This section now appears in the draft Note Available security information section.
(A sub-section of the NoteIndex)
Bill Doyle will be filling out this section according to ACTION-58
This section should also include the data from ContextPresentation.
Security context is available from a number of sources. For this document, the sources of security context have been identified as Protocol/Service, API/Application and User Data (e.g. history, bookmarks and stored identifiers).
Security Context Available
Protocols/Services
Protocols and services used in a web session that operate in a predictable manner according to a defined standard (e.g. NIST, IETF and W3C).
- HTTP
- Header with secured credentials (password hash)
- Encryption of entire packet header and payload (TLS/SSL)
- Response headers
- split headers
- PKIX - X.509 certificates, protocols, services and infrastructure
- Certificate signature (3rd Party Commercial CA, Local Authority and self signed)
- OCSP
- CRL
- CA/Browser Forum Extended Validation Certificates (EV SSL Certificates)
- DNSSEC (Domain Name System Security Extensions)
- Cryptography (Ciphers, Hashes and robustness of Cryptography)
- TLS/SSL
- Confidentiality – Encryption
- Integrity – CRL checks
- Trust - Digital Signature
- Server authentication (verification that the name field in the X.509 certificate matches the server's Internet name)
- Type/Strength of Cryptography
- Symmetric (shared key, e.g. 3DES, AES, RC4, RC6)
- Asymmetric (public key, e.g. RSA, Diffie-Hellman)
- Hash (e.g. MD5, SHA-1, SHA-2)
- Key length used to create ciphertext
- The TLS/SSL Cipher suite that is negotiated between client and server
- TLS/SSL
- Root Authorities
- Commercial “Trusted” 3rd party certificate pre-populated in browser
- 3rd Party root authorities that are configured by user
- Configured/Local root authorities that are not provided by or supported by a 3rd party
- Intranet - Entity and services known/provided to the user (Corporation, enterprise/organizational)
- Internet - External entity that is trusted by user (user extends trust)
Applications / APIs / Browser Services
Browser services, applications, extensions and APIs that support the user or enhance web capabilities. Services in this section may make use of standards-based protocols and services or custom/proprietary services and capabilities.
- Filters URL/IP
- Blacklisted IP addresses
- IP address
- Country of origin for IP address
- Reputation services
- URL/Web Blacklists
- Content / API filters
- Active content and allowed usage
- JavaScript
- ActiveX
- Active content and allowed usage
- HTTP content in an HTTPS page (mixed security modes)
- Page integrity checking
- Has the page completed loading
- Cookies
- Persistent
- Non-persistent
- Encrypted
- Certificate continuity (Browser has encountered the certificate in the past)
- Certificate revocation status
- Features / Functionality provided by ISP
- The target URI for a pending request
- Does the page contain content sourced from distinct servers?
- Does the page come from the intranet or the Internet?
- HTTP content in an HTTPS page
- Referring page
- Redirection path
- Form Validation
User Data
Any data about the web service that is entered/configured/managed by the user.
- URL entered by user
- Configured trust roots
- Configured self-signed certificates
- Browser history, bookmarks, accumulated user agent state
- Past introductions from friends (e.g. in email)
- Information from external devices (e.g. phone call)
- Shared secret knowledge (e.g. a picture, or a password)
- Personalization (e.g. account history, user's full name)
- Shared public knowledge (e.g. mother's maiden name, zip code) (ANTI-PATTERN)
Design Principles UI Mixed Security Modes
(NOTE: Holding Place for this information Action Item 381 - mixed security context)
Security context MUST be separated into trusted and untrusted sources and kept isolated when presented to the user. Developers and the browser development community need to collaborate and further security standards in order to ensure that the user community is presented with consistent and clear information on the capabilities of a given trusted web site.
The following are some of the current issues involved with mixed security context (e.g. HTTPS but clear-text forms):
- If a page is protected by HTTPS, all user data on the page should be sent encrypted with the HTTPS certificate.
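
The mixed-mode case named above (an HTTPS page with clear-text forms or HTTP content) can be checked mechanically. The following is an added example, not part of the original draft: it audits the markup of an HTTPS page for fetched resources and form targets that resolve to `http://`. The names `MixedContextAuditor` and `audit`, the tag subset and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL is fetched into the page (illustrative subset).
FETCHED = {"script": "src", "img": "src", "iframe": "src",
           "embed": "src", "object": "data", "link": "href"}

class MixedContextAuditor(HTMLParser):
    """Record references that leave the HTTPS context of the page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url      # updated if a <base href> is seen
        self.findings = []            # (kind, tag, resolved URL)

    def _check(self, kind, tag, url):
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.page_url, attrs["href"])
        elif tag == "form":
            # A missing or empty action submits to the document's own URL.
            action = attrs.get("action")
            target = urljoin(self.base_url, action) if action else self.page_url
            self._check("cleartext-form", tag, target)
        elif tag in FETCHED and attrs.get(FETCHED[tag]):
            rel = (attrs.get("rel") or "").lower().split()
            if tag != "link" or "stylesheet" in rel:
                self._check("mixed-content", tag,
                            urljoin(self.base_url, attrs[FETCHED[tag]]))

def audit(page_url, html):
    """Return the findings for one HTTPS page and its markup."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("audit() expects the URL of an HTTPS page")
    auditor = MixedContextAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page and URL, not taken from any real site.
SAMPLE_URL = "https://shop.example/account"
SAMPLE = """<link rel="stylesheet" href="/site.css">
<script src="http://cdn.example/lib.js"></script><img src="//img.example/logo.png">
<form action="http://shop.example/login" method="post"><input name="pw" type="password"></form>
<form method="post"><input name="q"></form>"""
```

Scheme-relative and site-relative references inherit the page's HTTPS scheme and are not reported; a `<base href>` pointing at `http://` makes every later relative reference a finding.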