[Global_industry_committee] Official request from Arshan to GPCommitte

dinis cruz dinis.cruz at owasp.org
Thu Feb 12 10:37:48 EST 2009


(since Arshan is not on this list, I'm relaying his email)

See below the link to his 2nd version

2009/2/12 Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>

>  Agree. The 2nd edit of the letter can be found here (thanks Jason!):
>
> https://www.owasp.org/index.php/ISWG_Open_Letters_to_Browsers
>
> ------------------------------
> *From:* dinis cruz [mailto:dinis.cruz at owasp.org]
> *Sent:* Thu 2/12/2009 6:52 AM
> *To:* Arshan Dabirsiaghi; global_industry_committee at lists.owasp.org
> *Cc:* global_tools_and_project_committee at lists.owasp.org
> *Subject:* Re: Official request from Arshan to GPCommitte
>
> FYI, another email on this thread
>
> 2009/2/11 dinis cruz <dinis.cruz at owasp.org>
>
>> Thanks
>>
>> Can you also send us an updated version of that table that shows which
>> browsers do each one of these 3 things.
>>
>> we also should include in there information about how to contact &
>> interact with the ISWG and to 'explicitly' ask the browsers for:
>>
>>  a) what is the current coverage for these 3 issues their browsers have
>> (i.e. confirm the table you are going to send us)
>>  b) for the versions that don't currently support these, please provide a
>> timescale when they are scheduled to be implemented
>>
>> What about adding a small paragraph saying that these are just the first
>> set of recommendations from our community and that our objective is to
>> create a working relationship with each of the browser vendors.
>>
>> Matt, after we have cleaned up this letter, we should 1st send it to
>> owasp-leaders, then open a 15/20 day public consultation period where we will
>> send an RFC to the owasp-all and main webapp & browser mailing lists.
>>
>> Dinis
>>
>> 2009/2/11 Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
>>
>>> Here's why we might not want to send this letter. There have been a lot
>>> of security improvements in IE8 and Mozilla was the first to recently adopt
>>> HTTPOnly to completion so the whole "browsers never listen to us or do any
>>> security" argument is not in line with trending. Think on that before we
>>> take this any further.
>>>
>>>
>>>
>>> 1) Here is the actual letter:
>>>
>>>
>>>
>>> Hello World,
>>>
>>>
>>>
>>> The OWASP Foundation is deeply concerned about the risk associated with
>>> increasingly useful and powerful browsers. We are seeking to support the
>>> browser vendors with research, resources, and ideas.  At our recent Summit
>>> in Portugal, OWASP's Internal Security Working Group (ISWG) met to discuss
>>> the key security challenges in browsers.  The ISWG is a group of web
>>> application security specialists that contribute their time to OWASP to try
>>> to make the Internet a safer place.
>>>
>>>
>>>
>>> We're hoping to work to identify some practical solutions to some of the
>>> security issues that could affect security of both browser users and
>>> organizations with web applications.  The following recommendations are some
>>> initial ideas we'd like to help get implemented. We selected a few of these
>>> ideas as good starting points because they are either relatively simple to
>>> implement or they offer a great deal of protection.
>>>
>>>
>>>
>>> ·         The first protection the ISWG is recommending browsers
>>> implement is HTTPOnly. The majority of major browsers currently offer some
>>> level of protection when applications use the HTTPOnly flag. Unfortunately,
>>> because the implementations are not complete, it is still possible under
>>> some circumstances to bypass the mechanism. When this flag is turned on,
>>> JavaScript should not be able to read or write to the cookie object in the
>>> page's DOM. Also, it is possible to read cookie data from XMLHttpRequest
>>> response data even with HTTPOnly on. Ideally, no JavaScript could access or
>>> modify any cookie data from a cookie with the HTTPOnly flag.
>>>
>>>
>>>
>>> ·         The second protection the ISWG is recommending is the
>>> disabling of "autocomplete" features within cross-domain iframes. Browser
>>> users utilize this feature so they don't have to remember passwords for
>>> multiple sites or save themselves the effort of repeatedly typing in the
>>> same credentials. However, the recently publicized "clickjacking" technique
>>> has enabled attackers to trick users into clicking "past" a benign-looking
>>> page and into a site that they trust. If a browser automatically populates a
>>> login form for a site the user trusts, an attacker can force the user to
>>> click the "login" button and further execute fully authenticated
>>> functionality on the attacker's behalf.
>>>
>>>
>>>
>>> ·         The final protection the ISWG is recommending is the
>>> implementation of "jail" tags. Jail tags could allow applications to
>>> reliably mark pieces of the page where untrusted user input appears without
>>> exposing any risk of cross-site scripting. The future of the web is more
>>> interconnectivity and more user content, so the need for this type of
>>> protection is critical.
>>>
>>>
>>>
>>>
>>>
>>> 2) Arshan, Dinis, Jeff W., all the Aspect and OWASP signatures you can
>>> shake a stick at. I bet we could also get a lot of other security firms to
>>> sign on too. I guess it is the job of the GPC to try to get signatures from
>>> standards bodies and companies that could have financial impact on browser
>>> vendors.
>>>
>>>
>>>
>>> 3) W3C, large financial organizations, big user-facing sites.
>>>
>>>
>>>
>>> 4) IE, Mozilla, Opera, Safari, Chrome teams.
>>>
>>>
>>>
>>> *From:* dinis cruz [mailto:dinis.cruz at owasp.org]
>>> *Sent:* Wednesday, February 11, 2009 2:04 PM
>>> *To:* Matt Tesauro
>>> *Cc:* Arshan Dabirsiaghi; Paulo Coimbra
>>> *Subject:* Official request from Arshan to GPCommitte
>>>
>>>
>>>
>>> Hi Matt
>>>
>>> As per the thread below (if you can make sense of it :) ), Arshan is
>>> going to email you with an official request to the Global Projects Committee
>>> which I would like you to handle (i.e. log it, document it, and email the
>>> GPC list with the details so that we start dealing with it). As a separate
>>> note, we need to create a GPC workflow (documented on the WIKI) for these
>>> types of requests.
>>>
>>> Over to you Arshan :)
>>>
>>> Thanks
>>>
>>> Dinis
>>>
>>>
>>>
>>> Dinis Cruz
>>> 18:51
>>> here is the chat bits
>>> 18:51
>>>
>>> me:  have you asked for it?
>>> (board approval?
>>> Sent at 6:34 PM on Wednesday
>>> me:  ok
>>> just sent the email to Ivan
>>> I was offline for a couple minutes
>>> did you reply to
>>>
>>> have you asked for it? (board approval?
>>> Sent at 6:39 PM on Wednesday
>>> Arshan:  i definitely did, a few times, but i don't know if emails were
>>> ever involved
>>> Sent at 6:43 PM on Wednesday
>>> Arshan:  we also asked for a few signatures and got 0
>>> me:  See you are doing that the wrong way
>>> you need to make official requests
>>> so that people take you seriously
>>> I think that what you are trying to do fits with the Global Projects
>>> Committee scope right?
>>> Arshan:  nobody will sign it for 2 reasons
>>> 1) it's too political
>>> nobody has any incentive to actually sign, it can only hurt them
>>> me:  dude, you are missing the point, at this state a non-signature (on
>>> the record) is as good as a signature
>>> but we need to ask them officially
>>> so that we have an official 'non signature'
>>> and the request can't come from you
>>> Arshan:  are we going to list every organization who didn't sign?
>>> 2) even if they would they would want to look or influence the contents
>>> of the letter and the 3 recommendations
>>> me:  it has to come from an official Owasp entity (which at this state
>>> probably means either the board or a Committee)
>>> Arshan did not receive your chat.
>>> Arshan:  2) even if they would they would want to look or influence the
>>> contents of the letter and the 3 recommendations
>>> Arshan did not receive your chat.
>>> me:  hum, this google chat is not working 100%
>>> what is your skype alias?
>>> Arshan did not receive your chat.
>>> Arshan did not receive your chat.
>>> Arshan:  i'm not trying to get the BROWSERS to sign the letter
>>> Arshan did not receive your chat.
>>> Arshan did not receive your chat.
>>> Arshan:  i was trying to get standards bodies (w3c) and companies
>>> (ebay/paypal)
>>> arshan.dabirsiaghi
>>> Sent at 6:50 PM on Wednesday
>>> Arshan Dabirsiaghi
>>> 18:51
>>> i was trying to get standards bodies (w3c) and companies
>>> (ebay/paypal)
>>> 18:51
>>>
>>> if we write a letter to the browsers
>>> Dinis Cruz
>>> 18:52
>>> I know, we need to get our members, governments & others to sign
>>> Arshan Dabirsiaghi
>>> 18:52
>>> and have a bunch of companies on the bottom with non-signatures
>>> Dinis Cruz
>>> 18:53
>>> we need to think strategically about how we phrase it, but I think we
>>> should mention the companies we contacted for support
>>> 18:53
>>>
>>> but we need to have that conversation and figure out what is the best
>>> 'official' way to do this
>>> 18:54
>>>
>>> so, moving forward: please send your request to the Global Projects
>>> Committee (I will trigger the process) so that we can take it from there
>>> Arshan Dabirsiaghi
>>> 18:54
>>> ok
>>> Dinis Cruz
>>> 18:54
>>> I think the request should come from that group
>>> 18:54
>>>
>>> by request I mean communications,
>>> Arshan Dabirsiaghi
>>> 18:54
>>> yeah
>>> Dinis Cruz
>>> 18:55
>>> by communications I mean:
>>>
>>>  - letter to people who we want to support the positioning document
>>> -  position document to browsers
>>> 18:55
>>>
>>> - email to owasp-leaders (and maybe even owasp-all)
>>> 18:55
>>>
>>> what you need to give the GPT is:
>>>
>>>  - Position document (that page you already have)
>>> 18:57
>>>
>>> 1) Position document (that page you already have)
>>> 2) List of people who are going on the record signing it (you, the other
>>> authors and who wants from OWASP to support it (for example I will sign on
>>> the dotted line)
>>> 3) List of people who you want the GPT to contact for support
>>> 4) List of Browsers that you want the GPT to send the Position Document
>>> 18:57
>>>
>>> is that cool?
>>> Arshan Dabirsiaghi
>>> 18:57
>>> what should i email that too
>>> 18:57
>>>
>>> to*
>>> Dinis Cruz
>>> 18:58
>>> me and Matt Tesauro, but let me fire the first email
>>> 18:58
>>>
>>> you're ok with this plan?
>>> Arshan Dabirsiaghi
>>> 18:58
>>> yeah
>>>
>>
>>
>
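The HTTPOnly recommendation in the quoted letter, worked through as an added example that is not part of this thread or of the ISWG letter: a small Node.js audit that parses Set-Cookie headers, flags session-looking cookies that omit HttpOnly (and, going one step beyond the letter, Secure), and models what page script would see through document.cookie if the browser honoured the flag fully. The function names are hypothetical and the sample headers are constructed for this example.

```javascript
// Added example for this thread, not code from OWASP or the ISWG letter.
// It audits Set-Cookie headers for the HttpOnly flag the letter asks
// browsers to honour fully, and models what page script would see.
// All function names are hypothetical; the sample headers are constructed.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    // Flag attributes (HttpOnly, Secure) carry no value; store true for them.
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Audit a single header. Only cookies whose name suggests a session or
// credential are required to carry HttpOnly (and, beyond the letter, Secure).
function auditSetCookie(header, sessionPattern = /sess|auth|token|sid/i) {
  const cookie = parseSetCookie(header);
  const session = sessionPattern.test(cookie.name);
  const findings = [];
  if (session && !('httponly' in cookie.attributes)) {
    findings.push('missing HttpOnly: page script can read this cookie via document.cookie');
  }
  if (session && !('secure' in cookie.attributes)) {
    findings.push('missing Secure: cookie is also sent over plain HTTP');
  }
  return { name: cookie.name, session, findings };
}

// Audit every Set-Cookie header of a response; return only cookies with findings.
function auditResponseCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => auditSetCookie(h))
    .filter((r) => r.findings.length > 0);
}

// Model the browser behaviour the letter asks for: document.cookie exposes
// only the cookies that were set without HttpOnly.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => parseSetCookie(h))
    .filter((c) => !('httponly' in c.attributes))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample response headers (not taken from any real site).
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/; HttpOnly; Secure',
  'sessionid=xyz789; Path=/',
  'theme=dark; Path=/; Max-Age=31536000',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditResponseCookies(SAMPLE_HEADERS)) {
    console.log(`${r.name}: ${r.findings.join('; ')}`);
  }
  console.log('document.cookie would read:', scriptVisibleCookies(SAMPLE_HEADERS));
}
```

Run with `node` to see the one finding (the `sessionid` cookie) and the cookie string page script would observe; the same audit can be pointed at headers captured from a real application by replacing the constructed sample.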
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/global_industry_committee/attachments/20090212/ecb422bb/attachment.html 