[Global_industry_committee] [Global_tools_and_project_committee] Official request from Arshan to GPCommitte

dinis cruz dinis.cruz at owasp.org
Thu Feb 12 10:40:41 EST 2009


Yap David, that sounds good. We should be highlighting what they do well.

In fact one of the most powerful statements we can make is to explicitly
list which browser supports what. Since that will put some 'light' pressure
on the ones without those features.

The first objective here is to draw a line in the sand (with a date) and start
an engagement/working relationship with both browsers and their
corporate/governmental users.

Dinis

2009/2/12 David Campbell <dcampbell at owasp.org>

> We haven't discussed this topic as a committee yet but my initial reaction
> is to update the letter praising Redmond and Mozilla for the steps in the
> right direction and chastising the rest for failing to show progress
>
> Thoughts?
>
> DC
>
>
> On Feb 12, 2009, at 4:51, dinis cruz <dinis.cruz at owasp.org> wrote:
>
> Jason, that is a very good point (my objective is to move this forward and
> at the moment it seems to be on nowhere's land)
>
> So, Global Industry Committee guys, as per the thread below, what do you
> think should be our action plan?
>
> Dinis
>
> 2009/2/12 Jason Li <jason.li at owasp.org>
>
>> I'm not trying to be the jurisdiction police - honest. But wasn't the
>> Global Industry Committee set up precisely for this kind of purpose of
>> reaching out to industry to promote best security practices?
>>
>> Nonetheless, I read through the letter and provided feedback to Arshan
>> which he can forward back if appropriate. I'm extremely nit-picky so I
>> didn't want to spam the list with mundane edits :-)
>>
>> --
>> -Jason Li-
>> -jason.li at owasp.org-
>>
>>
>> On Wed, Feb 11, 2009 at 3:36 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>> Btw, my view is not that the "browsers never listen to us or don't do any
>>> security"
>>>
>>> my view is that "they don't do enough and don't have enough business
>>> justification to do more"
>>>
>>> my hope is that our actions will give those browsers that business
>>> justification they need :)
>>>
>>> Dinis
>>>
>>> 2009/2/11 Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
>>>
>>>>  Here's why we might not want to send this letter. There have been a
>>>> lot of security improvements in IE8 and Mozilla was the first to recently
>>>> adopt HTTPOnly to completion so the whole "browsers never listen to us or do
>>>> any security" argument is not in line with trending. Think on that before we
>>>> take this any further.
>>>>
>>>>
>>>>
>>>> 1) Here is the actual letter:
>>>>
>>>>
>>>>
>>>> Hello World,
>>>>
>>>>
>>>>
>>>> The OWASP Foundation is deeply concerned about the risk associated with
>>>> increasingly useful and powerful browsers. We are seeking to support the
>>>> browser vendors with research, resources, and ideas.  At our recent Summit
>>>> in Portugal, OWASP's Internal Security Working Group (ISWG) met to discuss
>>>> the key security challenges in browsers.  The ISWG is a group of web
>>>> application security specialists that contribute their time to OWASP to try
>>>> to make the Internet a safer place.
>>>>
>>>>
>>>>
>>>> We're hoping to work to identify some practical solutions to some of the
>>>> security issues that could affect security of both browser users and
>>>> organizations with web applications.  The following recommendations are some
>>>> initial ideas we'd like to help get implemented. We selected a few of these
>>>> ideas as good starting points because they are either relatively simple to
>>>> implement or they offer a great deal of protection.
>>>>
>>>>
>>>>
>>>> · The first protection the ISWG is recommending browsers
>>>> implement is HTTPOnly. The majority of major browsers currently offer some
>>>> level of protection when applications use the HTTPOnly flag. Unfortunately,
>>>> because the implementations are not complete, it is still possible under
>>>> some circumstances to bypass the mechanism. When this flag is turned on,
>>>> JavaScript should not be able to read or write to the cookie object in the
>>>> page's DOM. Also, it is possible to read cookie data from XmlHttpRequest
>>>> response data even with HTTPOnly on. Ideally, no JavaScript could access or
>>>> modify any cookie data from a cookie with the HTTPOnly flag.
>>>>
>>>>
>>>>
>>>> · The second protection the ISWG is recommending is the
>>>> disabling of "autocomplete" features within cross-domain iframes. Browser
>>>> users utilize this feature so they don't have to remember passwords for
>>>> multiple sites or save themselves the effort of repeatedly typing in the
>>>> same credentials. However, the recently publicized "clickjacking" technique
>>>> has enabled attackers to trick users into clicking "past" a benign looking
>>>> page and into a site that they trust. If a browser automatically populates a
>>>> login form for a site the user trusts, an attacker can force the user to
>>>> click the "login" button and further execute fully authenticated
>>>> functionality on the attacker's behalf.
>>>>
>>>>
>>>>
>>>> · The final protection the ISWG is recommending is the
>>>> implementation of "jail" tags. Jail tags could allow applications to
>>>> reliably mark pieces of the page where untrusted user input appears without
>>>> exposing any risk of cross-site scripting. The future of the web is more
>>>> interconnectivity and more user content, so the need for this type of
>>>> protection is critical.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2) Arshan, Dinis, Jeff W., all the Aspect and OWASP signatures you can
>>>> shake a stick at. I bet we could also get a lot of other security firms to
>>>> sign on too. I guess it is the job of the GPC to try to get signatures from
>>>> standards bodies and companies that could have financial impact on browser
>>>> vendors.
>>>>
>>>>
>>>>
>>>> 3) W3C, large financial organizations, big user-facing sites.
>>>>
>>>>
>>>>
>>>> 4) IE, Mozilla, Opera, Safari, Chrome teams.
>>>>
>>>>
>>>>
>>>> *From:* dinis cruz [mailto:dinis.cruz at owasp.org]
>>>>
>>>> *Sent:* Wednesday, February 11, 2009 2:04 PM
>>>> *To:* Matt Tesauro
>>>> *Cc:* Arshan Dabirsiaghi; Paulo Coimbra
>>>> *Subject:* Official request from Arshan to GPCommitte
>>>>
>>>>
>>>>
>>>> Hi Matt
>>>>
>>>> As per the thread below (if you can make sense of it :)  )  , Arshan is
>>>> going to email you with an official request to the Global Projects Committee
>>>> which I would like you to handle (i.e. log it, document it, and email the
>>>> GPC list with the details so that we start dealing with it). As a separate
>>>> note, we need to create a GPC workflow (documented on the WIKI) for these
>>>> types of request
>>>>
>>>> Over to you Arshan :)
>>>>
>>>> Thanks
>>>>
>>>> Dinis
>>>>
>>>>
>>>>
>>>> Dinis Cruz
>>>> 18:51
>>>> here is the chat bits
>>>> 18:51
>>>>
>>>> me:  have you asked for it?
>>>> (board approval?
>>>> Sent at 6:34 PM on Wednesday
>>>> me:  ok
>>>> just sent the email to Ivan
>>>> I was offline for a couple minutes
>>>> did you reply to
>>>>
>>>> have you asked for it? (board approval?
>>>> Sent at 6:39 PM on Wednesday
>>>> Arshan:  i definitely did, a few times, but i don't know if emails were
>>>> ever involved
>>>> Sent at 6:43 PM on Wednesday
>>>> Arshan:  we also asked for a few signatures and got 0
>>>> me:  See you are doing that the wrong way
>>>> you need to make official requests
>>>> so that people take you seriously
>>>> I think that what you are trying to do fits with the Global Projects
>>>> Committee scope right?
>>>> Arshan:  nobody will sign it for 2 reasons
>>>> 1) its too political
>>>> nobody has any incentive to actually sign, it can only hurt them
>>>> me:  dude, you are missing the point, at this state a non-signature (on
>>>> the record) is as good as a signature
>>>> but we need to ask them officially
>>>> so that we have an official 'non signature'
>>>> and the request can't come from you
>>>> Arshan:  are we going to list every organization who didn't sign?
>>>> 2) even if they would they would want to look or influence the contents
>>>> of the letter and the 3 recommendations
>>>> me:  it has to come from an official Owasp entity (which at this state
>>>> probably means either the board of a Committe)
>>>> Arshan did not receive your chat.
>>>> Arshan:  2) even if they would they would want to look or influence the
>>>> contents of the letter and the 3 recommendations
>>>> Arshan did not receive your chat.
>>>> me:  hum, this google chat is not working 100%
>>>> what is your skype alias?
>>>> Arshan did not receive your chat.
>>>> Arshan did not receive your chat.
>>>> Arshan:  i'm not trying to get the BROWSERS to sign the letter
>>>> Arshan did not receive your chat.
>>>> Arshan did not receive your chat.
>>>> Arshan:  i was trying to get standards bodies (w3c) and companies
>>>> (ebay/paypal)
>>>> arshan.dabirsiaghi
>>>> Sent at 6:50 PM on Wednesday
>>>> Arshan Dabirsiaghi
>>>> 18:51
>>>> i was trying to get standards bodies (w3c) and companies
>>>> (ebay/paypal)
>>>> 18:51
>>>>
>>>> if we write a letter to the browsers
>>>> Dinis Cruz
>>>> 18:52
>>>> I know, we need to get our members, governments & others to sign
>>>> Arshan Dabirsiaghi
>>>> 18:52
>>>> and have a bunch of companies on the bottom with non-signatures
>>>> Dinis Cruz
>>>> 18:53
>>>> we need to think strategically about how we phrase it, but I think we
>>>> should mention the companies we contacted for support
>>>> 18:53
>>>>
>>>> but we need to have that conversation and figure out what is the best
>>>> 'official' way to do this
>>>> 18:54
>>>>
>>>> so, moving forward: please send your request to the Global Projects
>>>> Committee (I will trigger the process) so that we can take it from there
>>>> Arshan Dabirsiaghi
>>>> 18:54
>>>> ok
>>>> Dinis Cruz
>>>> 18:54
>>>> I think the request should come from that group
>>>> 18:54
>>>>
>>>> by request I mean communications,
>>>> Arshan Dabirsiaghi
>>>> 18:54
>>>> yeah
>>>> Dinis Cruz
>>>> 18:55
>>>> by communications I mean:
>>>>
>>>>  - letter to people who we want to support the positioning document
>>>> -  position document to browsers
>>>> 18:55
>>>>
>>>> - email to owasp-leaders (and maybe even owasp-all)
>>>> 18:55
>>>>
>>>> what you need to give the GPT is:
>>>>
>>>>  - Position document (that page you already have)
>>>> 18:57
>>>>
>>>> 1) Position document (that page you already have)
>>>> 2) List of people who are going on the record signing it (you, the other
>>>> authors and who wants from OWASP to support it (for example I will sign on
>>>> the dotted line)
>>>> 3) List of people who you want the GPT to contact for support
>>>> 4) List of Browsers that you want the GPT to send the Position Document
>>>> 18:57
>>>>
>>>> is that cool?
>>>> Arshan Dabirsiaghi
>>>> 18:57
>>>> what should i email that too
>>>> 18:57
>>>>
>>>> to*
>>>> Dinis Cruz
>>>> 18:58
>>>> me and Matt Tesauro, but let me fire the first email
>>>> 18:58
>>>>
>>>> you're ok with this plan?
>>>> Arshan Dabirsiaghi
>>>> 18:58
>>>> yeah
>>>>
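The letter's first recommendation is only effective when applications actually set the flag, so the server-side half is worth auditing. Below is an added example (not from the letter, the thread, or any OWASP project) that parses captured Set-Cookie headers and flags session-looking cookies missing HttpOnly (and Secure); the cookie names and the session-name heuristic are constructed assumptions, and browser-side completeness of the flag, the letter's actual concern, cannot be checked from this side.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example with constructed sample headers; not code from the thread.
"""
from dataclasses import dataclass, field
from typing import List

# Substrings that commonly mark a session identifier (assumed heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split one Set-Cookie value into its name and attribute flags.

    Attribute names are compared case-insensitively, as browsers do,
    so 'HttpOnly' and 'httponly' both count.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name, "httponly" in attrs, "secure" in attrs)


def audit_cookies(set_cookie_headers: List[str]) -> List[CookieAudit]:
    """Flag session-looking cookies that script could read (no HttpOnly)
    or that could travel over plaintext (no Secure)."""
    results = []
    for value in set_cookie_headers:
        audit = parse_set_cookie(value)
        if any(h in audit.name.lower() for h in SESSION_NAME_HINTS):
            if not audit.http_only:
                audit.findings.append("missing HttpOnly: readable by script")
            if not audit.secure:
                audit.findings.append("missing Secure: sent over plaintext")
        results.append(audit)
    return results


# Constructed sample headers, as a scanner would capture them.
SAMPLE_HEADERS = [
    "JSESSIONID=4F2A9C; Path=/; HttpOnly; Secure",
    "PHPSESSID=abc123; Path=/",
    "lang=en; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for audit in audit_cookies(SAMPLE_HEADERS):
        print(f"{audit.name}: {'; '.join(audit.findings) or 'ok'}")
```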