

Securing resources

- Secure iFrame

Add some protection layers against a compromised client environment. Keep the JavaScript integrity, handle signed/encrypted JavaScript.

- Secure Delete

As with the private browsing mode, allow secure delete after DOM operations have finished. Clean up memory, even in persistent virtual memory such as the Windows pagefile.sys.

Security Indicators

Users sometimes get lost when trying to audit and understand the security of the communication a web app is having. The user interface and the information made available to them vary largely from one browser to another. On the other hand, some sensitive services are now deployed over the web (communication via WebRTC, payment ...), for which more control is required. One possible feature to develop could be the standardization of the user interface used to view or control the security level of the communication a web app is using, including certificate management.