IRC log of webappsec on 2012-05-03
Timestamps are in UTC.
- 00:02:49 [bhill2]
- bhill2 has joined #webappsec
- 00:02:55 [bhill2]
- rrsagent make minutes
- 00:03:02 [bhill2]
- \
- 00:32:55 [Zakim]
- Zakim has left #webappsec
- 00:51:05 [dveditz]
- dveditz has joined #webappsec
- 01:43:54 [gopal]
- gopal has joined #webappsec
- 03:27:45 [tanvi]
- tanvi has joined #webappsec
- 03:30:38 [tanvi1]
- tanvi1 has joined #webappsec
- 03:34:56 [tanvi]
- tanvi has joined #webappsec
- 04:53:20 [gopal]
- gopal has joined #webappsec
- 05:25:34 [tanvi]
- tanvi has joined #webappsec
- 05:28:07 [tanvi1]
- tanvi1 has joined #webappsec
- 05:35:01 [tanvi]
- tanvi has joined #webappsec
- 05:51:26 [jrossi1]
- jrossi1 has joined #webappsec
- 06:14:06 [gioma1]
- gioma1 has joined #webappsec
- 15:57:53 [RRSAgent]
- RRSAgent has joined #webappsec
- 15:57:53 [RRSAgent]
- logging to http://www.w3.org/2012/05/03-webappsec-irc
- 15:57:56 [Zakim]
- Zakim has joined #webappsec
- 15:58:08 [bhill2]
- zakim, this will be 92795
- 15:58:08 [Zakim]
- I do not see a conference matching that name scheduled within the next hour, bhill2
- 15:58:14 [ekr]
- I'm heading out now, expect me there in about 15.
- 15:58:31 [bhill2]
- zakim, this will be 92794
- 15:58:32 [Zakim]
- I do not see a conference matching that name scheduled within the next hour, bhill2
- 16:06:03 [Arno_]
- Arno_ has joined #webappsec
- 16:07:50 [anne]
- anne has joined #webappsec
- 16:23:20 [bhill2]
- zakim, this is 92794
- 16:23:20 [Zakim]
- ok, bhill2; that matches SEC_WASWG()12:00PM
- 16:23:25 [bhill2]
- bridge is open for anyone who wants to dial-in
- 16:24:06 [timeless]
- timeless has joined #webappsec
- 16:24:07 [anne]
- is today's agenda available?
- 16:24:54 [bhill2]
- Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012Apr/0017.html
- 16:25:01 [timeless]
- RRSAgent, draft minutes
- 16:25:01 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
- 16:25:08 [bhill2]
- we will be starting in five minutes or so
- 16:25:12 [timeless]
- RRSAgent, draft minutes
- 16:25:12 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
- 16:25:25 [timeless]
- RRSAgent, make logs public
- 16:25:28 [anne]
- thanks bhill2
- 16:25:28 [timeless]
- RRSAgent, draft minutes
- 16:25:28 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
- 16:25:39 [timeless]
- s|\||
- 16:25:40 [timeless]
- RRSAgent, draft minutes
- 16:25:40 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
- 16:25:57 [timeless]
- s/I'm heading out now, expect me there in about 15.//
- 16:26:04 [timeless]
- s/rrsagent make minutes//
- 16:26:07 [timeless]
- RRSAgent, draft minutes
- 16:26:07 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
- 16:26:24 [timeless]
- s/is today's agenda available?//
- 16:26:26 [timeless]
- RRSAgent, draft minutes
- 16:26:26 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
- 16:27:20 [timeless]
- s/thanks bhill2//
- 16:27:22 [timeless]
- RRSAgent, draft minutes
- 16:27:22 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
- 16:28:23 [Zakim]
- +??P3
- 16:29:08 [gioma1]
- Zakim, ??P3 is gioma1
- 16:29:08 [Zakim]
- +gioma1; got it
- 16:29:39 [timeless]
- Zakim, who is on the call?
- 16:29:39 [Zakim]
- On the phone I see +1.650.693.aaaa, gioma1
- 16:29:48 [ekr]
- ekr has joined #webappsec
- 16:30:03 [timeless]
- Zakim, aaaa is [Jupiter]
- 16:30:03 [Zakim]
- +[Jupiter]; got it
- 16:30:10 [timeless]
- Zakim, [Jupiter] contains bhill2
- 16:30:10 [Zakim]
- +bhill2; got it
- 16:30:15 [timeless]
- Zakim, [Jupiter] contains dveditz
- 16:30:15 [Zakim]
- +dveditz; got it
- 16:30:32 [timeless]
- Zakim, [Jupiter] contains ekr
- 16:30:32 [Zakim]
- +ekr; got it
- 16:31:02 [timeless]
- Zakim, [Jupiter] contains Arno_
- 16:31:02 [Zakim]
- +Arno_; got it
- 16:31:14 [timeless]
- Zakim, [Jupiter] contains Josh_Soref
- 16:31:14 [Zakim]
- +Josh_Soref; got it
- 16:32:08 [dveditz]
- dveditz has joined #webappsec
- 16:32:19 [timeless]
- Zakim, who is on the call?
- 16:32:19 [Zakim]
- On the phone I see [Jupiter], gioma1
- 16:32:19 [bhill2]
- can those on the phone hear us?
- 16:32:20 [Zakim]
- [Jupiter] has Josh_Soref
- 16:32:55 [JeffH]
- JeffH has joined #webappsec
- 16:33:12 [timeless]
- Zakim, [Jupiter] contains bhill2, dveditz, ekr, Arno_, Josh_Soref
- 16:33:12 [Zakim]
- Josh_Soref was already listed in [Jupiter], timeless
- 16:33:14 [Zakim]
- +bhill2, dveditz, ekr, Arno_; got it
- 16:33:20 [timeless]
- Zakim, who is on the call?
- 16:33:20 [Zakim]
- On the phone I see [Jupiter], gioma1
- 16:33:21 [Zakim]
- [Jupiter] has bhill2, dveditz, ekr, Arno_
- 16:33:42 [bhill2]
- any better on call mic volume?
- 16:34:16 [timeless]
- Zakim, [Jupiter] also has JeffH
- 16:34:16 [Zakim]
- +JeffH; got it
- 16:34:24 [timeless]
- Zakim, who is on the call?
- 16:34:24 [Zakim]
- On the phone I see [Jupiter], gioma1
- 16:34:26 [Zakim]
- [Jupiter] has bhill2, dveditz, ekr, Arno_, Josh_Soref, JeffH
- 16:34:27 [gioma1]
- just static noise and silence for me
- 16:35:12 [timeless]
- Zakim, [Jupiter] also has DanD
- 16:35:12 [Zakim]
- +DanD; got it
- 16:35:43 [gioma1]
- it was me trying to say I heard someone
- 16:35:44 [DanD]
- DanD has joined #webappsec
- 16:36:14 [timeless]
- scribe: Josh_Soref
- 16:36:17 [timeless]
- scribenick: timeless
- 16:36:29 [bhill2]
- we will pass around the wireless mic and we are lucky to have the W3C's best scribe at hand
- 16:36:39 [bhill2]
- we will pass around the wireless mic
- 16:36:47 [bhill2]
- and are lucky to have the top W3C scribe in the room
- 16:36:59 [timeless]
- Zakim, [Jupiter] also has puhley
- 16:36:59 [Zakim]
- +puhley; got it
- 16:37:28 [timeless]
- Chair: BradH
- 16:37:50 [timeless]
- bhill2: Brad Hill, Pay Pal, Co-Chair
- 16:38:19 [timeless]
- puhley: Peleus Uhley, Adobe
- 16:38:38 [timeless]
- DanD: Dan Druta, AT&T
- 16:38:49 [timeless]
- dveditz: Dan Veditz, Mozilla
- 16:39:04 [timeless]
- ekr: Eric Rescorla, Co-Chair
- 16:39:09 [JeffH]
- can u hear gioma1?
