- From: <bugzilla@jessica.w3.org>
- Date: Wed, 09 Mar 2011 17:40:42 +0000
- To: public-webapps@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12272
Summary: Improve section on DNS spoofing attacks to address user attacks
Product: WebAppsWG
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Web Storage (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: watsonm@netflix.com
QAContact: member-webapi-cvs@w3.org
CC: ian@hixie.ch, mike@w3.org, public-webapps@w3.org
Section 7.1 on DNS spoofing attacks states: "Pages using TLS can be sure that
only pages using TLS that have certificates identifying them as being from the
same domain can access their storage areas."
We could add "This protects against DNS spoofing attacks which do not involve
the user. However, if the user is involved in the attack this protection can be
circumvented by the user installing root certificates for fake certification
authorities and then creating site certificates to be used in conjunction with
DNS spoofing. Therefore a web page author cannot be sure that the information
stored in web storage has not been viewed or modified by or on behalf of the
user."
i.e., page authors should be aware that, even with TLS, information inside web
storage can be viewed and modified by or on behalf of the user.
Received on Wednesday, 9 March 2011 17:40:44 UTC