IRC log of webappsec on 2012-05-03

Timestamps are in UTC.

00:02:49 [bhill2]
bhill2 has joined #webappsec
00:02:55 [bhill2]
rrsagent make minutes
00:03:02 [bhill2]
\
00:32:55 [Zakim]
Zakim has left #webappsec
00:51:05 [dveditz]
dveditz has joined #webappsec
01:43:54 [gopal]
gopal has joined #webappsec
03:27:45 [tanvi]
tanvi has joined #webappsec
03:30:38 [tanvi1]
tanvi1 has joined #webappsec
03:34:56 [tanvi]
tanvi has joined #webappsec
04:53:20 [gopal]
gopal has joined #webappsec
05:25:34 [tanvi]
tanvi has joined #webappsec
05:28:07 [tanvi1]
tanvi1 has joined #webappsec
05:35:01 [tanvi]
tanvi has joined #webappsec
05:51:26 [jrossi1]
jrossi1 has joined #webappsec
06:14:06 [gioma1]
gioma1 has joined #webappsec
15:57:53 [RRSAgent]
RRSAgent has joined #webappsec
15:57:53 [RRSAgent]
logging to http://www.w3.org/2012/05/03-webappsec-irc
15:57:56 [Zakim]
Zakim has joined #webappsec
15:58:08 [bhill2]
zakim, this will be 92795
15:58:08 [Zakim]
I do not see a conference matching that name scheduled within the next hour, bhill2
15:58:14 [ekr]
I'm heading out now, expect me there in about 15.
15:58:31 [bhill2]
zakim, this will be 92794
15:58:32 [Zakim]
I do not see a conference matching that name scheduled within the next hour, bhill2
16:06:03 [Arno_]
Arno_ has joined #webappsec
16:07:50 [anne]
anne has joined #webappsec
16:23:20 [bhill2]
zakim, this is 92794
16:23:20 [Zakim]
ok, bhill2; that matches SEC_WASWG()12:00PM
16:23:25 [bhill2]
bridge is open for anyone who wants to dial-in
16:24:06 [timeless]
timeless has joined #webappsec
16:24:07 [anne]
is today's agenda available?
16:24:54 [bhill2]
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012Apr/0017.html
16:25:01 [timeless]
RRSAgent, draft minutes
16:25:01 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
16:25:08 [bhill2]
we will be starting in five minutes or so
16:25:12 [timeless]
RRSAgent, draft minutes
16:25:12 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
16:25:25 [timeless]
RRSAgent, make logs public
16:25:28 [anne]
thanks bhill2
16:25:28 [timeless]
RRSAgent, draft minutes
16:25:28 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
16:25:39 [timeless]
s|\||
16:25:40 [timeless]
RRSAgent, draft minutes
16:25:40 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
16:25:57 [timeless]
s/I'm heading out now, expect me there in about 15.//
16:26:04 [timeless]
s/rrsagent make minutes//
16:26:07 [timeless]
RRSAgent, draft minutes
16:26:07 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
16:26:24 [timeless]
s/is today's agenda available?//
16:26:26 [timeless]
RRSAgent, draft minutes
16:26:26 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
16:27:20 [timeless]
s/thanks bhill2//
16:27:22 [timeless]
RRSAgent, draft minutes
16:27:22 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
16:28:23 [Zakim]
+??P3
16:29:08 [gioma1]
Zakim, ??P3 is gioma1
16:29:08 [Zakim]
+gioma1; got it
16:29:39 [timeless]
Zakim, who is on the call?
16:29:39 [Zakim]
On the phone I see +1.650.693.aaaa, gioma1
16:29:48 [ekr]
ekr has joined #webappsec
16:30:03 [timeless]
Zakim, aaaa is [Jupiter]
16:30:03 [Zakim]
+[Jupiter]; got it
16:30:10 [timeless]
Zakim, [Jupiter] contains bhill2
16:30:10 [Zakim]
+bhill2; got it
16:30:15 [timeless]
Zakim, [Jupiter] contains dveditz
16:30:15 [Zakim]
+dveditz; got it
16:30:32 [timeless]
Zakim, [Jupiter] contains ekr
16:30:32 [Zakim]
+ekr; got it
16:31:02 [timeless]
Zakim, [Jupiter] contains Arno_
16:31:02 [Zakim]
+Arno_; got it
16:31:14 [timeless]
Zakim, [Jupiter] contains Josh_Soref
16:31:14 [Zakim]
+Josh_Soref; got it
16:32:08 [dveditz]
dveditz has joined #webappsec
16:32:19 [timeless]
Zakim, who is on the call?
16:32:19 [Zakim]
On the phone I see [Jupiter], gioma1
16:32:19 [bhill2]
can those on the phone hear us?
16:32:20 [Zakim]
[Jupiter] has Josh_Soref
16:32:55 [JeffH]
JeffH has joined #webappsec
16:33:12 [timeless]
Zakim, [Jupiter] contains bhill2, dveditz, ekr, Arno_, Josh_Soref
16:33:12 [Zakim]
Josh_Soref was already listed in [Jupiter], timeless
16:33:14 [Zakim]
+bhill2, dveditz, ekr, Arno_; got it
16:33:20 [timeless]
Zakim, who is on the call?
16:33:20 [Zakim]
On the phone I see [Jupiter], gioma1
16:33:21 [Zakim]
[Jupiter] has bhill2, dveditz, ekr, Arno_
16:33:42 [bhill2]
any better on call mic volume?
16:34:16 [timeless]
Zakim, [Jupiter] also has JeffH
16:34:16 [Zakim]
+JeffH; got it
16:34:24 [timeless]
Zakim, who is on the call?
16:34:24 [Zakim]
On the phone I see [Jupiter], gioma1
16:34:26 [Zakim]
[Jupiter] has bhill2, dveditz, ekr, Arno_, Josh_Soref, JeffH
16:34:27 [gioma1]
just static noise and silence for me
16:35:12 [timeless]
Zakim, [Jupiter] also has DanD
16:35:12 [Zakim]
+DanD; got it
16:35:43 [gioma1]
it was me trying to say I heard someone
16:35:44 [DanD]
DanD has joined #webappsec
16:36:14 [timeless]
scribe: Josh_Soref
16:36:17 [timeless]
scribenick: timeless
16:36:29 [bhill2]
we will pass around the wireless mic and we are lucky to have the W3C's best scribe at hand
16:36:39 [bhill2]
we will pass around the wireless mic
16:36:47 [bhill2]
and are lucky to have the top W3C scribe in the room
16:36:59 [timeless]
Zakim, [Jupiter] also has puhley
16:36:59 [Zakim]
+puhley; got it
16:37:28 [timeless]
Chair: BradH
16:37:50 [timeless]
bhill2: Brad Hill, PayPal, Co-Chair
16:38:19 [timeless]
puhley: Peleus Uhley, Adobe
16:38:38 [timeless]
DanD: Dan Druta, AT&T
16:38:49 [timeless]
dveditz: Dan Veditz, Mozilla
16:39:04 [timeless]
ekr: Eric Rescorla, Co-Chair
16:39:09 [JeffH]
can u hear gioma1?
16:39:16 [gioma1]
no I cannot
16:39:34 [timeless]
Arno_: Arnaud Braud, France Telecom, observer
16:39:57 [JeffH]
hear better ?