- 16:39:16 [gioma1]
- no I cannot
- 16:39:34 [timeless]
- Arno_: Arnaud Braud, France Telecom, observer
- 16:39:57 [JeffH]
- hear better ?
- 16:40:08 [timeless]
- JeffH: Jeff Hill, PayPal
- 16:40:18 [timeless]
- Josh_Soref: Josh Soref, RIM, observer, scribe
- 16:40:20 [bhill2]
- http://www.w3.org/Security/wiki/Clickjacking_Threats
- 16:40:24 [JeffH]
- it's Jeff Hodges
- 16:40:33 [timeless]
- puhley: for those on the phone, there's a click jacking page
- 16:40:45 [timeless]
- s|http://www.w3.org/Security/wiki/Clickjacking_Threats|-">http://www.w3.org/Security/wiki/Clickjacking_Threats|-> http://www.w3.org/Security/wiki/Clickjacking_Threats Clickjacking Threats|
- 16:40:49 [timeless]
- RRSAgent, draft minutes
- 16:40:49 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
- 16:41:22 [timeless]
- s/Chair: BradH/Chair: BradH, ekr/
- 16:41:50 [timeless]
- [ puhley describes the Clickjacking Threats page ]
- 16:41:55 [timeless]
- [ Content overlays ]
- 16:42:13 [timeless]
- puhley: overlay attacks
- 16:42:22 [timeless]
- ... transparent overlay attacks
- 16:42:23 [caribou]
- s/Jeff Hill/Jeff Hodges/
- 16:42:37 [timeless]
- ... there are basically 4 different attacks
- 16:42:45 [timeless]
- ... flash player has a screen scraping solution
- 16:42:54 [timeless]
- ... it'll write out a dialog to the screen
- 16:43:05 [timeless]
- ... and then it will ask the renderer what's actually shown
- 16:43:13 [timeless]
- ... to see if it's really showing
- 16:43:20 [timeless]
- ... but as we add content separation
- 16:43:31 [timeless]
- ... we don't want to allow content to screen scrape
- 16:43:47 [timeless]
- ... other solutions include X-Frame-Options
- 16:43:49 [timeless]
- ... Frame Busting
- 16:43:51 [timeless]
- ... etc.
- 16:43:57 [timeless]
- ... another type of attack is Scrolling attack
- 16:44:05 [timeless]
- ... in this, the victim content is completely visible
- 16:44:08 [timeless]
- ... top layer of content
- 16:44:19 [timeless]
- ... but you scroll it offscreen so only the answers are visible
- 16:44:25 [timeless]
- ... but you put a fake question to the left
- 16:44:32 [timeless]
- ... "Do you like chocolate"
- 16:44:36 [timeless]
- [ Everyone likes chocolate ]
- 16:44:42 [timeless]
- puhley: a downside
- 16:44:56 [timeless]
- ... of the solution of putting questions in the center of the page
- 16:45:06 [timeless]
- ... is that users think it's coming from the system
- 16:45:17 [timeless]
- ... which means that users trust the question more than it should
- 16:45:25 [timeless]
- dveditz: there are two kinds of questions
- 16:45:39 [timeless]
- ... the browser can relatively easily ensure its content won't be click-jacked
- 16:45:56 [timeless]
- ... but it's harder to protect the correct conveyance of two different web contents
- 16:46:07 [timeless]
- puhley: does the user need to know the origin of content?
- 16:46:20 [timeless]
- ... and making sure the question is tied to the piece of content with which it's associated
- 16:46:25 [timeless]
- ... a reason that flash renders itself
- 16:46:29 [timeless]
- ... instead of a modal dialog
- 16:46:37 [timeless]
- ... is if you're on a page with ads on the side
- 16:46:51 [timeless]
- ... you don't want a malicious ad on the side to convince the user that it's CNN
- 16:46:59 [timeless]
- ... another attack is rapid content replacement
- 16:47:11 [timeless]
- ... make a dialog fully visible, but only for a fraction of a second
- 16:47:21 [timeless]
- ... convince a user to click rapidly
- 16:47:29 [timeless]
- ... then swap in the attack for a short period
- 16:47:33 [timeless]
- ... a countermeasure
- 16:47:42 [timeless]
- ... is to require a dialog be visible for a set number of seconds
- 16:47:48 [timeless]
- ... (Flash Player)
- 16:47:54 [timeless]
- ... it creates a problem for users
- 16:48:02 [timeless]
- dveditz: Mozilla has a counter visible
- 16:48:10 [timeless]
- puhley: there are tradeoffs in any solution
- 16:48:19 [timeless]
- ... another version is repositioning the trusted window
- 16:48:23 [timeless]
- ... you're doing screen scraping
- 16:48:27 [timeless]
- ... the window is visible for 3 seconds
- 16:48:31 [dveditz]
- (the impt point was that users complain about that kind of solution)
- 16:48:32 [timeless]
- ... but in the right hand corner
- 16:48:46 [timeless]
- ... and then you scroll it to the center of the screen
- 16:48:50 [timeless]
- ... and then back to the corner
- 16:49:11 [timeless]
- ... one thing David brings up in his paper is Phantom mouse cursors
- 16:49:19 [timeless]
- ... i'm not sure he sent a link to the demo to the list
- 16:49:29 [timeless]
- ... basically you create a floating div tag with a mouse cursor
- 16:49:40 [timeless]
- ... which is at a fixed offset from the real mouse cursor
- 16:49:53 [timeless]
- ... and the real mouse cursor has an invisible cursor
- 16:50:02 [timeless]
- ... and you get the real mouse cursor over the dangerous dialog
- 16:50:12 [timeless]
- ... but the fake one is over "Do you like chocolate?"
