IG/web security model

From Web Security
< IG
Jump to: navigation, search

Web Security model

The W3C Web Security Interest Group has not yet produced any documentation to detail the security model offered by the web. Nevertheless, some good references can be found on the following resources :

This deliverable reports on the broad web security assessment of STREWS. As part of this report, we provide a clear and understandable overview of the Web ecosystem, and discuss the vulnerability landscape, as well as of the underlying attacker models. In addition, we provide a catalog of best prac- tices with existing countermeasures and mitigation techniques, to guide European industrial players to improve step-by-step the trustworthiness of their IT infrastructures. The report concludes with interesting challenges for securing the Web platform, opportunities for future research and trends in improving web security.

  • The list of W3C specifications dealing with security features are the following ones

- CORS Proposed Recommendation

- CSP 1.0 Candidate Recommendation and CSP 1.1 draft

- User Interface Security Directives for Content Security Policy draft

- XML security set of specifications

- Web Crypto API draft and Web Crypto Key Discovery API draft

- to be completed

Understanding interaction with other technologies

W3C technologies do rely on the internet and interact with web security technologies defined by external standardization bodies. It is of high interest for the W3C Web Security Interest Group to maintain a reasonable knowledge of those technologies, and how they do overlap/interact/bind each other. The following list identifies the technology we should pay attention to :

An extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time.

Web Crypto Next Workshop

[1]