16:40:08 [timeless]
JeffH: Jeff Hill, PayPal
16:40:18 [timeless]
Josh_Soref: Josh Soref, RIM, observer, scribe
16:40:20 [bhill2]
http://www.w3.org/Security/wiki/Clickjacking_Threats
16:40:24 [JeffH]
it's Jeff Hodges
16:40:33 [timeless]
puhley: for those on the phone, there's a click jacking page
16:40:45 [timeless]
s|http://www.w3.org/Security/wiki/Clickjacking_Threats|-">http://www.w3.org/Security/wiki/Clickjacking_Threats|-> http://www.w3.org/Security/wiki/Clickjacking_Threats Clickjacking Threats|
16:40:49 [timeless]
RRSAgent, draft minutes
16:40:49 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
16:41:22 [timeless]
s/Chair: BradH/Chair: BradH, ekr/
16:41:50 [timeless]
[ puhley describes the Clickjacking Threats page ]
16:41:55 [timeless]
[ Content overlays ]
16:42:13 [timeless]
puhley: overlay attacks
16:42:22 [timeless]
... transparent overlay attacks
16:42:23 [caribou]
s/Jeff Hill/Jeff Hodges/
16:42:37 [timeless]
... there are basically 4 different attacks
16:42:45 [timeless]
... flash player has a screen scraping solution
16:42:54 [timeless]
... it'll write out a dialog to the screen
16:43:05 [timeless]
... and then it will ask the renderer what's actually shown
16:43:13 [timeless]
... to see if it's really showing
16:43:20 [timeless]
... but as we add content separation
16:43:31 [timeless]
... we don't want to allow content to screen scrape
16:43:47 [timeless]
... other solutions include X-Frame-Options
16:43:49 [timeless]
... Frame Busting
16:43:51 [timeless]
... etc.
16:43:57 [timeless]
... another type of attack is Scrolling attack
16:44:05 [timeless]
... in this, the victim content is completely visible
16:44:08 [timeless]
... top layer of content
16:44:19 [timeless]
... but you scroll it offscreen so only the answers are visible
16:44:25 [timeless]
... but you put a fake question to the left
16:44:32 [timeless]
... "Do you like chocolate"
16:44:36 [timeless]
[ Everyone likes chocolate ]
16:44:42 [timeless]
puhley: a downside
16:44:56 [timeless]
... of the solution of putting questions in the center of the page
16:45:06 [timeless]
... is that users think it's coming from the system
16:45:17 [timeless]
... which means that users trust the question more than it should
16:45:25 [timeless]
dveditz: there are two kinds of questions
16:45:39 [timeless]
... the browser can relatively easily ensure its content won't be click-jacked
16:45:56 [timeless]
... but it's harder to protect the correct conveyance of two different web contents
16:46:07 [timeless]
puhley: does the user need to know the origin of content?
16:46:20 [timeless]
... and making sure the question is tied to the piece of content with which it's associated
16:46:25 [timeless]
... a reason that flash renders itself
16:46:29 [timeless]
... instead of a modal dialog
16:46:37 [timeless]
... is if you're on a page with ads on the side
16:46:51 [timeless]
... you don't want a malicious ad on the side to convince the user that it's CNN
16:46:59 [timeless]
... another attack is rapid content replacement
16:47:11 [timeless]
... make a dialog fully visible, but only for a fraction of a second
16:47:21 [timeless]
... convince a user to click rapidly
16:47:29 [timeless]
... then swap in the attack for a short period
16:47:33 [timeless]
... a countermeasure
16:47:42 [timeless]
... is to require a dialog be visible for a set number of seconds
16:47:48 [timeless]
... (Flash Player)
16:47:54 [timeless]
... it creates a problem for users
16:48:02 [timeless]
dveditz: Mozilla has a counter visible
16:48:10 [timeless]
puhley: there are tradeoffs in any solution
16:48:19 [timeless]
... another version is repositioning the trusted window
16:48:23 [timeless]
... you're doing screen scraping
16:48:27 [timeless]
... the window is visible for 3 seconds
16:48:31 [dveditz]
(the impt point was that users complain about that kind of solution)
16:48:32 [timeless]
... but in the right hand corner
16:48:46 [timeless]
... and then you scroll it to the center of the screen
16:48:50 [timeless]
... and then back to the corner
16:49:11 [timeless]
... one thing David brings up in his paper is Phantom mouse cursors
16:49:19 [timeless]
... i'm not sure he sent a link to the demo to the list
16:49:29 [timeless]
... basically you create a floating div tag with a mouse cursor
16:49:40 [timeless]
... which is at a fixed offset from the real mouse cursor
16:49:53 [timeless]
... and the real mouse cursor has an invisible cursor
16:50:02 [timeless]
... and you get the real mouse cursor over the dangerous dialog
16:50:12 [timeless]
... but the fake one is over "Do you like chocolate?"
16:50:16 [timeless]
... Another attack is Drag and drop
16:50:27 [timeless]
... this is more specific to certain victim windows
16:50:50 [timeless]
... one of the top 10 web attacks from last year included a DnD attack
16:50:58 [timeless]
... for people doing frame busting, people play tricks with event handlers
16:51:04 [timeless]
... using 204 event codes
16:51:20 [timeless]
... tell the browser "No Content"
16:51:31 [timeless]
... try to use malicious event handlers
16:51:41 [timeless]
... if the browser creates a super window
16:51:47 [timeless]
... can i create a listener to it
16:51:49 [timeless]
s/it/it?/
16:51:57 [timeless]
... Trusted Dialog extensions
16:52:19 [timeless]
... Say the dialog is bright yellow
16:52:25 [timeless]
... you render yellow on the page around it
16:52:33 [timeless]
... and it looks like your content is part of the trust
16:52:56 [timeless]
... maybe extending the two lines into a longer fraction of a paragraph
16:53:02 [timeless]
... Trusted User interfaces
16:53:10 [timeless]
... any solution needs to be careful about how much trust it conveys
16:53:24 [timeless]
... that something isn't equivalent to the SSL dialog
16:53:38 [timeless]
... Brad posted that there's no distinct level of trust
16:53:54 [timeless]
... for the last one, i recorded a general thing "does the user understand what they're looking at?"
16:54:03 [timeless]
... I list some possible solutions for some of them
16:54:15 [timeless]
... this is designed to be the aggregation of ideas
16:54:25 [timeless]
JeffH: this is the problem space
16:54:31 [timeless]
bhill2: status codes and event handlers
16:54:42 [timeless]
... people are afraid of being able to turn off scripting in iframes
16:54:48 [timeless]
... since it turns off frame-busting
16:55:14 [timeless]
Meeting: WebAppSec F2F
16:56:00 [bhill2]
gioma1: would you like to discuss your submission, either voice or here on irc?
16:56:11 [timeless]
i/for those on/Topic: Clickjacking threats overview/
16:56:13 [bhill2]
I can project the irc channel for the room
16:56:20 [bhill2]
or we can just go over the paper ourselves
16:56:28 [timeless]
i/Brad Hill, Pay Pal/Topic: Introductions/
16:56:37 [timeless]
RRSAgent, draft minutes
16:56:37 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
16:56:54 [gioma1]
I'm unable in voice, I hear very badly. But I'm open to any question about the paper in IRC.
