IG/web security model

Web Security model

The W3C Web Security Interest Group has not yet produced any documentation to detail the security model offered by the web. Nevertheless, some good references can be found on the following resources :

• STREWS European project has delivered a document describing the security and threats of the web platform http://www.strews.eu/index.php/results

This deliverable reports on the broad web security assessment of STREWS. As part of this report, we provide a clear and understandable overview of the Web ecosystem, and discuss the vulnerability landscape, as well as of the underlying attacker models. In addition, we provide a catalog of best prac- tices with existing countermeasures and mitigation techniques, to guide European industrial players to improve step-by-step the trustworthiness of their IT infrastructures. The report concludes with interesting challenges for securing the Web platform, opportunities for future research and trends in improving web security.

• Question : does the Browser Security Handbook stay a good reference ? Are there any updated version ?

• The list of W3C specifications dealing with security features are the following ones

- CORS Proposed Recommendation

- CSP 1.0 Candidate Recommendation and CSP 1.1 draft

- User Interface Security Directives for Content Security Policy draft

- XML security set of specifications

- Web Crypto API draft and Web Crypto Key Discovery API draft

- to be completed

Understanding interaction with other technologies

W3C technologies do rely on the internet and interact with web security technologies defined by external standardization bodies. It is of high interest for the W3C Web Security Interest Group to maintain a reasonable knowledge of those technologies, and how they do overlap/interact/bind each other. The following list identifies the technology we should pay attention to :

• FIDO : draft specifications are available since February 2014 here
• HTTP2 and TLS : read HTTP2 co-chair status in january 2014 and access security issues related to HTTP2
• Public Key Pinning extension https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/

An extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time.

• HTTP Authentication framework http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-25
• to be completed

Web Crypto Next Workshop

[1]