[Global_industry_committee] [Global_tools_and_project_committee] Official request from Arshan to GPCommitte

David Campbell dcampbell at owasp.org
Thu Feb 12 10:15:32 EST 2009


We haven't discussed this topic as a committee yet but my initial
reaction is to update the letter praising Redmond and Mozilla for the
steps in the right direction and chastising the rest for failing to
show progress

Thoughts?

DC


On Feb 12, 2009, at 4:51, dinis cruz <dinis.cruz at owasp.org> wrote:

> Jason, that is a very good point (my objective is to move this  
> forward and at the moment it seems to be on nowhere's land)
>
> So, Global Industry Committee guys, as per the thread below, what do  
> you think should be our action plan?
>
> Dinis
>
> 2009/2/12 Jason Li <jason.li at owasp.org>
> I'm not trying to be the jurisdiction police - honest. But wasn't  
> the Global Industry Committee setup precisely for this kind of  
> purpose of reaching out to industry to promote best security  
> practices?
>
> Nonetheless, I read through the letter and provided feedback to  
> Arshan which he can forward back if appropriate. I'm extremely nit- 
> picky so I didn't want to spam the list with mundane edits :-)
>
> --
> -Jason Li-
> -jason.li at owasp.org-
>
>
> On Wed, Feb 11, 2009 at 3:36 PM, dinis cruz <dinis.cruz at owasp.org>  
> wrote:
> Btw, my view is not that the "browsers never listen to us or don't
> do any security"
>
> my view is that "they don't do enough and don't have enough
> business justification to do more"
>
> my hope is that our actions will give those browsers that business  
> justification they need :)
>
> Dinis
>
> 2009/2/11 Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
> Here's why we might not want to send this letter. There have been a  
> lot of security improvements in IE8 and Mozilla was the first to  
> recently adopt HTTPOnly to completion so the whole "browsers never  
> listen to us or do any security" argument is not in line with  
> trending. Think on that before we take this any further.
>
>
>
> 1) Here is the actual letter:
>
>
>
> Hello World,
>
>
>
> The OWASP Foundation is deeply concerned about the risk associated  
> with increasingly useful and powerful browsers. We are seeking to  
> support the browser vendors with research, resources, and ideas.  At  
> our recent Summit in Portugal, OWASP's Internal Security Working  
> Group (ISWG) met to discuss the key security challenges in  
> browsers.  The ISWG is a group of web application security  
> specialists that contribute their time to OWASP to try to make the  
> Internet a safer place.
>
>
>
> We're hoping to work to identify some practical solutions to some of  
> the security issues that could affect security of both browser users  
> and organizations with web applications.  The following  
> recommendations are some initial ideas we'd like to help get  
> implemented. We selected a few of these ideas as good starting  
> points because they are either relatively simple to implement or  
> they offer a great deal of protection.
>
>
>
> · The first protection the ISWG is recommending browsers implement is
> HTTPOnly. The majority of major browsers currently offer some level of
> protection when applications use the HTTPOnly flag. Unfortunately,
> because the implementations are not complete, it is still possible
> under some circumstances to bypass the mechanism. When this flag is
> turned on, JavaScript should not be able to read or write to the
> cookie object in the page's DOM. Also, it is possible to read cookie
> data from XmlHttpRequest response data even with HTTPOnly on. Ideally,
> no JavaScript could access or modify any cookie data from a cookie
> with the HTTPOnly flag.
>
>
>
> · The second protection the ISWG is recommending is the disabling of
> "autocomplete" features within cross-domain iframes. Browser users
> utilize this feature so they don't have to remember passwords for
> multiple sites or save themselves the effort of repeatedly typing in
> the same credentials. However, the recently publicized "clickjacking"
> technique has enabled attackers to trick users into clicking "past" a
> benign looking page and into a site that they trust. If a browser
> automatically populates a login form for a site the user trusts, an
> attacker can force the user to click the "login" button and further
> execute fully authenticated functionality on the attacker's behalf.
>
>
>
> · The final protection the ISWG is recommending is the implementation
> of "jail" tags. Jail tags could allow applications to reliably mark
> pieces of the page where untrusted user input appears without exposing
> any risk of cross-site scripting. The future of the web is more
> interconnectivity and more user content, so the need for this type of
> protection is critical.
>
>
>
>
>
> 2) Arshan, Dinis, Jeff W., all the Aspect and OWASP signatures you  
> can shake a stick at. I bet we could also get a lot of other  
> security firms to sign on too. I guess it is the job of the GPC to  
> try to get signatures from standards bodies and companies that could  
> have financial impact on browser vendors.
>
>
>
> 3) W3C, large financial organizations, big user-facing sites.
>
>
>
> 4) IE, Mozilla, Opera, Safari, Chrome teams.
>
>
>
> From: dinis cruz [mailto:dinis.cruz at owasp.org]
> Sent: Wednesday, February 11, 2009 2:04 PM
> To: Matt Tesauro
> Cc: Arshan Dabirsiaghi; Paulo Coimbra
> Subject: Official request from Arshan to GPCommitte
>
>
>
> Hi Matt
>
> As per the thread below (if you can make sense of it :) ), Arshan
> is going to email you with an official request to the Global
> Projects Committee which I would like you to handle (i.e. log it,
> document it, and email the GPC list with the details so that we
> start dealing with it). As a separate note, we need to create a GPC
> workflow (documented on the WIKI) for these types of requests
>
> Over to you Arshan :)
>
> Thanks
>
> Dinis
>
>
>
> Dinis Cruz
> 18:51
> here is the chat bits
> 18:51
>
> me:  have you asked for it?
> (board approval?
> Sent at 6:34 PM on Wednesday
> me:  ok
> just sent the email to Ivan
> I was offline for a couple minutes
> did you reply to
>
> have you asked for it? (board approval?
> Sent at 6:39 PM on Wednesday
> Arshan:  i definitely did, a few times, but i don't know if emails  
> were ever involved
> Sent at 6:43 PM on Wednesday
> Arshan:  we also asked for a few signatures and got 0
> me:  See you are doing that the wrong way
> you need to make official requests
> so that people take you seriously
> I think that what you are trying to do fits with the Global Projects
> Committee scope right?
> Arshan:  nobody will sign it for 2 reasons
> 1) its too political
> nobody has any incentive to actually sign, it can only hurt them
> me:  dude, you are missing the point, at this state a non-signature  
> (on the record) is as good as a signature
> but we need to ask them officially
> so that we have an official 'non signature'
> and the request can't come from you
> Arshan:  are we going to list every organization who didn't sign?
> 2) even if they would they would want to look or influence the  
> contents of the letter and the 3 recommendations
> me:  it has to come from an official Owasp entity (which at this
> state probably means either the board or a Committee)
> Arshan did not receive your chat.
> Arshan:  2) even if they would they would want to look or influence  
> the contents of the letter and the 3 recommendations
> Arshan did not receive your chat.
> me:  hum, this google chat is not working 100%
> what is your skype alias?
> Arshan did not receive your chat.
> Arshan:  i'm not trying to get the BROWSERS to sign the letter
> Arshan did not receive your chat.
> Arshan:  i was trying to get standards bodies (w3c) and companies
> (ebay/paypal)
> arshan.dabirsiaghi
> Sent at 6:50 PM on Wednesday
> Arshan Dabirsiaghi
> 18:51
> i was trying to get standards bodies (w3c) and companies
> (ebay/paypal)
> 18:51
>
> if we write a letter to the browsers
> Dinis Cruz
> 18:52
> I know, we need to get our members, governments & others to sign
> Arshan Dabirsiaghi
> 18:52
> and have a bunch of companies on the bottom with non-signatures
> Dinis Cruz
> 18:53
> we need to think strategically about how we phrase it, but I think  
> we should mention the companies we contacted for support
> 18:53
>
> but we need to have that conversation and figure out what is the  
> best 'offical' way to do this
> 18:54
>
> so, moving forward: please send your request to the Global Projects  
> Committee (I will trigger the process) so that we can take it from  
> there
> Arshan Dabirsiaghi
> 18:54
> ok
> Dinis Cruz
> 18:54
> I think the request should come from that group
> 18:54
>
> by request I mean communications,
> Arshan Dabirsiaghi
> 18:54
> yeah
> Dinis Cruz
> 18:55
> by communications I mean:
>
>  - letter to people who we want to support the positioning document
> -  position document to browsers
> 18:55
>
> - email to owasp-leaders (and maybe even owasp-all)
> 18:55
>
> what you need to give the GPT is:
>
>  - Position document (that page you already have)
> 18:57
>
> 1) Position document (that page you already have)
> 2) List of people who are going on the record signing it (you, the  
> other authors and who wants from OWASP to support it (for example I  
> will sign on the dotted line)
> 3) List of people who you want the GPT to contact for support
> 4) List of Browsers that you want the GPT to send the Position
> Document
> 18:57
>
> is that cool?
> Arshan Dabirsiaghi
> 18:57
> what should i email that too
> 18:57
>
> to*
> Dinis Cruz
> 18:58
> me and Matt Tesauro, but let me fire the first email
> 18:58
>
> you're ok with this plan?
> Arshan Dabirsiaghi
> 18:58
> yeah
>
>
>
> _______________________________________________
> Global_tools_and_project_committee mailing list
> Global_tools_and_project_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_tools_and_project_committee
>
>
>
> _______________________________________________
> Global_industry_committee mailing list
> Global_industry_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_industry_committee
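The first recommendation in the quoted letter (complete HttpOnly enforcement, including the XmlHttpRequest response-header leak) is concrete enough to show in code. What follows is an added example written for this archive page, not code from the OWASP thread or from any browser vendor: a small Node.js script with a Set-Cookie attribute audit of the kind a web scanner performs, a model of what document.cookie may expose when HttpOnly is honoured completely, and the response-header filtering a browser has to apply before handing headers to script. The filtering rule it encodes is the one the current XMLHttpRequest specification mandates (Set-Cookie and Set-Cookie2 are forbidden response-header names, so getAllResponseHeaders() never returns them); that rule postdates the 2009 letter and is exactly the gap the letter complains about. The response headers are constructed sample data.

```javascript
// Added example, not part of the OWASP mailing-list thread.
// Models the checks that follow from the letter's HttpOnly recommendation.
// SAMPLE_RESPONSE_HEADERS is constructed test data in the shape Node's
// http module hands back raw headers: an array of [name, value] pairs.

const SAMPLE_RESPONSE_HEADERS = [
  ['Content-Type', 'text/html; charset=utf-8'],
  ['Set-Cookie', 'JSESSIONID=abc123; Path=/; HttpOnly; Secure'],
  ['Set-Cookie', 'tracking=xyz; Path=/'],        // neither HttpOnly nor Secure
  ['Set-Cookie', 'prefs=dark; Path=/; Secure'],  // Secure, but script-readable
  ['X-Frame-Options', 'DENY'],
];

// Split one Set-Cookie value into name, value and lower-cased attributes.
// Attribute names are case-insensitive, so "httponly" and "HttpOnly" match.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Scanner-style audit: every Set-Cookie header that lacks HttpOnly (and, as
// a second check, Secure) is reported, with the cookie name and what is missing.
function auditSetCookie(headers) {
  const findings = [];
  for (const [k, v] of headers) {
    if (k.toLowerCase() !== 'set-cookie') continue;
    const { name, attrs } = parseSetCookie(v);
    const missing = [];
    if (!('httponly' in attrs)) missing.push('HttpOnly');
    if (!('secure' in attrs)) missing.push('Secure');
    if (missing.length) findings.push({ cookie: name, missing });
  }
  return findings;
}

// What document.cookie would return under a complete HttpOnly implementation:
// only cookies set without the flag, in the usual "name=value; name=value" form.
function documentCookieView(headers) {
  const visible = [];
  for (const [k, v] of headers) {
    if (k.toLowerCase() !== 'set-cookie') continue;
    const { name, value, attrs } = parseSetCookie(v);
    if (!('httponly' in attrs)) visible.push(`${name}=${value}`);
  }
  return visible.join('; ');
}

// Forbidden response-header names per the XMLHttpRequest specification:
// a browser strips these before getAllResponseHeaders()/getResponseHeader()
// see them, which closes the leak the 2009 letter describes.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

function scriptVisibleHeaders(headers) {
  return headers.filter(([k]) => !FORBIDDEN_RESPONSE_HEADERS.has(k.toLowerCase()));
}

console.log('audit findings:', JSON.stringify(auditSetCookie(SAMPLE_RESPONSE_HEADERS)));
console.log('document.cookie:', documentCookieView(SAMPLE_RESPONSE_HEADERS));
console.log('headers exposed to XHR:', JSON.stringify(scriptVisibleHeaders(SAMPLE_RESPONSE_HEADERS)));
```

Run it with `node` and the audit lists `tracking` (missing HttpOnly and Secure) and `prefs` (missing HttpOnly), document.cookie shows only those two cookies, and the XHR-visible header list contains no Set-Cookie entries at all, regardless of the flag. That last point is the practical lesson: HttpOnly protects the cookie jar, but the response-header leak is only closed by the browser filtering Set-Cookie out of what it hands to script, which is why the letter asked for both halves.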