16:57:54 [timeless]
bhill2: There is another attack
16:58:01 [timeless]
... where you can use the rapid click attack
16:58:06 [timeless]
... in the context of two browser windows
16:58:12 [timeless]
... or opening a dialog in the browser context
16:58:41 [timeless]
... trusted-window underneath untrusted-window
16:58:47 [timeless]
... and that allows bypass of X-Frame-Options
16:59:09 [bhill2]
gioma1: we'll review the paper here voice, then, and ask questions on irc
16:59:26 [timeless]
bhill2: probably most of us here are familiar with NoScript
16:59:54 [timeless]
... most prominently it offers the ability to turn off scripts per context
17:00:07 [timeless]
... it's popular among security conscious individuals
17:00:14 [timeless]
... it also has ClearClick
17:00:26 [timeless]
... and it's the most prominent implementation
17:00:32 [timeless]
... Flash Player has something specific
17:00:37 [timeless]
... but ClearClick is more general
17:01:03 [timeless]
... The ClearClick WAS 2012 paper
17:01:12 [timeless]
... proposes an on-by-default mechanism
17:01:26 [gioma1]
http://noscript.net/downloads/ClearClick_WAS2012.pdf
17:01:43 [timeless]
s|http://noscript.net/downloads/ClearClick_WAS2012.pdf|ClearClick WAS 2012 paper|
17:01:58 [timeless]
bhill2: the ClearClick technology is implemented mostly in terms of HTML5 technology
17:02:13 [timeless]
... and requires very few browser hooks
17:02:30 [timeless]
... ClearClick works by registering a listener that captures mouse/keyboard/dnd events
17:02:39 [timeless]
... so it can see them before they're delivered to browser content
17:02:50 [tanvi]
tanvi has joined #webappsec
17:02:52 [timeless]
... done with a mozilla specific event
17:03:00 [timeless]
... the second stage is a Fast-track bypass
17:03:13 [timeless]
... to check if the window is unlocked
17:03:59 [timeless]
... i.e. Trusted
17:04:20 [gopal]
gopal has joined #webappsec
17:04:29 [timeless]
s/Trusted/Trustworthy against itself/
17:04:43 [timeless]
... Parent chain check
17:04:50 [timeless]
... [PlaceHolder]
17:05:01 [timeless]
... Rapid Fire check
17:05:07 [timeless]
... [PlaceHolder2]
17:05:15 [timeless]
... Obstruction check
17:05:22 [tanvi1]
tanvi1 has joined #webappsec
17:05:30 [timeless]
... takes a screenshot of reasonably sized (roughly 300x200px)
17:06:02 [timeless]
... and comparing the content the user clicking
17:06:43 [timeless]
... with the rendering the user sees
17:07:04 [gioma1]
q+
17:07:15 [timeless]
bhill2: there's no policy-channel between the server and the plugin
17:07:39 [timeless]
ekr: the larger the window the less good things get
17:07:43 [timeless]
... if all i'm changing is the price
17:07:52 [timeless]
ack gioma1
17:07:54 [gioma1]
I'd like to clarify
17:08:05 [gioma1]
that the size of the screenshot has an upper bound
17:08:14 [gioma1]
of 320x200 for perf reasons,
17:08:28 [puhley]
puhley has joined #webappsec
17:08:29 [gioma1]
but the lower bound is set by the document's inherent size
17:08:44 [gioma1]
(so very tiny button gadgets like "Like!" work)
17:08:52 [timeless]
ekr: the case i'm thinking of
17:08:55 [timeless]
... Amazon Purchasing
17:09:03 [timeless]
... the thing being obscured is quite large
17:09:08 [timeless]
bhill2: in the case of a PayPal dialog
17:09:17 [timeless]
... you could change just the price or the name of the user
17:09:38 [timeless]
ekr: this style strategy seems to require site interaction
17:09:46 [timeless]
... indicating how much tolerance it has
17:10:03 [gioma1]
btw, the size grows in case of a form to include the whole form
17:10:21 [timeless]
bhill2: that's less of an oversight on the part of ClearClick
17:11:00 [timeless]
Josh_Soref: what tolerance does one get if it's the size of the form
17:11:03 [timeless]
... is it still x%?
17:11:16 [timeless]
... the concern is that if only a few pixels (the $$ number) are changed
17:11:21 [timeless]
... and the form is "very big"
17:11:37 [timeless]
... then %-wise relative to the protected pixel area, the variation may be below the threshold
17:11:43 [timeless]
q+ gioma1
17:12:18 [gioma1]
it used to be no tolerance
17:12:29 [gioma1]
ATM (3 or 4 weeks) it's 18%, configurable.
17:12:48 [timeless]
s/ATM/At-the-moment/
17:12:53 [bhill2]
configurable by you, or by the target content?
17:13:20 [gioma1]
By the tool even at runtime, so currently by me but...
17:13:38 [gioma1]
a policy channel would be a benefit for several site-customizations which
17:13:51 [gioma1]
would increase both accuracy and sensitivity
17:14:59 [timeless]
bhill2: an additional check gioma1 sent on the mailing list, after he sent the paper.
17:15:03 [timeless]
... is for phantom-cursor, is that if the cursor has been changed, it triggers
17:15:06 [timeless]
... ClearClick
17:15:30 [timeless]
... Generally, when the difference is significant, ClearClick presents the user with a comparison dialog
17:15:44 [timeless]
... where the user can choose to proceed or stop
17:15:51 [timeless]
... he's also looking into mozAfterPaint
17:15:59 [timeless]
... in order to address timing based attacks
17:16:04 [timeless]
... I'll read his conclusion:
17:16:39 [timeless]
... [Conclusion]
17:16:56 [timeless]
s/[Conclusion]/[Paper-Section-5]/
17:18:10 [bhill2]
I asked the room who uses ClearClick
17:18:14 [bhill2]
several hands went up
17:18:23 [gioma1]
:)
17:18:35 [bhill2]
people agreed that "used to see false positives a lot, lately it is very very good, don't see them anymore"
17:19:06 [bhill2]
timeless is trying to generate a warning on bugzilla where he had previously seen them
17:19:29 [gioma1]
in fact, it's the effect of the recent tolerance introduction and other tweaks regarding viewport decoration detection.
17:19:50 [timeless]
bhill2: that we haven't seen false positives in a long time
17:19:55 [timeless]
... is fairly encouraging
17:20:07 [timeless]
... and then having a way for a site being able to specify what it wants protected
17:20:16 [timeless]
... we could standardize this
17:21:17 [bhill2]
alternate download: http://lists.w3.org/Archives/Public/public-webappsec/2012May/att-0021/ClearClick_WAS2012.pdf
17:22:19 [bhill2]
we will take a 10 minute break
17:22:26 [timeless]
s/[Paper-Section-5]/The ClearClick module included in the NoScript add-on for the Mozilla Firefox browser is currently the most effective client-side protection against various forms of UI Redressing attacks. It is enabled by default (independently from web author's opt-in), protects plugin content as well as embedded documents and doesn't impose origin restrictions on the nesting hierarchy. Unfor
17:22:26 [timeless]
tunately its main issue is the relative complexity of its implementation, which depends on a few Mozilla specific platform features, even though it's entirely written in JavaScript and mostly relies on portable HTML 5 features./
17:22:37 [bhill2]
back at 32 after the hour
17:22:44 [bhill2]
thanks gioma!