- 16:50:16 [timeless]
- ... Another attack is Drag and drop
- 16:50:27 [timeless]
- ... this is more specific to certain victim windows
- 16:50:50 [timeless]
- ... one of the top 10 web attacks from last year included a DnD attack
- 16:50:58 [timeless]
- ... for people doing frame busting, people play tricks with event handlers
- 16:51:04 [timeless]
- ... using 204 event codes
- 16:51:20 [timeless]
- ... tell the browser "No Content"
- 16:51:31 [timeless]
- ... try to use malicious event handlers
- 16:51:41 [timeless]
- ... if the browser creates a super window
- 16:51:47 [timeless]
- ... can i create a listener to it
- 16:51:49 [timeless]
- s/it/it?/
- 16:51:57 [timeless]
- ... Trusted Dialog extensions
- 16:52:19 [timeless]
- ... Say the dialog is bright yellow
- 16:52:25 [timeless]
- ... you render yellow on the page around it
- 16:52:33 [timeless]
- ... and it looks like your content is part of the trust
- 16:52:56 [timeless]
- ... maybe extending the two lines into a longer fraction of a paragraph
- 16:53:02 [timeless]
- ... Trusted User interfaces
- 16:53:10 [timeless]
- ... any solution needs to be careful about how much trust it conveys
- 16:53:24 [timeless]
- ... that something isn't equivalent to the SSL dialog
- 16:53:38 [timeless]
- ... Brad posted that there's no distinct level of trust
- 16:53:54 [timeless]
- ... for the last one, i recorded a general thing "does the user understand what they're looking at?"
- 16:54:03 [timeless]
- ... I list some possible solutions for some of them
- 16:54:15 [timeless]
- ... this is designed to be the aggregation of ideas
- 16:54:25 [timeless]
- JeffH: this is the problem space
- 16:54:31 [timeless]
- bhill2: status codes and event handlers
- 16:54:42 [timeless]
- ... people are afraid of being able to turn off scripting in iframes
- 16:54:48 [timeless]
- ... since it turns off frame-busting
- 16:55:14 [timeless]
- Meeting: WebAppSec F2F
- 16:56:00 [bhill2]
- gioma1: would you like to discuss your submission, either voice or here on irc?
- 16:56:11 [timeless]
- i/for those on/Topic: Clickjacking threats overview/
- 16:56:13 [bhill2]
- I can project the irc channel for the room
- 16:56:20 [bhill2]
- or we can just go over the paper ourselves
- 16:56:28 [timeless]
- i/Brad Hill, Pay Pal/Topic: Introductions/
- 16:56:37 [timeless]
- RRSAgent, draft minutes
- 16:56:37 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
- 16:56:54 [gioma1]
- I'm unable in voice, I hear very badly. But I'm open to any question about the paper in IRC.
- 16:57:54 [timeless]
- bhill2: There is another attack
- 16:58:01 [timeless]
- ... where you can use the rapid click attack
- 16:58:06 [timeless]
- ... in the context of two browser windows
- 16:58:12 [timeless]
- ... or opening a dialog in the browser context
- 16:58:41 [timeless]
- ... trusted-window underneath untrusted-window
- 16:58:47 [timeless]
- ... and that allows bypass of X-Frame-Options
- 16:59:09 [bhill2]
- gioma1: we'll review the paper here voice, then, and ask questions on irc
- 16:59:26 [timeless]
- bhill2: probably most of us here are familiar with NoScript
- 16:59:54 [timeless]
- ... most prominently it offers the ability to turn off scripts per context
- 17:00:07 [timeless]
- ... it's popular among security conscious individuals
- 17:00:14 [timeless]
- ... it also has ClearClick
- 17:00:26 [timeless]
- ... and it's the most prominent implementation
- 17:00:32 [timeless]
- ... Flash Player has something specific
- 17:00:37 [timeless]
- ... but ClearClick is more general
- 17:01:03 [timeless]
- ... The ClearClick WAS 2012 paper
- 17:01:12 [timeless]
- ... proposes an on-by-default mechanism
- 17:01:26 [gioma1]
- http://noscript.net/downloads/ClearClick_WAS2012.pdf
- 17:01:43 [timeless]
- s|http://noscript.net/downloads/ClearClick_WAS2012.pdf|ClearClick WAS 2012 paper|
- 17:01:58 [timeless]
- bhill2: the ClearClick technology is implemented mostly in terms of HTML5 technology
- 17:02:13 [timeless]
- ... and requires very few browser hooks
- 17:02:30 [timeless]
- ... ClearClick works by registering a listener that captures mouse/keyboard/dnd events
- 17:02:39 [timeless]
- ... so it can see them before they're delivered to browser content
- 17:02:50 [tanvi]
- tanvi has joined #webappsec
- 17:02:52 [timeless]
- ... done with a mozilla specific event
- 17:03:00 [timeless]
- ... the second stage is a Fast-track bypass
- 17:03:13 [timeless]
- ... to check if the window is unlocked
- 17:03:59 [timeless]
- ... i.e. Trusted
- 17:04:20 [gopal]
- gopal has joined #webappsec
- 17:04:29 [timeless]
- s/Trusted/Trustworthy against itself/
- 17:04:43 [timeless]
- ... Parent chain check
- 17:04:50 [timeless]
- ... [PlaceHolder]
- 17:05:01 [timeless]
- ... Rapid Fire check
- 17:05:07 [timeless]
- .. [PlaceHolder2]
- 17:05:15 [timeless]
- ... Obstruction check
- 17:05:22 [tanvi1]
- tanvi1 has joined #webappsec
- 17:05:30 [timeless]
- ... takes a screenshot of reasonably sized (roughly 300x200px)
- 17:06:02 [timeless]
- ... and comparing the content the user clicking
- 17:06:43 [timeless]
- ... with the rendering the user sees
- 17:07:04 [gioma1]
- q+
- 17:07:15 [timeless]
- bhill2: there's no policy-channel between the server and the plugin
- 17:07:39 [timeless]
- ekr: the larger the window the less good things get
- 17:07:43 [timeless]
- ... if all i'm changing is the price
- 17:07:52 [timeless]
- ack gioma1
- 17:07:54 [gioma1]
- I'd like to clarify
- 17:08:05 [gioma1]
- that the size of the screenshot has an upper bound
- 17:08:14 [gioma1]
- of 320x200 for perf reasons,
- 17:08:28 [puhley]
- puhley has joined #webappsec
- 17:08:29 [gioma1]
- but the lower bound is set by the document's inherent size
- 17:08:44 [gioma1]
- (so very tiny button gadgets like "Like!" work)
- 17:08:52 [timeless]
- ekr: the case i'm thinking of
- 17:08:55 [timeless]
- ... Amazon Purchasing
- 17:09:03 [timeless]
- ... the thing being obscured is quite large
- 17:09:08 [timeless]
- bhill2: in the case of a PayPal dialog
- 17:09:17 [timeless]
- ... you could change just the price or the name of the user
- 17:09:38 [timeless]
- ekr: this style strategy seems to require site interaction
- 17:09:46 [timeless]
- ... indicating how much tolerance it has
- 17:10:03 [gioma1]
- btw, the size grows in case of a form to include the whole form
- 17:10:21 [timeless]
- bhill2: that's less of an oversight on the part of ClearClick
- 17:11:00 [timeless]
- Josh_Soref: what tolerance does one get if it's the size of the form
- 17:11:03 [timeless]
- ... is it still x%?
- 17:11:16 [timeless]
- ... the concern is that if only a few pixels (the $$ number) are changed
- 17:11:21 [timeless]
- ... and the form is "very big"
- 17:11:37 [timeless]
- ... then %-wise relative to the protected pixel area, the variation may be below the threshold
- 17:11:43 [timeless]
- q+ gioma1
- 17:12:18 [gioma1]
- it used to be no tolerance
- 17:12:29 [gioma1]
- ATM (3 or 4 weeks) it's 18%, configurable.
