Difference between revisions of "IG/web security model"

Revision as of 15:12, 16 January 2014

Web Security model

The W3C Web Security Interest Group has not yet produced any documentation detailing the security model offered by the web. Nevertheless, some good references can be found in the following resources:

This deliverable reports on the broad web security assessment of STREWS. As part of this report, we provide a clear and understandable overview of the Web ecosystem, and discuss the vulnerability landscape, as well as the underlying attacker models. In addition, we provide a catalog of best practices with existing countermeasures and mitigation techniques, to guide European industrial players to improve step-by-step the trustworthiness of their IT infrastructures. The report concludes with interesting challenges for securing the Web platform, opportunities for future research and trends in improving web security.

  • The W3C specifications dealing with security features are the following:

- CORS Proposed Recommendation

- CSP 1.0 Candidate Recommendation and CSP 1.1 draft

- User Interface Security Directives for Content Security Policy draft

- XML security set of specifications

- Web Crypto API draft and Web Crypto Key Discovery API draft

- to be completed

Understanding interaction with other technologies

W3C technologies rely on the internet and interact with web security technologies defined by external standardization bodies. It is of high interest for the W3C Web Security Interest Group to maintain a reasonable knowledge of those technologies, and of how they overlap, interact with and bind to each other. The following list identifies the technologies we should pay attention to:

- HTTP2 and TLS: read the HTTP2 co-chair status from January 2014 (http://www.mnot.net/blog/2014/01/04/strengthening_http_a_personal_view) and access the security issues related to HTTP2 (https://github.com/http2/http2-spec/issues?labels=security&page=1&state=open)

- Public Key Pinning extension https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/

An extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time.

- HTTP Authentication framework http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-25

- to be completed
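To make the pinning mechanism described above concrete, here is an added illustration (not part of the IG page, and not code from the key-pinning draft or any browser) of what a user agent does with a Public-Key-Pins header: it parses the pin-sha256, max-age and includeSubDomains directives defined by the draft, remembers the pins until max-age elapses, and later accepts a connection only if some SubjectPublicKeyInfo in the presented certificate chain hashes to a remembered pin. The SPKI byte strings are constructed placeholders rather than real DER-encoded keys; everything else follows the draft's header syntax.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed sample inputs: in a real UA these would be the DER-encoded
# SubjectPublicKeyInfo of each certificate in the server's chain. Not real keys.
LEAF_SPKI = b"constructed-leaf-spki-der-bytes"
BACKUP_SPKI = b"constructed-backup-spki-der-bytes"
ROGUE_SPKI = b"constructed-rogue-spki-der-bytes"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as the draft defines it: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinSet:
    pins: set              # remembered base64 pin-sha256 values
    expires_at: float      # absolute time after which the UA forgets the pins
    include_subdomains: bool = False


# One directive: name, optionally "=" and a (possibly quoted) value.
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*"?([^";]*)"?)?\s*')


def parse_pkp_header(value: str, now: float) -> PinSet:
    """Parse a Public-Key-Pins header value received over a secure connection.

    The draft requires at least two pins (a live one and a backup) and a
    max-age; a header that lacks them must be ignored, signalled here by ValueError.
    """
    pins = set()
    max_age = None
    include_subdomains = False
    for part in value.split(";"):
        m = _DIRECTIVE_RE.fullmatch(part)
        if not m:
            continue  # empty segment, e.g. a trailing ';'
        name, val = m.group(1).lower(), m.group(2)
        if name == "pin-sha256" and val:
            pins.add(val.strip())
        elif name == "max-age" and val:
            max_age = int(val.strip())
        elif name == "includesubdomains":
            include_subdomains = True
        # report-uri is accepted by the parser but plays no part in validation
    if len(pins) < 2 or max_age is None:
        raise ValueError("Public-Key-Pins needs a backup pin and max-age")
    return PinSet(pins, now + max_age, include_subdomains)


def connection_allowed(pinset: PinSet, chain_spkis: list, now: float) -> bool:
    """Pin validation for a later TLS connection to the pinned host.

    Once max-age has elapsed the pins are forgotten and the UA falls back to
    ordinary certificate validation, so an expired pin set never blocks a connection.
    """
    if now >= pinset.expires_at:
        return True
    return any(spki_pin(spki) in pinset.pins for spki in chain_spkis)


if __name__ == "__main__":
    t0 = 1_000_000.0
    header = (
        f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
        "max-age=5184000; includeSubDomains"
    )
    pins = parse_pkp_header(header, t0)
    print("leaf chain accepted:", connection_allowed(pins, [LEAF_SPKI], t0 + 60))
    print("rogue chain accepted:", connection_allowed(pins, [ROGUE_SPKI], t0 + 60))
```

The check is deliberately "any SPKI in the chain", which is what lets an operator pin an intermediate or root key rather than the leaf; the mandatory backup pin is what keeps a key rotation from locking returning users out for the remainder of max-age.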