17:22:44 [timeless]
s|tunately its main issue is the relative complexity of its implementation, which depends on a few Mozilla specific platform features, even though it's entirely written in JavaScript and mostly relies on portable HTML 5 features./||
17:22:51 [timeless]
s/Unfor/Unfortunately its main issue is the relative complexity of its implementation, which depends on a few Mozilla specific platform features, even though it's entirely written in JavaScript and mostly relies on portable HTML 5 features./
17:22:55 [timeless]
RRSAgent, draft minutes
17:22:55 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
17:32:11 [timeless]
Topic: Introductions continued
17:32:35 [gopal]
+gopal
17:32:43 [timeless]
s/+gopal//
17:33:02 [timeless]
Zakim, [Jupiter] also has gopal
17:33:02 [Zakim]
+gopal; got it
17:33:19 [timeless]
gopal: Gopal Raghavan, Nokia
17:33:40 [timeless]
Zakim, [Jupiter] also has tanvi1
17:33:40 [Zakim]
+tanvi1; got it
17:33:50 [timeless]
tanvi1: Tanvi Vyas, Mozilla
17:34:08 [tanvi]
changed my nick back to tanvi
17:34:18 [timeless]
s/tnavi1/tanvi/G
17:34:29 [timeless]
Topic: Protected Interactive Elements
17:34:47 [timeless]
bhill2: this is another approach i proposed on the list a couple of months ago
17:34:56 [timeless]
... it's much less comprehensive than ClearClick
17:35:01 [timeless]
... the basic idea is that
17:35:19 [timeless]
... the Web Application could declare -this control is clickjacking protected-
17:35:28 [timeless]
... it could have a countdown, or a slider
17:35:37 [timeless]
... while it's being interacted with, it would have to be topmost
17:35:49 [timeless]
... visible, static(unmoving)
17:36:02 [timeless]
s/static(unmoving)/stationary/
17:36:24 [timeless]
... examples could be a new element type, or add a new attribute
17:36:40 [DanD]
DanD has joined #WebAppsec
17:36:48 [timeless]
... examples of how this might work
17:36:54 [timeless]
Zakim, tanvi1 is tanvi
17:36:54 [Zakim]
sorry, timeless, I do not recognize a party named 'tanvi1'
17:37:48 [timeless]
s/changed my nick back to tanvi//
17:38:22 [timeless]
... the action the user needs to do to confirm the action is Slide
17:38:28 [timeless]
dveditz: that's a problem for a Screen Reader
17:38:45 [timeless]
bhill2: i think a lot of these attacks aren't applicable to screen readers
17:38:59 [timeless]
... luckily/unluckily they aren't a target
17:39:08 [timeless]
... but there would be the ability to degrade gracefully
17:39:19 [timeless]
... it could act as a normal button
17:40:01 [timeless]
... or the AA could support the feature
17:40:13 [timeless]
DanD: what happens if you have two competing protected elements
17:40:25 [JeffH]
JeffH has joined #webappsec
17:40:32 [timeless]
bhill2: they only have to be topmost while your click is being delivered to an element
17:40:41 [JeffH]
what is link to list of this meeting's reg'd attendees ?
17:40:43 [timeless]
... the click is only being delivered to one element at a time
17:40:49 [JeffH]
and is there a link to what Brad is presenting now ?
17:42:49 [JeffH]
thx
17:42:54 [timeless]
s|and is there a link to what Brad is presenting now ?|-> http://www.w3.org/Security/wiki/Anti-Clickjacking_Protected_Interactive_Elements Clickjacking Protected Interactive Elements|
17:42:58 [timeless]
s/thx//
17:43:07 [timeless]
RRSAgent, draft minutes
17:43:07 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
17:43:42 [timeless]
ekr: i'm just starting to think about the underlying theory of the mechanism
17:43:53 [timeless]
... it seems to be force the user to take some time to see it
17:43:57 [timeless]
... and take some time to watch it
17:44:02 [timeless]
bhill2: yes, and have the ability to abort
17:44:16 [timeless]
ekr: i wonder how much drop off you'd get
17:44:22 [timeless]
bhill2: i don't have user studies on this yet
17:44:39 [timeless]
... what would be feasible, and what would UAs be willing to do
17:44:50 [timeless]
... it isn't applicable to everything
17:44:58 [timeless]
dveditz: it doesn't fix DnD
17:45:01 [timeless]
bhill2: right
17:45:11 [timeless]
... but it has low battery/perf overhead
17:45:22 [timeless]
puhley: for an html element
17:45:26 [timeless]
... you set up a div tag
17:45:28 [timeless]
... with content in it
17:46:18 [timeless]
bhill2: you could have a new request
17:46:24 [timeless]
... but if you're on a laggy network
17:46:30 [timeless]
... you don't want to click and wait for a resource
17:46:45 [timeless]
Zakim, [Jupiter] also has paulc
17:46:45 [Zakim]
+paulc; got it
17:46:56 [timeless]
paulc: as your host, i'm noting there are sweets outside
17:47:03 [timeless]
... and once the html group gets there, they'll be gone
17:47:10 [timeless]
Zakim, [Jupiter] no longer has paulc
17:47:10 [Zakim]
-paulc; got it
17:47:21 [timeless]
ekr: are there other legitimate reasons
17:47:26 [timeless]
... for why it would be obscured
17:47:42 [timeless]
... it almost seems like
17:47:51 [timeless]
... if it would have changed when i click the control
17:47:55 [timeless]
... it's probably a bad case
17:48:00 [timeless]
bhill2: the difference is
17:48:05 [timeless]
... you have less complexity
17:48:15 [timeless]
... i was trying to have to do constant monitoring
17:48:21 [timeless]
... constant screen shots
17:48:31 [timeless]
... that's an unacceptable requirement
17:48:36 [timeless]
... on a mobile device
17:48:41 [timeless]
ekr: i put my finger on this slider
17:48:51 [timeless]
... and you do a Reflow
17:48:59 [timeless]
... you redraw that section of the screen
17:49:22 [timeless]
... and we expect the user to figure out what changed
17:49:34 [timeless]
Josh_Soref: that's sort of like what clearclick's compare-dialog does
17:49:47 [timeless]
[ bhill2 scrolls to example 2 ]
17:49:59 [timeless]
q?
17:50:06 [timeless]
q- gioma
17:50:08 [timeless]
q- gioma1
17:50:30 [timeless]
bhill2: here there's a clown store text with a like below
17:50:35 [timeless]
... but clicking the like button
17:50:44 [timeless]
... then can show "Slide to like Acme Inc."
17:50:54 [timeless]
ekr: in this case, there's a reason why we'd want to change the content
17:51:12 [Zakim]
+ +1.858.485.aabb
17:51:19 [timeless]
DanD: you may have a different approach, as a two factor user interaction
17:51:23 [timeless]
Zakim, where is +1858?
17:51:24 [Zakim]
North American dialing code 1.858 is California
17:51:57 [timeless]
... using two actions
17:52:07 [timeless]
bhill2: why couldn't an overlay site train you to do that?