- 17:12:48 [timeless]
- s/ATM/At-the-moment/
- 17:12:53 [bhill2]
- configurable by you, or by the target content?
- 17:13:20 [gioma1]
- By the tool even at runtime, so currently by me but...
- 17:13:38 [gioma1]
- a policy channel would be a benefit for several site-customizations which
- 17:13:51 [gioma1]
- would increase both accuracy and sensitivity
- 17:14:59 [timeless]
- bhill2: an additional check gioma1 sent on the mailing list, after he sent the paper.
- 17:15:03 [timeless]
- ... is for phantom-cursor, is that if the cursor has been changed, it triggers
- 17:15:06 [timeless]
- ... ClearClick
- 17:15:30 [timeless]
- ... Generally, when the difference is significant, ClearClick presents the user with a comparison dialog
- 17:15:44 [timeless]
- ... where the user can choose to proceed or stop
- 17:15:51 [timeless]
- ... he's also looking into mozAfterPaint
- 17:15:59 [timeless]
- ... in order to address timing based attacks
- 17:16:04 [timeless]
- ... I'll read his conclusion:
- 17:16:39 [timeless]
- ... [Conclusion]
- 17:16:56 [timeless]
- s/[Conclusion]/[Paper-Section-5]/
- 17:18:10 [bhill2]
- I asked the room who uses ClearClick
- 17:18:14 [bhill2]
- several hands went up
- 17:18:23 [gioma1]
- :)
- 17:18:35 [bhill2]
- people agreed that "used to see false positives a lot, lately it is very very good, don't see them anymore"
- 17:19:06 [bhill2]
- timeless is trying to generate a warning on bugzilla where he had previously seen them
- 17:19:29 [gioma1]
- in facts, it's the effect of the recent tolerance introduction and other tweakings regarding viewport decoration detection.
- 17:19:50 [timeless]
- bhill2: that we haven't seen false positives in a long time
- 17:19:55 [timeless]
- ... is fairly encouraging
- 17:20:07 [timeless]
- ... and then having a way for a site being able to specify what it wants protected
- 17:20:16 [timeless]
- ... we could standardize this
- 17:21:17 [bhill2]
- alternate download: http://lists.w3.org/Archives/Public/public-webappsec/2012May/att-0021/ClearClick_WAS2012.pdf
- 17:22:19 [bhill2]
- we will take a 10 minute break
- 17:22:26 [timeless]
- s/[Paper-Section-5]/The ClearClick module included in the NoScript add-on for the Mozilla Firefox browser is currently the most effective client-side protection against various forms of UI Redressing attacks. It is enabled by default (independently from web author's opt-in), protects plugin content as well as embedded documents and doesn't impose origin restrictions on the nesting hierarchy. Unfor
- 17:22:26 [timeless]
- tunately its main issue is the relative complexity of its implementation, which depends on a few Mozilla specific platform features, even though it's entirely written in JavaScript and mostly relies on portable HTML 5 features./
- 17:22:37 [bhill2]
- back at 32 after the hour
- 17:22:44 [bhill2]
- thanks gioma!
- 17:22:44 [timeless]
- s|tunately its main issue is the relative complexity of its implementation, which depends on a few Mozilla specific platform features, even though it's entirely written in JavaScript and mostly relies on portable HTML 5 features./||
- 17:22:51 [timeless]
- s/Unfor/Unfortunately its main issue is the relative complexity of its implementation, which depends on a few Mozilla specific platform features, even though it's entirely written in JavaScript and mostly relies on portable HTML 5 features./
- 17:22:55 [timeless]
- RRSAgent, draft minutes
- 17:22:55 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
- 17:32:11 [timeless]
- Topic: Introductions continued
- 17:32:35 [gopal]
- +gopal
- 17:32:43 [timeless]
- s/+gopal//
- 17:33:02 [timeless]
- Zakim, [Jupiter] also has gopal
- 17:33:02 [Zakim]
- +gopal; got it
- 17:33:19 [timeless]
- gopal: Gopal Raghavan, Nokia
- 17:33:40 [timeless]
- Zakim, [Jupiter] also has tanvi1
- 17:33:40 [Zakim]
- +tanvi1; got it
- 17:33:50 [timeless]
- tanvi1: Tanvi Vyas, Mozilla
- 17:34:08 [tanvi]
- changed my nick back to tanvi
- 17:34:18 [timeless]
- s/tnavi1/tanvi/G
- 17:34:29 [timeless]
- Topic: Protected Interactive Elements
- 17:34:47 [timeless]
- bhill2: this is another approach i proposed on the list a couple of months ago
- 17:34:56 [timeless]
- ... it's much less comprehensive than ClearClick
- 17:35:01 [timeless]
- ... the basic idea is that
- 17:35:19 [timeless]
- ... the Web Application could declare -this control is clickjacking protected-
- 17:35:28 [timeless]
- ... it could have a countdown, or a slider
- 17:35:37 [timeless]
- ... while it's being interacted with, it would have to be topmost
- 17:35:49 [timeless]
- ... visible, static(unmoving)
- 17:36:02 [timeless]
- s/static(unmoving)/stationary/
- 17:36:24 [timeless]
- ... examples could be a new element type, or add a new attribute
- 17:36:40 [DanD]
- DanD has joined #WebAppsec
- 17:36:48 [timeless]
- ... examples of how this might work
- 17:36:54 [timeless]
- Zakim, tanvi1 is tanvi
- 17:36:54 [Zakim]
- sorry, timeless, I do not recognize a party named 'tanvi1'
- 17:37:48 [timeless]
- s/changed my nick back to tanvi//
- 17:38:22 [timeless]
- ... the action the user needs to do to confirm the action is Slide
- 17:38:28 [timeless]
- dveditz: that's a problem for a Screen Reader
- 17:38:45 [timeless]
- bhill2: i think a lot of these attacks aren't applicable to screen readers
- 17:38:59 [timeless]
- ... luckily/unluckily they aren't a target
- 17:39:08 [timeless]
- ... but there would be the ability to degrade gracefully
- 17:39:19 [timeless]
- ... it could act as a normal button
- 17:40:01 [timeless]
- ... or the AA could support the feature
- 17:40:13 [timeless]
- DanD: what happens if you have two competing protected elements
- 17:40:25 [JeffH]
- JeffH has joined #webappsec
- 17:40:32 [timeless]
- bhill2: they only have to be topmost while your click is being delivered to an element
- 17:40:41 [JeffH]
- what is link to list of this meeting's reg'd attendees ?
- 17:40:43 [timeless]
- ... the click is only being delivered to one element at a time
- 17:40:49 [JeffH]
- and is there a link to what Brad is presenting now ?
