[Global_industry_committee] Official request from Arshan to GPCommitte

dinis cruz dinis.cruz at owasp.org
Thu Feb 12 06:52:57 EST 2009


FYI, another email on this thread

2009/2/11 dinis cruz <dinis.cruz at owasp.org>

> Thanks
>
> Can you also send us an updated version of that table that shows which
> browsers do each one of these 3 things.
>
> we also should include in there information about how to contact & interact
> with the ISWG and to 'explicitly' ask the browsers for:
>
>  a) what is the current coverage for these 3 issues the browsers have
> (i.e. confirm the table you are going to send us)
>  b) for the versions that don't currently support these, please provide a
> timescale when they are scheduled to be implemented
>
> What about adding a small paragraph saying that these are just the first
> set of recommendations from our community and that our objective is to
> create a working relationship with each of the browser vendors.
>
> Matt, after we cleaned up this letter, we should 1st send it to
> owasp-leaders, then open a 15/20 day public consultation period where we will
> send a RFC to the owasp-all and main webapp & browser mailing lists.
>
> Dinis
>
> 2009/2/11 Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
>
>> Here's why we might not want to send this letter. There have been a lot
>> of security improvements in IE8 and Mozilla was the first to recently adopt
>> HTTPOnly to completion so the whole "browsers never listen to us or do any
>> security" argument is not in line with trending. Think on that before we
>> take this any further.
>>
>> 1) Here is the actual letter:
>>
>> Hello World,
>>
>> The OWASP Foundation is deeply concerned about the risk associated with
>> increasingly useful and powerful browsers. We are seeking to support the
>> browser vendors with research, resources, and ideas.  At our recent Summit
>> in Portugal, OWASP's Internal Security Working Group (ISWG) met to discuss
>> the key security challenges in browsers.  The ISWG is a group of web
>> application security specialists that contribute their time to OWASP to try
>> to make the Internet a safer place.
>>
>> We're hoping to work to identify some practical solutions to some of the
>> security issues that could affect security of both browser users and
>> organizations with web applications.  The following recommendations are some
>> initial ideas we'd like to help get implemented. We selected a few of these
>> ideas as good starting points because they are either relatively simple to
>> implement or they offer a great deal of protection.
>>
>> · The first protection the ISWG is recommending browsers
>> implement is HTTPOnly. The majority of major browsers currently offer some
>> level of protection when applications use the HTTPOnly flag. Unfortunately,
>> because the implementations are not complete, it is still possible under
>> some circumstances to bypass the mechanism. When this flag is turned on,
>> JavaScript should not be able to read or write to the cookie object in the
>> page's DOM. Also, it is possible to read cookie data from XmlHttpRequest
>> response data even with HTTPOnly on. Ideally, no JavaScript could access or
>> modify any cookie data from a cookie with the HTTPOnly flag.
>>
>> · The second protection the ISWG is recommending is the disabling
>> of "autocomplete" features within cross-domain iframes. Browser users
>> utilize this feature so they don't have to remember passwords for multiple
>> sites or save themselves the effort of repeatedly typing in the same
>> credentials. However, the recently publicized "clickjacking" technique has
>> enabled attackers to trick users into clicking "past" a benign looking page
>> and into a site that they trust. If a browser automatically populates a
>> login form for a site the user trusts, an attacker can force the user to
>> click the "login" button and further execute fully authenticated
>> functionality on the attacker's behalf.
>>
>> · The final protection the ISWG is recommending is the
>> implementation of "jail" tags. Jail tags could allow applications to
>> reliably mark pieces of the page where untrusted user input appears without
>> exposing any risk of cross-site scripting. The future of the web is more
>> interconnectivity and more user content, so the need for this type of
>> protection is critical.
>>
>> 2) Arshan, Dinis, Jeff W., all the Aspect and OWASP signatures you can
>> shake a stick at. I bet we could also get a lot of other security firms to
>> sign on too. I guess it is the job of the GPC to try to get signatures from
>> standards bodies and companies that could have financial impact on browser
>> vendors.
>>
>> 3) W3C, large financial organizations, big user-facing sites.
>>
>> 4) IE, Mozilla, Opera, Safari, Chrome teams.
>>
>> *From:* dinis cruz [mailto:dinis.cruz at owasp.org]
>> *Sent:* Wednesday, February 11, 2009 2:04 PM
>> *To:* Matt Tesauro
>> *Cc:* Arshan Dabirsiaghi; Paulo Coimbra
>> *Subject:* Official request from Arshan to GPCommitte
>>
>> Hi Matt
>>
>> As per the thread below (if you can make sense of it :) ), Arshan is
>> going to email you with an official request to the Global Projects Committee
>> which I would like you to handle (i.e. log it, document it, and email the
>> GPC list with the details so that we start dealing with it). As a separate
>> note, we need to create a GPC workflow (documented on the WIKI) for these
>> types of request
>>
>> Over to you Arshan :)
>>
>> Thanks
>>
>> Dinis
>>
>> Dinis Cruz
>> 18:51
>> here is the chat bits
>> 18:51
>>
>> me:  have you asked for it?
>> (board approval?
>> Sent at 6:34 PM on Wednesday
>> me:  ok
>> just sent the email to Ivan
>> I was offline for a couple minutes
>> did you reply to
>>
>> have you asked for it? (board approval?
>> Sent at 6:39 PM on Wednesday
>> Arshan:  i definitely did, a few times, but i don't know if emails were
>> ever involved
>> Sent at 6:43 PM on Wednesday
>> Arshan:  we also asked for a few signatures and got 0
>> me:  See you are doing that the wrong way
>> you need to make official requests
>> so that people take you seriously
>> I think that what you are trying to do fits with the Global Projects
>> Committee scope right?
>> Arshan:  nobody will sign it for 2 reasons
>> 1) its too political
>> nobody has any incentive to actually sign, it can only hurt them
>> me:  dude, you are missing the point, at this state a non-signature (on
>> the record) is as good as a signature
>> but we need to ask them officially
>> so that we have an official 'non signature'
>> and the request can't come from you
>> Arshan:  are we going to list every organization who didn't sign?
>> 2) even if they would they would want to look or influence the contents of
>> the letter and the 3 recommendations
>> me:  it has to come from an official Owasp entity (which at this state
>> probably means either the board or a Committee)
>> Arshan did not receive your chat.
>> Arshan:  2) even if they would they would want to look or influence the
>> contents of the letter and the 3 recommendations
>> Arshan did not receive your chat.
>> me:  hum, this google chat is not working 100%
>> what is your skype alias?
>> Arshan did not receive your chat.
>> Arshan did not receive your chat.
>> Arshan:  i'm not trying to get the BROWSERS to sign the letter
>> Arshan did not receive your chat.
>> Arshan did not receive your chat.
>> Arshan:  i was trying to get standards bodies (w3c) and companies
>> (ebay/paypal)
>> arshan.dabirsiaghi
>> Sent at 6:50 PM on Wednesday
>> Arshan Dabirsiaghi
>> 18:51
>> i was trying to get standards bodies (w3c) and companies
>> (ebay/paypal)
>> 18:51
>>
>> if we write a letter to the browsers
>> Dinis Cruz
>> 18:52
>> I know, we need to get our members, governments & others to sign
>> Arshan Dabirsiaghi
>> 18:52
>> and have a bunch of companies on the bottom with non-signatures
>> Dinis Cruz
>> 18:53
>> we need to think strategically about how we phrase it, but I think we
>> should mention the companies we contacted for support
>> 18:53
>>
>> but we need to have that conversation and figure out what is the best
>> 'official' way to do this
>> 18:54
>>
>> so, moving forward: please send your request to the Global Projects
>> Committee (I will trigger the process) so that we can take it from there
>> Arshan Dabirsiaghi
>> 18:54
>> ok
>> Dinis Cruz
>> 18:54
>> I think the request should come from that group
>> 18:54
>>
>> by request I mean communications,
>> Arshan Dabirsiaghi
>> 18:54
>> yeah
>> Dinis Cruz
>> 18:55
>> by communications I mean:
>>
>>  - letter to people who we want to support the positioning document
>> -  position document to browsers
>> 18:55
>>
>> - email to owasp-leaders (and maybe even owasp-all)
>> 18:55
>>
>> what you need to give the GPT is:
>>
>>  - Position document (that page you already have)
>> 18:57
>>
>> 1) Position document (that page you already have)
>> 2) List of people who are going on the record signing it (you, the other
>> authors and who wants from OWASP to support it (for example I will sign on
>> the dotted line)
>> 3) List of people who you want the GPT to contact for support
>> 4) List of Browsers that you want the GPT to send the Position Document
>> 18:57
>>
>> is that cool?
>> Arshan Dabirsiaghi
>> 18:57
>> what should i email that too
>> 18:57
>>
>> to*
>> Dinis Cruz
>> 18:58
>> me and Matt Tesauro, but let me fire the first email
>> 18:58
>>
>> you're ok with this plan?
>> Arshan Dabirsiaghi
>> 18:58
>> yeah
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/global_industry_committee/attachments/20090212/f0d4545e/attachment.html 
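The first ISWG recommendation in the quoted letter is about HTTPOnly: a cookie carrying that flag should be unreadable from script. The browser-side half is up to the vendors, but the application side can be checked. The following is an added example, not code from the thread or from any OWASP project: it builds a session cookie header that sets HttpOnly and audits a list of Set-Cookie header values for session cookies that omit it; the cookie names and header strings are constructed sample data.

```javascript
// Added example, not part of the original thread or any OWASP project code.
// Server-side counterpart of the first ISWG recommendation: issue the session
// cookie with HttpOnly set, and audit Set-Cookie headers for session cookies
// that a browser would still expose to script because the flag is missing.

// Build a Set-Cookie header value for a session cookie that honours HttpOnly.
function sessionCookieHeader(name, value, path = '/') {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;\s,]/.test(value)) throw new Error('invalid cookie value');
  return `${name}=${value}; Path=${path}; HttpOnly`;
}

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flags without a value map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Report session cookies (matched by name, case-insensitive) that lack HttpOnly.
function auditHttpOnly(setCookieHeaders, sessionNames) {
  const wanted = new Set(sessionNames.map((n) => n.toLowerCase()));
  const findings = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (wanted.has(c.name.toLowerCase()) && !('httponly' in c.attrs)) {
      findings.push(`${c.name}: session cookie without HttpOnly, readable via document.cookie`);
    }
  }
  return findings;
}

// Constructed sample: one hardened cookie, one exposed session cookie, one non-session cookie.
const SAMPLE_HEADERS = [
  sessionCookieHeader('JSESSIONID', 'abc123'),
  'PHPSESSID=def456; Path=/',
  'theme=dark; Path=/; Max-Age=31536000',
];
const SESSION_NAMES = ['JSESSIONID', 'PHPSESSID'];
console.log(auditHttpOnly(SAMPLE_HEADERS, SESSION_NAMES));
```

Run with Node; the audit reports only PHPSESSID, since JSESSIONID was issued with the flag and the theme cookie holds no session state.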