17:52:28 [timeless]
DanD: i'd be happy to have something that surfaces out of an overlay
17:52:56 [timeless]
... the user would hopefully say "i won't trust that page,
17:53:16 [timeless]
... if the trusted element is different"
17:53:25 [timeless]
puhley: if the slider slides instead of the finger
17:53:28 [timeless]
... is that trusting?
17:53:42 [timeless]
bhill2: we had comments from michal zalewski
17:53:51 [timeless]
dveditz: what if who changes it?
17:53:58 [timeless]
... we can only protect mixed origin
17:54:00 [abarth]
abarth has joined #webappsec
17:54:06 [timeless]
... if we only have one origin, and that page moves
17:54:20 [timeless]
dveditz: in current browsers, you can create a dragging attack
17:54:32 [timeless]
bhill2: my requirements forced the control to be stationary
17:54:48 [timeless]
... now, what if the protected element is rendered offscreen?
17:55:01 [timeless]
dveditz: the nice thing is that the browser could have a hint about how to re-render
17:55:23 [timeless]
gopal: are you also considering orientation changes?
17:55:43 [timeless]
bhill2: does it shift while your finger is down?
17:55:45 [timeless]
gopal: no
17:56:03 [timeless]
bhill2: I proposed we could take you to a lightbox experience
17:56:14 [timeless]
dveditz: that's fine with checking out
17:56:21 [timeless]
... but if it's a like button
17:56:24 [timeless]
... or click an ad
17:56:28 [timeless]
... then it's more disruptive
17:56:39 [timeless]
... but those probably aren't using forms
17:56:57 [timeless]
... click fraud on an ad wants to get you there as fast as possible
17:57:23 [timeless]
bhill2: having backchannels with the site communicating what it wants to protect
17:57:28 [timeless]
DanD: did you do user studies?
17:57:32 [timeless]
bhill2: i have not yet
17:57:35 [timeless]
q?
17:57:49 [timeless]
Topic: Server-side approaches to clickjacking detection
17:58:50 [timeless]
dveditz: those slides don't appear to be on the archive
17:58:54 [timeless]
bhill2: let me send that out
17:59:41 [timeless]
[ Drawbacks of X-Frame-Options ]
18:00:13 [timeless]
bhill2: sometimes you don't want to share information to some parties
18:00:25 [timeless]
... Allow-From doesn't help
18:00:36 [timeless]
... the merchant that could generate a clickjack
18:00:45 [timeless]
... is the same that would be generating a sale
18:01:09 [timeless]
RRSAgent, pointer
18:01:09 [RRSAgent]
See http://www.w3.org/2012/05/03-webappsec-irc#T18-01-09
18:01:51 [timeless]
bhill2: the person embedding the +1/like button
18:01:56 [timeless]
... is the person who benefits
18:02:08 [timeless]
dveditz: can you embed a like for someone else?
18:02:19 [timeless]
bhill2: i think you can
18:02:42 [timeless]
http://developers.facebook.com/docs/reference/plugins/like/
18:03:23 [timeless]
s|http://developers.facebook.com/docs/reference/plugins/like/||
18:03:45 [timeless]
bhill2: sometimes iframes are better
18:03:53 [timeless]
... the screenshot approach is sometimes nice
18:04:05 [timeless]
... but sometimes your attention is elsewhere
18:04:12 [timeless]
... there's a problem with false positives
18:04:15 [timeless]
... that can be reduced
18:04:21 [timeless]
... and interactions are hard
18:04:28 [timeless]
... we tolerate ClearClick compare dialogs
18:04:39 [timeless]
... but people outside this room have no idea what it means
18:04:44 [timeless]
... we have low deployment rates
18:05:41 [timeless]
... ClearClick probably has 1‱
18:05:44 [timeless]
... it's very small
18:05:56 [timeless]
dveditz: if ClearClick was split out from NoScript, it could probably have higher deployment
18:06:05 [timeless]
bhill2: Adaptive UI randomization
18:06:11 [timeless]
... click jacking depends on same-origin
18:06:18 [timeless]
... it depends on consistent layout
18:06:25 [timeless]
... if you randomize the UI
18:06:33 [timeless]
... you can impinge on the ability of the attacker
18:06:40 [timeless]
... that was proposed by Bill Curry (PayPal)
18:06:50 [timeless]
... one of the first proposals to the list
18:07:00 [Arno_]
Arno_ has joined #webappsec
18:07:02 [timeless]
... but the attacker can send clicks to multiple locations
18:07:20 [timeless]
dveditz: deployment on NoScript is a bit over 1%, but less than 2%
18:07:25 [timeless]
bhill2: that's quite impressive
18:07:47 [timeless]
... and successful attacks in 1% of cases is still a profitable business
18:08:03 [timeless]
... Refining Randomization
18:08:09 [timeless]
... we can do recording of clicks
18:08:25 [timeless]
... and do analysis to detect fraud
18:08:34 [timeless]
... / clickjacking
18:08:48 [timeless]
... on the backend we create a bucket based on target
18:08:49 [dveditz]
the most popular "user-chosen" add-on has around 10% deployment
18:09:02 [timeless]
... for like, the likee
18:09:05 [timeless]
... for pay, the payee
18:09:18 [timeless]
... look at first click miss rates bucket-by-bucket
18:09:21 [dveditz]
there are some ride-along add-ons that are more popular, that users didn't really select. e.g. the Java Console add-on
18:09:26 [timeless]
... assume some natural rate
18:09:57 [timeless]
... this protects against popunder and close attacks
18:10:06 [timeless]
... we can't distinguish one-off attacks from random noise
18:10:12 [timeless]
... but we can identify campaigns
18:10:23 [timeless]
... if they start doing click jacking
18:10:29 [timeless]
... we'll see the first click rates jump
18:10:35 [dveditz]
don't quote me on the numbers, I'm not one of our metrics guys. Just trying to eyeball the published "users" number on addons.mozilla.org but I don't know if they're measured the same way we measure Firefox users
18:10:39 [timeless]
... Sensitivity of Detection
18:11:09 [timeless]
[ Graphic: Sensitivity of Clickjacking Detection ]
18:13:18 [timeless]
dveditz: this isn't preventing fraud
18:13:26 [timeless]
bhill2: it's detecting after the fact
18:13:44 [timeless]
Josh_Soref: they can do more
18:13:49 [timeless]
... they can reverse the charges/likes
18:13:52 [timeless]
... and penalize the account
18:14:06 [timeless]
ekr: the enclosing page can track the mouse
18:15:28 [timeless]
bhill2: if the user doesn't see this interface
18:15:34 [timeless]
... they're seeing an overlay
18:15:42 [timeless]
... they'll have a 66% miss rate
18:15:46 [timeless]
... if it's only getting clickjacks
18:15:53 [timeless]
... and we can distinguish at the backend
18:16:08 [timeless]
DanD: this is an analytics capability
18:16:27 [timeless]
bhill2: Results
18:16:43 [timeless]
... assuming everything else works
18:17:00 [timeless]
... you can reduce the natural conversion rate to as little as 1% through clickjacking
18:17:07 [timeless]
... with 3 or 4 positions
18:17:13 [timeless]
... Adaptive Responses
18:17:27 [timeless]
... what if i try to put my competitor's store into the dog house?