- 17:42:49 [JeffH]
- thx
- 17:42:54 [timeless]
- s|and is there a link to what Brad is presenting now ?|-> http://www.w3.org/Security/wiki/Anti-Clickjacking_Protected_Interactive_Elements Clickjacking Protected Interactive Elements|
- 17:42:58 [timeless]
- s/thx//
- 17:43:07 [timeless]
- RRSAgent, draft minutes
- 17:43:07 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html timeless
- 17:43:42 [timeless]
- ekr: i'm just starting to think about the underlying theory of the mechanism
- 17:43:53 [timeless]
- ... it seems to be force the user to take some time to see it
- 17:43:57 [timeless]
- ... and take some time to watch it
- 17:44:02 [timeless]
- bhill2: yes, and have the ability to abort
- 17:44:16 [timeless]
- ekr: i wonder how much drop off you'd get
- 17:44:22 [timeless]
- bhill2: i don't have user studies on this yet
- 17:44:39 [timeless]
- ... what would be feasible, and what would UAs be willing to do
- 17:44:50 [timeless]
- ... it isn't applicable to everything
- 17:44:58 [timeless]
- dveditz: it doesn't fix DnD
- 17:45:01 [timeless]
- bhill2: right
- 17:45:11 [timeless]
- ... but it has low battery/perf overhead
- 17:45:22 [timeless]
- puhley: for an html element
- 17:45:26 [timeless]
- ... you set up a div tag
- 17:45:28 [timeless]
- ... with content in it
- 17:46:18 [timeless]
- bhill2: you could have a new request
- 17:46:24 [timeless]
- ... but if you're on a laggy network
- 17:46:30 [timeless]
- ... you don't want to click and wait for a resource
- 17:46:45 [timeless]
- Zakim, [Jupiter] also has paulc
- 17:46:45 [Zakim]
- +paulc; got it
- 17:46:56 [timeless]
- paulc: as your host, i'm noting there are sweets outside
- 17:47:03 [timeless]
- ... and once the html group gets there, they'll be gone
- 17:47:10 [timeless]
- Zakim, [Jupiter] no longer has paulc
- 17:47:10 [Zakim]
- -paulc; got it
- 17:47:21 [timeless]
- ekr: are there other legitimate reasons
- 17:47:26 [timeless]
- ... for why it would be obscured
- 17:47:42 [timeless]
- ... it almost seems like
- 17:47:51 [timeless]
- ... if it would have changed when i click the control
- 17:47:55 [timeless]
- ... it's probably a bad case
- 17:48:00 [timeless]
- bhill2: the difference is
- 17:48:05 [timeless]
- ... you have less complexity
- 17:48:15 [timeless]
- ... i was trying to have to do constant monitoring
- 17:48:21 [timeless]
- ... constant screen shots
- 17:48:31 [timeless]
- ... that's an unacceptable requirement
- 17:48:36 [timeless]
- ... on a mobile device
- 17:48:41 [timeless]
- ekr: i put my finger on this slider
- 17:48:51 [timeless]
- ... and you do a Reflow
- 17:48:59 [timeless]
- ... you redraw that section of the screen
- 17:49:22 [timeless]
- ... and we expect the user to figure out what changed
- 17:49:34 [timeless]
- Josh_Soref: that's sort of like what clearclick's compare-dialog does
- 17:49:47 [timeless]
- [ bhill2 scrolls to example 2 ]
- 17:49:59 [timeless]
- q?
- 17:50:06 [timeless]
- q- gioma
- 17:50:08 [timeless]
- q- gioma1
- 17:50:30 [timeless]
- bhill2: here there's a clown store text with a like below
- 17:50:35 [timeless]
- ... but clicking the like button
- 17:50:44 [timeless]
- ... then can show "Slide to like Acme Inc."
- 17:50:54 [timeless]
- ekr: in this case, there's a reason why we'd want to change the content
- 17:51:12 [Zakim]
- + +1.858.485.aabb
- 17:51:19 [timeless]
- DanD: you may have a different approach, as a two factor user interaction
- 17:51:23 [timeless]
- Zakim, where is +1858?
- 17:51:24 [Zakim]
- North American dialing code 1.858 is California
- 17:51:57 [timeless]
- ... using two actions
- 17:52:07 [timeless]
- bhill2: why couldn't an overlay site train you to do that?
- 17:52:28 [timeless]
- DanD: i'd be happy to have something that surfaces out of an overlay
- 17:52:56 [timeless]
- ... the user would hopefully say "i won't trust that page,
- 17:53:16 [timeless]
- ... if the trusted element is different"
- 17:53:25 [timeless]
- puhley: if the slider slides instead of the finger
- 17:53:28 [timeless]
- ... is that trusting?
- 17:53:42 [timeless]
- bhill2: we had comments from michal zalewski
- 17:53:51 [timeless]
- dveditz: what if who changes it?
- 17:53:58 [timeless]
- ... we can only protect mixed origin
- 17:54:00 [abarth]
- abarth has joined #webappsec
- 17:54:06 [timeless]
- ... if we only have one origin, and that page moves
- 17:54:20 [timeless]
- dveditz: in current browsers, you can create a dragging attack
- 17:54:32 [timeless]
- bhill2: my requirements forced the control to be stationary
- 17:54:48 [timeless]
- ... now, what if the protected element is rendered offscreen?
- 17:55:01 [timeless]
- dveditz: the nice thing is that the browser could have a hint about how to re-render
- 17:55:23 [timeless]
- gopal: are you also considering orientation changes?
- 17:55:43 [timeless]
- bhill2: does it shift while your finger is down?
- 17:55:45 [timeless]
- gopal: no
- 17:56:03 [timeless]
- bhill2: I proposed we could take you to a lightbox experience
- 17:56:14 [timeless]
- dveditz: that's fine with checking out
- 17:56:21 [timeless]
- ... but if it's a like button
- 17:56:24 [timeless]
- ... or click an ad
- 17:56:28 [timeless]
- ... then it's more disruptive
- 17:56:39 [timeless]
- ... but those probably aren't using forms
- 17:56:57 [timeless]
- ... click fraud on an ad wants to get you there as fast as possible
- 17:57:23 [timeless]
- bhill2: having backchannels with the site communicating what it wants to protect
- 17:57:28 [timeless]
- DanD: did you do user studies?
- 17:57:32 [timeless]
- bhill2: i have not yet
- 17:57:35 [timeless]
- q?
- 17:57:49 [timeless]
- Topic: Server-side approaches to clickjacking detection
- 17:58:50 [timeless]
- dveditz: those slides don't appear to be on the archive
- 17:58:54 [timeless]
- bhill2: let me send that out
- 17:59:41 [timeless]
- [ Drawbacks of X-Frame-Options ]
- 18:00:13 [timeless]
- bhill2: sometimes you don't want to share information to some parties
- 18:00:25 [timeless]
- ... Allow-From doesn't help
- 18:00:36 [timeless]
- ... the merchant that could generate a clickjack
- 18:00:45 [timeless]
- ... is the same that would be generating a sale
- 18:01:09 [timeless]
- RRSAgent, pointer
- 18:01:09 [RRSAgent]
- See http://www.w3.org/2012/05/03-webappsec-irc#T18-01-09
- 18:01:51 [timeless]
- bhill2: the person embedding the +1/like button
- 18:01:56 [timeless]
- ... is the person who benefits
- 18:02:08 [timeless]
- dveditz: can you embed a like for someone else?
