[Global_industry_committee] New IETF Web Security working group / W3C Web Application Security Working Group

Colin Watson colin.watson at owasp.org
Sat Oct 23 10:14:02 EDT 2010

Please see below a message sent to the OWASP London list, and
forwarded here with permission.

Does anyone know people involved with this already, or any other comments?


---------- Forwarded message ----------
From: Tobias Gondrom <tobias.gondrom at gondrom.org>
Date: 22 October 2010 20:01
Subject: [Owasp-london] We can address some of the Security problems
at the root: New IETF Web Security working group – your ideas?
To: owasp-london at lists.owasp.org

Hi dear fellow OWASP London members,

Many of the security problems we face derive from weaknesses and
inconsistencies in the operation of the browsers and the HTTP
protocol. And as OWASP, we have been pretty good at mitigating these
problems and working around these deficiencies. But many times I felt
like we actually should try to change the underlying root of the
problem rather than having to live and work within it.

The IETF (Internet Engineering Task Force) set up a new working group
WEBSEC (http://datatracker.ietf.org/wg/websec/charter/) to identify
and tackle these underlying issues and develop standards to solve them
wherever possible. It will also work closely with the W3C Web
Application Security Working Group to get the new changes on the road
and implemented.

These two working groups will provide the unique opportunity to
actually change some of the underlying mechanisms and try to solve
some of our biggest security challenges at the root. But to
accomplish that, it is important to understand what the problem is and
what should be done, and what better place than OWASP, with the best
Web Application Security minds, to ask what is good and what should
be changed and corrected, and in which way.

So I would like to invite you to provide input for this and join the
WEBSEC working group (note: the IETF is an open organization like
OWASP and all WGs are open for everybody to join freely).
You can join the group and its mailing-list here:
If you are new to the IETF, there is a small info page Tao of the IETF

So what are your ideas to help mitigate many of the OWASP top ten?
What are the biggest problems?
What should be done?
What HTTP headers, protocol and policies would you suggest we change or correct?
Do we need to standardize new headers and certain browser behavior
across the vendors?
How should browsers behave to be safe, or how should their behavior
change for us to be able to build more secure web applications?

The time frame for this opportunity of change is within the next few
months, so if you have ideas and suggestions please come forward;
we need to work on them now!

Just as an example, the first items that we discuss are Media Type
Sniffing, Web Origin Concept, integrity of the browser and server,
usage of DNSSEC, Strict Transport Security, X-FRAME-OPTIONS, but
there's a lot more to do and we need your input as OWASP experts!

So if you have ideas, please join the WG and/or get in touch with me.
And please forward this to interested chapters and people!

Kind regards, Tobias

Tobias Gondrom
email: tobias.gondrom at gondrom.org
mobile: +447521003005