18:17:40 [timeless]
... If you detect this, you can have a graduated response
18:17:50 [timeless]
... popup with X-Frame-Options
18:17:58 [timeless]
... Add a CAPTCHA or re-verify credentials
18:18:09 [timeless]
dveditz: do you guys check referers?
18:18:19 [timeless]
... i'm curious as to whether a reliable origin header is useful
18:18:37 [timeless]
... if you're trying to attack a rival
18:18:53 [timeless]
bhill2: the button would have to encode the referring frame
18:19:03 [timeless]
dveditz: you may or may not get a referer on that today
18:19:30 [timeless]
Josh_Soref: if there's no referer, the server can require more UI
18:19:40 [timeless]
bhill2: you can't use this for WebMail, or the FlashControlPanel
18:19:43 [timeless]
... or Nascar
18:19:57 [timeless]
... if you can't bucketize your targets
18:20:04 [timeless]
... for webmail/flashcontrolpanel
18:20:15 [timeless]
... it's expensive, you need to be able to do the analytics
18:20:23 [timeless]
JeffH: or already have it existing
18:20:33 [timeless]
bhill2: a lot of the targets already have the capabilities in house
18:20:46 [timeless]
... david hong said the attacker could try to disperse the attack
18:21:03 [timeless]
... some of this involves determining the natural misclick rate independently
18:21:12 [timeless]
... instead of case-by-case calculation
18:21:21 [timeless]
bhill2: the biggest attack is the partial reveal attack
18:21:45 [timeless]
... "Click the Sleepy Frog to Win"
18:21:58 [timeless]
... but ClearClick will find that in a heartbeat
18:22:19 [timeless]
... combining the statistical backend bucketization
18:22:23 [timeless]
... and apply it to clearclick
18:22:36 [timeless]
... the page could say "if you think you're going to have a ClearClick warning"
18:22:45 [timeless]
... "send the report to a feedback URI"
18:23:26 [timeless]
... a policy hint saying "report clickjacking to url" where the url encodes the transaction
18:23:32 [timeless]
... Advantages:
18:23:37 [timeless]
... that makes false positives disappear
18:23:42 [timeless]
... you never stop users from interacting
18:23:48 [timeless]
... they can learn
18:23:53 [timeless]
... no confusing dialogs
18:24:02 [timeless]
... small install base can protect everyone
18:24:26 [timeless]
... penalize the account committing fraud based on highly sensitive information
18:24:31 [timeless]
... Conclusions:
18:24:35 [timeless]
... randomization isn't for everyone
18:24:41 [timeless]
... high cost, only usable in certain UIs
18:24:55 [timeless]
... primary targets are in its "sweet spot"
18:25:03 [timeless]
... Combines well with client-side techniques
18:25:25 [timeless]
... reporting loop + backend fraud analysis approach can remove some weaknesses of heuristic client-side techniques
18:25:54 [timeless]
DanD: it could be chatty
18:26:01 [timeless]
bhill2: it could be pretty simple
18:26:08 [timeless]
... instead of a dialog in ClearClick
18:26:15 [timeless]
... it's a single Ping with a unique identifier
18:26:31 [timeless]
dveditz: a META with a report URI
18:26:38 [timeless]
bhill2: META clickjack-report uri
18:26:47 [timeless]
dveditz: browsers that know do it
18:26:50 [timeless]
... browsers that don't ignore it
18:27:04 [timeless]
bhill2: the report isn't much different from CSP
18:27:09 [Zakim]
- +1.858.485.aabb
18:27:10 [timeless]
... we only ship on violation
18:27:22 [timeless]
... that hasn't been a problem in bandwidth
18:32:00 [timeless]
Topic: What are we protecting
18:32:16 [timeless]
puhley: we're assuming a page that already has CSRF
18:32:49 [timeless]
... for PayPal, you have 1-click buys
18:33:16 [timeless]
... what does paypal need to encode?
18:33:32 [timeless]
bhill2: payee, amount
18:34:36 [timeless]
bhill2: the no-opt-in has the high bar
18:34:41 [timeless]
... the web is complicated
18:34:43 [tanvi1]
tanvi1 has joined #webappsec
18:34:49 [timeless]
... how do we know we aren't breaking a large part of the web
18:34:59 [timeless]
... does gioma1 have telemetry on false positives?
18:35:18 [timeless]
puhley: for the submit button/slider
18:35:26 [dveditz]
I doubt it, people would scream about tracking or somesuch
18:35:30 [timeless]
... the page would have to be designed to fit the slider protection
18:35:36 [tanvi]
tanvi has joined #webappsec
18:35:40 [gioma1]
I've got *voluntary* reports, could try to extract some stats for next meeting.
18:36:20 [dveditz]
the population of people interested in NoScript is almost exactly the sort that would notice and complain about extra connection attempts unrelated to their task at hand
18:37:06 [timeless]
bhill2: gioma1, it would be really cool if we could get the overall rate of warning dialogs
18:37:15 [timeless]
... what percentage of sites generate warning dialogs
18:37:27 [timeless]
... and how many times / year does the average (opt-in) user see a dialog
18:37:38 [gioma1]
bhill, I could extrapolate from people who use the "Report" button
18:37:40 [dveditz]
that kind of non-specific telemetry is generally accepted
18:38:05 [gioma1]
are you suggesting to instrument current ClearClick to send anonymous usage stats?
18:38:49 [timeless]
puhley: for the use case
18:38:51 [timeless]
... who would use it
18:38:57 [timeless]
... we didn't define a User Persona
18:39:03 [JeffH]
gioma1: i think the short answer is "sure"
18:39:06 [timeless]
... we were talking about <input type
18:39:10 [timeless]
... ....
18:39:15 [timeless]
... you have a PayPal page
18:39:19 [timeless]
... and a pay now button
18:39:29 [timeless]
... the assumption is the attacker is using an iframe
18:39:36 [timeless]
... the victim page is by definition iframed
18:39:53 [timeless]
... how does the page define that it's opting into the click-jack protection
18:39:57 [timeless]
... it could just be a header
18:40:07 [timeless]
... but the page has to define which button is click-jack protected
18:40:16 [timeless]
... would <input type="clickjackprotected">
18:40:22 [timeless]
... be sufficient instead of a page header
18:40:36 [timeless]
... there are pay now buttons on very large pages
18:40:40 [timeless]
... with full receipts
18:41:04 [timeless]
... in clickjacking, a fraction of the page has been rendered
18:41:16 [timeless]
dveditz: are we only talking about opt in at this point?