- 18:02:19 [timeless]
- bhill2: i think you can
- 18:02:42 [timeless]
- http://developers.facebook.com/docs/reference/plugins/like/
- 18:03:23 [timeless]
- s|http://developers.facebook.com/docs/reference/plugins/like/||
- 18:03:45 [timeless]
- bhill2: sometimes iframes are better
- 18:03:53 [timeless]
- ... the screenshot approach is sometimes nice
- 18:04:05 [timeless]
- ... but sometimes your attention is elsewhere
- 18:04:12 [timeless]
- ... there's a problem with false positives
- 18:04:15 [timeless]
- ... that can be reduced
- 18:04:21 [timeless]
- ... and interactions are hard
- 18:04:28 [timeless]
- ... we tolerate ClearClick compare dialogs
- 18:04:39 [timeless]
- ... but people outside this room have no idea what it means
- 18:04:44 [timeless]
- ... we have low deployment rates
- 18:05:41 [timeless]
- ... ClearClick probably has 1‱
- 18:05:44 [timeless]
- ... it's very small
- 18:05:56 [timeless]
- dveditz: if ClearClick was split out from NoScript, it could probably have higher deployment
- 18:06:05 [timeless]
- bhill2: Adaptive UI randomization
- 18:06:11 [timeless]
- ... click jacking depends on same-origin
- 18:06:18 [timeless]
- ... it depends on consistent layout
- 18:06:25 [timeless]
- ... if you randomize the UI
- 18:06:33 [timeless]
- ... you can impinge the ability of the attacker
- 18:06:40 [timeless]
- ... that was proposed by Bill Curry (PayPal)
- 18:06:50 [timeless]
- ... one of the first proposals to the list
- 18:07:00 [Arno_]
- Arno_ has joined #webappsec
- 18:07:02 [timeless]
- ... but the attacker can send clicks to multiple locations
- 18:07:20 [timeless]
- dveditz: deployment on NoScript is a bit over 1%, but less than 2%
- 18:07:25 [timeless]
- bhill2: that's quite impressive
- 18:07:47 [timeless]
- ... and successful attacks in 1% of cases is still a profitable business
- 18:08:03 [timeless]
- ... Refining Randomization
- 18:08:09 [timeless]
- ... we can do recording of clicks
- 18:08:25 [timeless]
- ... and do analysis to detect fraud
- 18:08:34 [timeless]
- ... / clickjacking
- 18:08:48 [timeless]
- ... on the backend we create a bucket based on target
- 18:08:49 [dveditz]
- the most popular "user-chosen" add-on has around 10% deployment
- 18:09:02 [timeless]
- ... for like, the likee
- 18:09:05 [timeless]
- ... for pay, the payee
- 18:09:18 [timeless]
- ... look at first click miss rates bucket-by-bucket
- 18:09:21 [dveditz]
- there are some ride-along add-ons that are more popular, that users didn't really select. e.g. the Java Console add-on
- 18:09:26 [timeless]
- ... assume some natural rate
- 18:09:57 [timeless]
- ... this protects against popunder and close attacks
- 18:10:06 [timeless]
- ... we can't distinguish one-off attacks from random noise
- 18:10:12 [timeless]
- ... but we can identify campaigns
- 18:10:23 [timeless]
- ... if they start doing click jacking
- 18:10:29 [timeless]
- ... we'll see the first click rates jump
- 18:10:35 [dveditz]
- don't quote me on the numbers, I'm not one of our metrics guys. Just trying to eyeball the published "users" number on addons.mozilla.org but I don't know if they're measured the same way we measure Firefox users
- 18:10:39 [timeless]
- ... Sensitivity of Detection
- 18:11:09 [timeless]
- [ Graphic: Sensitivity of Clickjacking Detection ]
- 18:13:18 [timeless]
- dveditz: this isn't preventing fraud
- 18:13:26 [timeless]
- bhill2: it's detecting after the fact
- 18:13:44 [timeless]
- Josh_Soref: they can do more
- 18:13:49 [timeless]
- ... they can reverse the charges/likes
- 18:13:52 [timeless]
- ... and penalize the account
- 18:14:06 [timeless]
- ekr: the enclosing page can track the mouse
- 18:15:28 [timeless]
- bhill2: if the user doesn't see this interface
- 18:15:34 [timeless]
- ... they're seeing an overlay
- 18:15:42 [timeless]
- ... they'll have a 66% miss rate
- 18:15:46 [timeless]
- ... if it's only getting clickjacks
- 18:15:53 [timeless]
- ... and we can distinguish at the backend
- 18:16:08 [timeless]
- DanD: this is an analytics capability
- 18:16:27 [timeless]
- bhill2: Results
- 18:16:43 [timeless]
- ... assuming everything else works
- 18:17:00 [timeless]
- ... you can reduce the natural conversion rate to as little as 1% through clickjacking
- 18:17:07 [timeless]
- ... with 3 or 4 positions
- 18:17:13 [timeless]
- ... Adaptive Responses
- 18:17:27 [timeless]
- ... what if i try to put my competitor's store into the dog house?
- 18:17:40 [timeless]
- ... If you detect this, you can have a graduated response
- 18:17:50 [timeless]
- ... popup with X-Frame-Options
- 18:17:58 [timeless]
- ... Add a CAPTCHA or re-verify credentials
- 18:18:09 [timeless]
- dveditz: do you guys check referers?
