Re: ISSUE-108: Should Safe Browsing mode restrict users to a specific set of sites? [Techniques]

Hey Dan,

I guess my point was that if we imagine that there's an actual  
whitelist, as a standalone document, which I think you were  
envisioning at one point if not now, then it would certainly be  
appropriate to use attested SSL certs (DV/OV/EV would all work here,  
I imagine) to confirm that you were indeed visiting the intended  
domain.  So that the sequence of actions would be:

1) User attempts to visit www.bank.com while in SBM
2) Before connecting, user agent checks "known banks" whitelist,  
confirms that www.bank.com is on it, allows SSL handshake to commence
3) SSL handshake completes, with a valid cert for www.bank.com, we  
can reasonably assume we are on the right site.

Whereas what I'm hearing now sounds more like:

1) User attempts to visit www.bank.com while in SBM
2) User agent performs SSL handshake regardless of URL
3) After the handshake, inspect the cert and based on some aspect of  
its contents, decide whether it's a known bank.

I think that if the aspect of the cert that is being inspected is  
rigorously verified, then you end up with the same result either way,  
except that, for one thing, there isn't such an aspect in current  
cert standards (including EV) which is presently being verified with  
this in mind, to my knowledge.  And for another, as mentioned, it  
means that even in SBM, the "safe sites only" mode, user agents are  
still connecting to arbitrary URLs, at least initially, which is more  
exposure than one would ideally like to see, from such a locked-down  
mode.

I don't have an alternative, really.  When it was an idea based on  
known-whitelists produced by particular groups, I thought it made a  
lot of sense as an add-on for experimentation, though not necessarily  
for a conformance recommendation from the W3C.  When it's an idea  
without a whitelist - a "connect first and ask questions later"  
approach, particularly one that envisions EV filling a verification  
role that it currently does not - it feels even less like something  
we should insist that conformant browsers implement.

Cheers,

J

On 20-Sep-07, at 6:42 AM, Dan Schutzer wrote:

> Johnathan
>
> What other mechanism would you suggest for a browser to clearly  
> distinguish
> a white list site from a non-white list site?
>
> Dan
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Johnathan Nightingale
> Sent: Wednesday, September 19, 2007 5:54 PM
> To: Web Security Context Working Group WG
> Subject: Re: ISSUE-108: Should Safe Browsing mode restrict users to a
> specific set of sites? [Techniques]
>
>
> Using EV certs as the stand-in for a whitelist seems wrong, to me.
> EV certs make strong identity claims, but not trustworthiness or
> safety claims, which I think SBM envisions.  EV certs in combination
> with a whitelist seem like a more natural fit, if we're going to
> recommend this at all.
>
> I think the argument has been advanced that we could use the
> community logotype field of an EV cert as a proxy for the whitelist,
> basically that having (say) the FSTC logo in there acts as de facto
> whitelist membership.  One downside I see there is that it still
> requires the SSL handshake to take place (in order to acquire the
> certificate for inspection) which exposes some, albeit limited,
> attack surface.  In an EV+Whitelist world, that initial connection
> wouldn't occur because the "Your accounts are being closed" email
> link would presumably point to some non-whitelisted domain, and the
> connection would not be built in the first place.
>
> I've said in the past that I don't think the maintenance and
> generation of these lists can be accurately foreseen, and hence that
> I don't think it's really the right kind of thing for our group to
> mandate, since that compels us to declare "non-conforming" any
> browser that doesn't think the lists are mature enough.
> Nevertheless, if we *are* to make such a recommendation, it feels
> like EVs shouldn't be used as a surrogate for "trustworthiness"
> determinations.
>
> Cheers,
>
> Johnathan
>
> On 18-Sep-07, at 8:59 AM, Web Security Context Working Group Issue
> Tracker wrote:
>
>>
>> ISSUE-108: Should Safe Browsing mode restrict users to a specific
>> set of sites? [Techniques]
>>
>> http://www.w3.org/2006/WSC/track/issues/
>>
>> Raised by: Thomas Roessler
>> On product: Techniques
>>
>> In the current draft:
>>
>>   Editor's Draft $Date: 2007/09/18 12:50:20 $
>>
>> safe browsing mode includes a requirement that Web user agents only
>> be able to access EV (or EV-like) sites when in Safe Browsing
>> Mode.  From discussions, this is one possible approach; the aim
>> seems to be to have some whitelist of trusted sites that can be
>> accessed in this mode.
>>
>> Questions:
>>
>> - Should such a whitelist exist at all?
>> - If it exists, are EV certificates the right criterion?
>>
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Thursday, 20 September 2007 12:48:41 UTC
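The two sequences Johnathan contrasts above (whitelist checked before any connection, versus connect first and then inspect the certificate) can be modelled to make the exposure difference concrete. The following is an added example written for this archive page, not code from the working group or from any browser; the hostnames, the "known banks" whitelist, the certificates and the fake network are all constructed. Since the thread notes that no current cert field is verified with whitelist membership in mind, the connect-first policy here uses a hypothetical logotype string purely as a stand-in for "some aspect of the cert".

```python
"""Toy model of two Safe Browsing Mode (SBM) gating policies.

Constructed example: hostnames, certificates and the whitelist below are
made up for illustration and do not describe any real CA, bank or browser.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Callable


@dataclass
class Cert:
    subject: str                   # hostname the CA attested (DV/OV/EV all bind a name)
    valid: bool = True             # chain validates to a trusted root
    ev: bool = False               # EV policy present
    logotype: Optional[str] = None # hypothetical community logotype field


@dataclass
class FakeNetwork:
    """Records every handshake so we can measure how much gets contacted."""
    certs: Dict[str, Cert]
    connections: List[str] = field(default_factory=list)

    def handshake(self, host: str) -> Optional[Cert]:
        self.connections.append(host)      # a connection happened, whatever follows
        return self.certs.get(host)


# Constructed whitelist: the standalone "known banks" document from the thread.
KNOWN_BANKS = {"www.bank.com"}

# Constructed certificates. The lookalike host holds a perfectly valid EV cert:
# identity claims are strong, but that says nothing about trustworthiness.
CONSTRUCTED_CERTS = {
    "www.bank.com": Cert("www.bank.com", ev=True, logotype="FSTC"),
    "www.bank-account-review.example": Cert("www.bank-account-review.example", ev=True),
}


def cert_matches(cert: Optional[Cert], host: str) -> bool:
    """Step 3 of the first sequence: a valid cert whose name is the host we wanted."""
    return cert is not None and cert.valid and cert.subject == host


def whitelist_first(host: str, net: FakeNetwork) -> str:
    """Sequence 1: consult the whitelist, and only then allow the handshake."""
    if host not in KNOWN_BANKS:
        return "blocked-before-connect"    # no TCP/TLS exchange ever occurs
    cert = net.handshake(host)
    return "ok" if cert_matches(cert, host) else "blocked-bad-cert"


def connect_first(host: str, net: FakeNetwork, logo: str = "FSTC") -> str:
    """Sequence 2: handshake regardless of URL, then judge by cert contents."""
    cert = net.handshake(host)             # exposure happens here for every URL
    if not cert_matches(cert, host):
        return "blocked-bad-cert"
    if cert.ev and cert.logotype == logo:  # hypothetical stand-in for "known bank"
        return "ok"
    return "blocked-after-connect"


Policy = Callable[[str, FakeNetwork], str]


def run(policy: Policy, hosts: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Apply one policy to each host; return decisions and the hosts actually contacted."""
    net = FakeNetwork(CONSTRUCTED_CERTS)
    decisions = {h: policy(h, net) for h in hosts}
    return decisions, net.connections


if __name__ == "__main__":
    hosts = ["www.bank.com", "www.bank-account-review.example"]
    for name, policy in (("whitelist-first", whitelist_first), ("connect-first", connect_first)):
        decisions, contacted = run(policy, hosts)
        print(name, decisions, "contacted:", contacted)
```

Both policies end up allowing the whitelisted bank and refusing the lookalike, which is the "same result either way" point. The difference is in `connections`: under whitelist-first the lookalike host is never contacted, while under connect-first every URL the user follows gets a full handshake before the decision is made, which is the extra exposure the message objects to.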