18:41:23 [gioma1]
q+
18:41:24 [timeless]
... the nice thing about ClearClick is that it doesn't require opt in
18:41:34 [timeless]
... only Facebook/PayPal will do it
18:41:38 [whitech]
whitech has joined #webappsec
18:41:43 [timeless]
puhley: we have 3 levels
18:41:48 [timeless]
... optin
18:41:51 [timeless]
... slider
18:41:53 [timeless]
... server side
18:42:13 [timeless]
... 1. clearclick - browser for all pages
18:42:18 [gioma1]
q-
18:42:20 [timeless]
... 2. opt in "this is a sensitive page"
18:42:27 [timeless]
... -- slider
18:42:34 [timeless]
... 3. server side with heuristics
18:42:50 [timeless]
bhill2: 1.5, opt in for all pages, with policy channel to refine it
18:43:05 [timeless]
... not sure if there's a precedent for @w3 level
18:43:13 [timeless]
... a compatibility list like IE8
18:43:30 [timeless]
... deliberately fall back to IE7 mode
18:43:42 [timeless]
... i wonder if we could identify that certain sites always generate warnings
18:43:46 [timeless]
... and opt them out
18:43:52 [Zakim]
+ +1.858.485.aacc
18:43:53 [timeless]
... i'm tossing ideas out
18:44:17 [timeless]
DanD: the challenge is to educate the user community
18:44:20 [timeless]
... on the real
18:44:25 [timeless]
JeffH: that will never happen
18:44:35 [timeless]
DanD: having multiple options with UI implications will have user confusion
18:44:44 [timeless]
puhley: https in the location bar is an indication
18:44:54 [timeless]
... we changed once every 5 years and still confuse users
18:44:59 [timeless]
DanD: the protected element
18:45:04 [timeless]
... is a good way to give to a developer
18:45:09 [timeless]
... but it can be abused
18:45:14 [timeless]
... someone may overuse it
18:45:19 [timeless]
... and not realize they're causing harm
18:45:35 [timeless]
bhill2: that just means genuine sites get to show their own ui
18:45:42 [timeless]
... but it doesn't protect
18:45:52 [timeless]
... fraud sites
18:46:06 [timeless]
... the risk is that the end user will assume the right site is involved
18:46:19 [timeless]
dveditz: most clickjacking is based on size of frame
18:46:26 [timeless]
... could we do something based on frame size?
18:46:34 [timeless]
... if the page is too small
18:46:42 [timeless]
... it might play with protected content
18:46:48 [timeless]
... it could be in CSP
18:47:01 [timeless]
bhill2: something like ClearClick with Hints+Policy+Feedback
18:47:08 [timeless]
... we could get very good for the whole web
18:47:27 [timeless]
... but what do you do when there's the "This is BAD"
18:47:39 [timeless]
... that's fine for PayPal/Facebook
18:47:53 [timeless]
... we could have the dialog for ClearClick
18:48:00 [timeless]
bhill2: i love the technology
18:48:03 [timeless]
... i hate the failure mode
18:48:11 [timeless]
puhley: i could say "deliver+give report"
18:49:09 [bhill2]
Josh_Soref: instead of showing a warning, redirect framed page to a browser-hosted page that can't be attacked, which explains the situation
18:49:37 [bhill2]
Josh_Soref: there is no harm
18:49:47 [bhill2]
bhill2: unless it's a false positive, then the user is really freaked out
18:50:02 [bhill2]
Josh_Soref: browser vendors can use that to improve heuristics
18:50:33 [timeless]
bhill2: if we do ClearClick and opt in
18:50:37 [timeless]
... that's a tiny percentage of the web
18:50:42 [timeless]
... if we opt everyone in by default
18:51:05 [timeless]
... is there a way we can
18:51:20 [timeless]
... Could we have browser manufacturers to investigate false positives?
18:51:26 [timeless]
... or just add a hard block?
18:51:40 [timeless]
puhley: i haven't used ClearClick enough
18:51:56 [timeless]
... majority of pages are simple
18:52:03 [timeless]
... it's just Hulu/Gaming sites
18:52:22 [gioma1]
the default tolerance (in ClearClick terms) for opt-out standalone deployments could be set relatively high
18:52:28 [gioma1]
(like the current 18%, which looks to be doing very well)
18:52:41 [gioma1]
and websites who care could tweak it to be stricter
18:52:43 [timeless]
gopal: does the slider consider touch events?
18:54:06 [bhill2]
timeless: it's a mock-up, browser implementer could choose how to do that
18:54:08 [timeless]
JeffH: how big a problem is clickjacking per se?
18:54:19 [timeless]
... puhley notes that most web pages are "simple"
18:54:31 [timeless]
... how much of an issue this is globally should inform this
18:54:39 [timeless]
bhill2: maybe it's nice to opt in by default
18:54:48 [timeless]
... but maybe the only people who care would be willing to opt in
18:54:56 [timeless]
puhley: there's a small number of sites who are concerned
18:55:01 [timeless]
... but they have a large number of users
18:55:08 [timeless]
JeffH: but that can inform how it's approached
18:55:22 [timeless]
... thinking about the userbase and the entire set of sites
18:55:40 [timeless]
... v. scoping to high value/high expertise sites
18:55:44 [timeless]
... and what's sufficient to hand them
18:55:50 [timeless]
... may be less work for a group such as this
18:56:02 [timeless]
... if this is a tangled mess
18:57:09 [timeless]
bhill2: how conservative do we have to be in terms of not breaking anything else out there?
18:57:12 [timeless]
dveditz: relatively
18:57:16 [timeless]
bhill2: i lean to very
18:57:30 [timeless]
... we could certainly lean to a mechanism that is only opt in
18:57:38 [timeless]
... and maybe we could later apply by default
18:57:58 [timeless]
dveditz: if we had an opt in mechanism, we could get pretty radical
18:58:07 [timeless]
bhill2: you could monitor but not enforce for all pages
18:58:12 [timeless]
... and you could get a ton of data
18:58:13 [dveditz]
(and if it sucks then people won't opt-in)
18:58:25 [timeless]
... and calculate false positive rates
18:58:39 [timeless]
... if you already have to build the technology for some sites
18:58:54 [timeless]
dveditz: gioma1 mentioned he has an 18% tolerance
18:59:05 [timeless]
... he could track what it would be at 5% / 10% / 20% / ...
18:59:14 [timeless]
... and he wouldn't need to collect the sites
18:59:26 [timeless]
... just "of the sites i fired, how many would i have fired at this level"
18:59:34 [gioma1]
how? by randomizing the tolerance?
19:00:16 [JeffH]
can u hear dveditz's verbal response?
19:00:18 [bhill2]
dveditz: assume you compare, get a number and compare to your tolerance
19:00:32 [bhill2]
dveditz: report what the difference rates are as a population
19:00:42 [gioma1]
No I didn't hear. oh, I get it, by recomparing at different rates.
19:00:47 [gioma1]
(maybe in background)
19:01:01 [dveditz]
I assume you compare once and get a "difference number"
19:01:12 [bhill2]
so we could start the technology as opt-in and only apply it to sites that provide policy/hints
19:01:14 [gioma1]
ok
19:01:18 [gioma1]
clear
19:01:21 [dveditz]
which you then say "if (diff < tolerance) warning();"
19:01:30 [dveditz]
but you can save that diff in buckets
19:01:31 [bhill2]
but run it in the background and get really large telemetry numbers on how often it would trigger on the rest of the web
19:01:34 [bhill2]
at different sensitivities
19:01:51 [bhill2]
and use that to later make a decision as to whether to opt-in the entire web, and at what sensitivity
19:02:08 [bhill2]
and perhaps collect, voluntarily, what sites would break and have a compatibility opt-out list baked-in
19:02:27 [gioma1]
bhill2, wait, someone did something similar
19:02:31 [gioma1]
let me find the paper...