- 18:18:19 [timeless]
- ... i'm curious as to whether a reliable origin header is useful
- 18:18:37 [timeless]
- ... if you're trying to attack a rival
- 18:18:53 [timeless]
- bhill2: the button would have to encode the refering frame
- 18:19:03 [timeless]
- dveditz: you may or may not get a referer on that today
- 18:19:30 [timeless]
- Josh_Soref: if there's no referer, the server can require more UI
- 18:19:40 [timeless]
- bhill2: you can't use this for WebMail, or the FlashControlPanel
- 18:19:43 [timeless]
- ... or Nascar
- 18:19:57 [timeless]
- ... if you can't bucketize your targets
- 18:20:04 [timeless]
- ... for webmail/flashcontrolpanel
- 18:20:15 [timeless]
- ... it's expensive, you need to be able to do the analytics
- 18:20:23 [timeless]
- JeffH: or already have it existing
- 18:20:33 [timeless]
- bhill2: a lot of the targets already have the capabilities in house
- 18:20:46 [timeless]
- ... david hong said the attacker could try to disperse the attack
- 18:21:03 [timeless]
- ... some of this involves determining the natural misclick rate independently
- 18:21:12 [timeless]
- ... instead of case-by-case calculation
- 18:21:21 [timeless]
- bhill2: the biggest attack is the partial reveal attack
- 18:21:45 [timeless]
- ... "Click the Sleepy Frog to Win"
- 18:21:58 [timeless]
- ... but ClearClick will find that in a heartbit
- 18:22:02 [timeless]
- s/bit/beat/
- 18:22:19 [timeless]
- ... combining the statistical backend bucketization
- 18:22:23 [timeless]
- ... and apply it to clearclick
- 18:22:36 [timeless]
- ... the page could say "if you think you're going to have a ClearClick warning"
- 18:22:45 [timeless]
- ... "send the report to a feedback URI"
- 18:23:26 [timeless]
- ... a policy hint saying "report clickjacking to url" where the url encodes the transaction
- 18:23:32 [timeless]
- ... Advantages:
- 18:23:37 [timeless]
- ... that makes false positives disappear
- 18:23:42 [timeless]
- ... you never stop users from interacting
- 18:23:48 [timeless]
- ... they can learn
- 18:23:53 [timeless]
- ... no confusing dialogs
- 18:24:02 [timeless]
- ... small install base can protect everyone
- 18:24:26 [timeless]
- ... penalize the account commiting fraud based on highly sensitive information
- 18:24:31 [timeless]
- ... Conclusions:
- 18:24:35 [timeless]
- ... randomization isn't for everyone
- 18:24:41 [timeless]
- ... high cost, only usable in certain UIs
- 18:24:55 [timeless]
- ... primary targets are in its "sweet spot"
- 18:25:03 [timeless]
- ... Combines well with client-side techniques
- 18:25:25 [timeless]
- ... reporting loop + backend- fraud analsysi approach can remove some weaknesses of heuristic client-side techniques
- 18:25:43 [timeless]
- s/analsysi/analysis/
- 18:25:54 [timeless]
- DanD: it could be chatty
- 18:26:01 [timeless]
- bhill2: it could be pretty simple
- 18:26:08 [timeless]
- ... instead of a dialog in ClearClick
- 18:26:15 [timeless]
- ... it's a single Ping with a unique identifier
- 18:26:31 [timeless]
- dveditz: a META with a report URI
- 18:26:38 [timeless]
- bhill2: META clickjack-report uri
- 18:26:47 [timeless]
- dveditz: browsers that know do it
- 18:26:50 [timeless]
- ... browsers that don't ignore it
- 18:27:04 [timeless]
- bhill2: the report isn't much difference from CSP
- 18:27:09 [Zakim]
- - +1.858.485.aabb
- 18:27:10 [timeless]
- ... we only ship on violation
- 18:27:22 [timeless]
- ... that hasn't been a problem in bandwidth
- 18:32:00 [timeless]
- Topic: What are we protecting
- 18:32:16 [timeless]
- puhley: we're assuming a page that has already CSFP
- 18:32:49 [timeless]
- ... for PayPal, you have 1-click buys
- 18:33:16 [timeless]
- ... what does paypal need to encode?
- 18:33:32 [timeless]
- bhill2: payee, amount
- 18:34:36 [timeless]
- bhill2: the no-opt-in has the high bar
- 18:34:41 [timeless]
- ... the web is complicated
- 18:34:43 [tanvi1]
- tanvi1 has joined #webappsec
- 18:34:49 [timeless]
- ... how do we know we aren't breaking a large part of the web
- 18:34:59 [timeless]
- ... does gioma1 have telemetry on false positives?
- 18:35:18 [timeless]
- puhley: for the submit button/slider
- 18:35:26 [dveditz]
- I doubt it, people would scream about tracking or somesuch
- 18:35:30 [timeless]
- ... the page would have to be designed to fit the slider protection
- 18:35:36 [tanvi]
- tanvi has joined #webappsec
- 18:35:40 [gioma1]
- I've got *voluntary* reports, could try to extract some stats for next meeting.
- 18:36:20 [dveditz]
- the population of people interested in NoScript is almost exactly the sort that would notice and complain about extra connection attempts unrelated to their task at hand
- 18:37:06 [timeless]
- bhill2: gioma1, it would be really cool if we could get the overall rate of warning dialogs
- 18:37:15 [timeless]
- ... what percentage of sites generate warning dialogs
- 18:37:27 [timeless]
- ... and how many times / year does the average (opt-in) user see a dialog
- 18:37:38 [gioma1]
- bhill, I could extrapolate from people who uses the "Report" button
- 18:37:40 [dveditz]
- that kind of non-specific telemetry is generally accepted
- 18:38:05 [gioma1]
- are you suggesting to instrument current ClearClick to send anonymous usage stats?
- 18:38:49 [timeless]
- puhley: for the use case
- 18:38:51 [timeless]
- ... who would use it
- 18:38:57 [timeless]
- ... we didn't define a User Persona
- 18:39:03 [JeffH]
- gioma1: i think the short answer is "sure"
- 18:39:06 [timeless]
- ... we were talking about <input type
- 18:39:10 [timeless]
- ... ....
- 18:39:15 [timeless]
- ... you have a PayPal page
- 18:39:19 [timeless]
- ... and a pay now button
- 18:39:29 [timeless]
- ... the assumption is the attacker is using an iframe
- 18:39:36 [timeless]
- ... the victim page is by definition iframes
- 18:39:39 [timeless]
- s/iframes/iframed/
- 18:39:53 [timeless]
- ... how does the page define that it's opting into the click-jack protection
- 18:39:57 [timeless]
- ... it could just be a header
- 18:40:07 [timeless]
- ... but the page has to define which button is click-jack protected
- 18:40:16 [timeless]
- ... would <input type="clickjackprotected">
- 18:40:22 [timeless]
- ... be sufficient instead of a page header
- 18:40:36 [timeless]
- ... there are pay now buttons on very large pages
- 18:40:40 [timeless]
- ... with full reciepts
- 18:40:48 [timeless]
- s/reciepts/receipts/
- 18:41:04 [timeless]
- ... in clickjacking, a fraction of the page has been rendered
- 18:41:16 [timeless]
- dveditz: are we only talking about opt in at this point?
- 18:41:23 [gioma1]
- q+
- 18:41:24 [timeless]
- ... the nice thing about ClearClick is that it doesn't require opt in
- 18:41:34 [timeless]
- ... only Facebook/PayPal will do it
- 18:41:38 [whitech]
- whitech has joined #webappsec
- 18:41:43 [timeless]
- puhley: we have 3 levels
- 18:41:48 [timeless]
- ... optin
- 18:41:51 [timeless]
- ... slider
- 18:41:53 [timeless]
- ... server side
- 18:42:13 [timeless]
- ... 1. clearclick - browser for all pages
- 18:42:18 [gioma1]
- q-
- 18:42:20 [timeless]
- ... 2. opt in "this is a sensitive page"
- 18:42:27 [timeless]
- ... -- slider
- 18:42:34 [timeless]
- ... 3. server side with heuristics
- 18:42:50 [timeless]
- bhill2: 1.5, opt in for all pages, with policy channel to refine it
- 18:43:05 [timeless]
- ... not sure if there's a precedent for @w3 level
- 18:43:13 [timeless]
- ... a compatibility list like ie8
- 18:43:30 [timeless]
- ... deliberately fallback to ie7 mode
- 18:43:42 [timeless]
- ... i wonder if we could identify that certain sites always generate warnings
- 18:43:46 [timeless]
- ... and opt them out
- 18:43:52 [Zakim]
- + +1.858.485.aacc
- 18:43:53 [timeless]
- ... i'm tossing ideas out
- 18:44:17 [timeless]
- DanD: the challenge is to educate the user community
- 18:44:20 [timeless]
- ... on the real
- 18:44:25 [timeless]
- JeffH: that will never happen
- 18:44:35 [timeless]
- DanD: having multiple options with UI implications will have user confusion
- 18:44:44 [timeless]
- puhley: https in the location bar is an indication
- 18:44:54 [timeless]
- ... we changed once every 5 years and still confuse users
- 18:44:59 [timeless]
- DanD: the protected element
- 18:45:04 [timeless]
- ... is a good way to give to a developer
- 18:45:09 [timeless]
- ... but it can be abused
- 18:45:14 [timeless]
- ... someone may overuse it
- 18:45:19 [timeless]
- ... and not realize they're causing harm
- 18:45:35 [timeless]
- bhill2: that just means genuine sites get to show their own ui
- 18:45:42 [timeless]
- ... but it doesn't protect
- 18:45:52 [timeless]
- ... fraud sites
- 18:46:06 [timeless]
- ... the risk is that the end user will assume the right site is involved
- 18:46:19 [timeless]
- dveditz: most click jacking is based on size of frame
- 18:46:26 [timeless]
- ... could we do something based on frame size?