19:02:39 [timeless]
s/diff < tolerance/diff > tolerance/
19:02:58 [gioma1]
http://www.iseclab.org/papers/asiaccs122-balduzzi.pdf
19:03:19 [gioma1]
these guys built a scanner based on ClearClick to analyze Clickjacking's prevalence on the web
19:03:36 [gioma1]
(I discovered it last night while refining my references)
19:04:24 [bhill2]
so giorgio, would you be willing to begin working on a w3c draft describing the clearclick technology in a browser-agnostic manner
19:04:33 [JeffH]
good paper to reference, thanks gioma1
19:05:00 [bhill2]
with mechanisms for resource owners to provide hints/policy to the enforcement mechanism, and a way for the mechanism to report back to the resource owner
19:05:19 [gioma1]
bhill2, I'd like it (be soft on deadline, though :) )
19:05:29 [bhill2]
:)
19:05:41 [bhill2]
we can look for a co-editor - that's usually a good idea, anyway
19:06:16 [gioma1]
bhill2, you?
19:06:48 [bhill2]
I'd be willing to do it, but have to consult w/w3c staff on whether that is a conflict with my job as co-chair
19:07:19 [bhill2]
so we are going to break for lunch for the moment
19:07:30 [bhill2]
I think we should summarize this on the list, make a proposal
19:07:53 [bhill2]
and I'd like to propose gioma1 as an initial editor, and find another co-editor
19:08:21 [bhill2]
I think a browser person might be a better choice than myself since they'd know the guts of the implementation details
19:08:33 [bhill2]
but let's solicit on the list. David Huang might also be a better choice than I if he's free.
19:08:44 [bhill2]
thanks very much, Giorgio.
19:08:53 [gioma1]
bhill2, my pleasure
19:09:26 [bhill2]
we're going to be doing test development following lunch, so you can get some sleep if it's that time of day there.
19:09:27 [bhill2]
:)
19:28:43 [bhill2]
rrsagent, make minutes
19:28:43 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html bhill2
19:28:50 [bhill2]
rrsagent, set logs public-visible
19:36:12 [Zakim]
-gioma1
19:38:22 [Arno_]
Arno_ has joined #webappsec
19:38:31 [Zakim]
- +1.858.485.aacc
19:43:18 [timeless]
scribe: bhill2
19:48:30 [odinho]
odinho has joined #webappsec
20:04:20 [tanvi1]
tanvi1 has joined #webappsec
20:07:09 [timeless]
present+ Josh_Soref
20:07:36 [timeless]
Zakim, Josh_Soref has left [Jupiter]
20:07:36 [Zakim]
-Josh_Soref; got it
20:07:52 [anne]
anne has joined #webappsec
20:12:24 [tanvi]
i'm working on the csp tests
20:13:18 [gopal]
https://dvcs.w3.org/hg/webappsec
20:13:30 [puhley]
I am working on converting CGIs to PHP. I started on the bottom of the list and I am working my way back up.
20:14:08 [jrossi]
jrossi has joined #webappsec
20:14:18 [jrossi]
jrossi has left #webappsec
20:16:09 [odinho]
-> https://bitbucket.org/ms2ger/test-runner/src Ms2Ger's testharness.js testrunner
20:17:14 [odinho]
RRSAgent: draft minutes
20:17:14 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html odinho
20:17:35 [odinho]
present+ Odin_Horthe_Omdal
20:18:34 [Arno_]
Arno_ has joined #webappsec
20:18:46 [puhley]
I am working on access-control-sandboxed-iframe-denied.cgi, access-control-sandboxed-iframe-allow.cgi, and access-control-basic-whitelist-response-headers.cgi
20:20:09 [odinho]
i/i'm working on the csp tests/Topic: Testjam session
20:29:16 [gopal]
CORS has similar tests in opera and webkit folder. Our goal is to consolidate the tests and bring one set of tests to cors1.0 folder.
20:29:45 [gopal]
I am working on testRunner, this will help us run all the tests with one click.
20:40:30 [odinho]
I'm working on opera/js/basic.htm. I'm removing it from using resources/cors-headers.php, because I just want all the tests to use cors-makeheader.php instead.
20:40:33 [Zakim]
-[Jupiter]
20:40:35 [Zakim]
SEC_WASWG()12:00PM has ended
20:40:35 [Zakim]
Attendees were +1.650.693.aaaa, gioma1, bhill2, dveditz, ekr, Arno_, Josh_Soref, JeffH, DanD, puhley, gopal, tanvi1, paulc, +1.858.485.aabb, +1.858.485.aacc
20:57:17 [puhley]
Moving on to access-control-sandboxed-iframe-denied-without-wildcard.cgi
20:58:21 [dveditz]
dveditz has joined #webappsec
21:03:38 [odinho]
I can review stuff if anyone wants.
21:35:21 [tanvi]
tanvi has joined #webappsec
21:45:35 [anne]
anne has joined #webappsec
21:59:50 [gopal]
apt-get install hgview if you want some visualization of hg repo
22:04:06 [gopal]
Try out the testRunner
22:04:28 [gopal]
hg pull, you should have webappsec/tests/testRunner
22:04:56 [gopal]
in your vm, add a symlink, ln -s /home/webappsec/tests/testRunner
22:05:20 [gopal]
then http://www.w3c-test.org/testRunner/index.html
22:06:04 [gopal]
I assume you have www.w3c-test.org in your /etc/hosts.
22:07:10 [gopal]
If you add your .html file to MANIFEST, testRunner will pick it up automatically.
22:09:56 [odinho]
If someone wants to help me with converting sync tests to async ones, that'd be A+. Just ask, I'll point you to places to start.
22:12:00 [odinho]
Hmmm. Actually CORS DOES work with Firefox(!), but withCredentials does not. Wat?
22:12:03 [odinho]
Anyone know anything?
22:17:57 [gopal]
For testing we should be using the following hosts and ports:
22:18:11 [gopal]
The following are "live" e.g. for testing:
22:18:11 [gopal]
https://www.w3c-test.org/
22:18:12 [gopal]
http://www.w3c-test.org/
22:18:12 [gopal]
http://www1.w3c-test.org/
22:18:12 [gopal]
http://www2.w3c-test.org/
22:18:13 [gopal]
The following ports are "live" e.g. for testing:
22:18:14 [gopal]
http://www.w3c-test.org:81/
22:18:17 [gopal]
http://www.w3c-test.org:82/
22:18:18 [gopal]
http://www.w3c-test.org:83/
22:18:29 [gopal]
source http://www.w3.org/2008/webapps/wiki/Testing_Requirements
22:19:14 [gopal]
Add these hosts to your /etc/hosts and /etc/apache2/ports.conf
22:32:02 [Zakim]
Zakim has left #webappsec
22:32:04 [tanvi]
hg push is giving me a connection timeout
22:41:08 [ekr]
ekr has joined #webappsec
22:50:42 [ekr]
ekr has left #webappsec
22:52:19 [tanvi]
tanvi has joined #webappsec
23:34:48 [tanvi1]
tanvi1 has joined #webappsec
23:36:02 [tanvi1]
tanvi1 has joined #webappsec
23:37:23 [tanvi]
tanvi has joined #webappsec
23:37:26 [tanvi]
tanvi has joined #webappsec