- 18:46:34 [timeless]
- ... if the page is too small
- 18:46:42 [timeless]
- ... it might play with protected content
- 18:46:48 [timeless]
- ... it could be in CSP
- 18:47:01 [timeless]
- bhill2: something like ClearClick with Hints+Policy+Feedback
- 18:47:08 [timeless]
- ... we could get very good for the whole web
- 18:47:27 [timeless]
- ... but what do you do when there's the "This is BAD"
- 18:47:39 [timeless]
- ... that's fine for PayPal/Facebook
- 18:47:53 [timeless]
- ... we could have the dialog for ClearClick
- 18:48:00 [timeless]
- bhill2: i love the technology
- 18:48:03 [timeless]
- ... i hate the failure mode
- 18:48:11 [timeless]
- puhley: i could say "deliver+give report"
- 18:49:09 [bhill2]
- timeless: instead of showing a warning, redirect to a browser-hosted page that can't be attacked, which explains the situation
- 18:49:37 [bhill2]
- timeless: there is no harm
- 18:49:47 [bhill2]
- bhill2: unless it's a false positive, then the user is really freaked out
- 18:50:02 [bhill2]
- timeless: browser vendors can use that to improve huristics
- 18:50:19 [timeless]
- s/timeless:/Josh_Soref:/G
- 18:50:33 [timeless]
- bhill2: if we do ClearClick and opt in
- 18:50:37 [timeless]
- ... that's a tiny percentage of the web
- 18:50:42 [timeless]
- ... if we opt everyone in by default
- 18:51:00 [timeless]
- s/redirect to/redirect framed page to/
- 18:51:05 [timeless]
- ... is there a way we can
- 18:51:20 [timeless]
- ... Could we have browser manufacturers to investigate false positives?
- 18:51:26 [timeless]
- ... or just add a hard block?
- 18:51:40 [timeless]
- puhley: i haven't used ClearClick enough
- 18:51:56 [timeless]
- ... majority of pages are simple
- 18:52:03 [timeless]
- ... it's just Hulu/Gaming sites
- 18:52:22 [gioma1]
- the default tolerance (in ClearClick terms) for opt-out standalone deployments could be set relatively high
- 18:52:28 [gioma1]
- (like the current 18%, which looks to be doing very well)
- 18:52:41 [gioma1]
- and websites who care could tweak it to be stricter
- 18:52:43 [timeless]
- gopal: does the slider consider touch events?
- 18:54:06 [bhill2]
- timeless: it's a mock-up, browser implementer could choose how to do that
- 18:54:08 [timeless]
- JeffH: how big a problem is clickjacking per se?
- 18:54:19 [timeless]
- ... puhley notes that most web pages are "simple"
- 18:54:31 [timeless]
- ... how much this is an issue on a global issue should inform this
- 18:54:39 [timeless]
- bhill2: maybe it's nice to opt in by default
- 18:54:48 [timeless]
- ... but maybe the only people who care would be willing to opt in
- 18:54:56 [timeless]
- puhley: there's a small number of sites who are concerned
- 18:55:01 [timeless]
- ... but they have a large number of users
- 18:55:08 [timeless]
- JeffH: but that can inform how it's approached
- 18:55:22 [timeless]
- ... thinking about the userbase and the entire set of sites
- 18:55:40 [timeless]
- ... v. scoping to high value/high expertise sites
- 18:55:44 [timeless]
- ... and what's sufficient to hand them
- 18:55:50 [timeless]
- ... may be less work for a group such as this
- 18:56:02 [timeless]
- ... if this is a tangled mess
- 18:57:09 [timeless]
- bhill2: how conservative do we have to be in terms of not breaking anything else out there?
- 18:57:12 [timeless]
- dveditz: relatively
- 18:57:16 [timeless]
- bhill2: i lean to very
- 18:57:30 [timeless]
- ... we could certainly lean to a mechanism that is only opt in
- 18:57:38 [timeless]
- ... and maybe we could later apply by default
- 18:57:58 [timeless]
- dveditz: if we had an opt in mechanism, we could get pretty radical
- 18:58:07 [timeless]
- bhill2: you could monitor but not enforce for all pages
- 18:58:12 [timeless]
- ... and you could get a ton of data
- 18:58:13 [dveditz]
- (and if it sucks then people won't opt-in)
- 18:58:25 [timeless]
- ... and calculate false positive rates
- 18:58:39 [timeless]
- ... if you already have to build the technology for some sites
- 18:58:54 [timeless]
- dveditz: gioma1 mentioned he has an 18% tolerance
- 18:59:05 [timeless]
- ... he could track what it would be at 5% / 10% / 20% / ...
- 18:59:14 [timeless]
- ... and he wouldn't need to collect the sites
- 18:59:26 [timeless]
- ... just "of the sites i fired, how many would i have fired at this level"
- 18:59:34 [gioma1]
- how? by randomizing the tolerance?
- 19:00:16 [JeffH]
- can u hear dveditz's verbal response?
- 19:00:18 [bhill2]
- dvetitz: assume you compare, get a number and compare to your tolerance
- 19:00:32 [bhill2]
- dveditz: report what the difference rates are as a population
- 19:00:36 [timeless]
- s/dvetitz/dveditz/
- 19:00:42 [gioma1]
- No I didn't hear. oh, I get it, by recomparing at different rates.
- 19:00:47 [gioma1]
- (maybe in background)
- 19:01:01 [dveditz]
- I assume you compare once and get a "difference number"
- 19:01:12 [bhill2]
- so we could start the technology as opt-in and only apply it to sites that provide policy/hints
- 19:01:14 [gioma1]
- ok
- 19:01:18 [gioma1]
- clear
- 19:01:21 [dveditz]
- which you then say "if (diff < tolerance) warning();"
- 19:01:30 [dveditz]
- but you can save that diff in buckets
- 19:01:31 [bhill2]
- but run it in the background and get really large telemetry numbers on how often it would trigger on the rest of the web
- 19:01:34 [bhill2]
- at different sensitivities
- 19:01:51 [bhill2]
- and use that to later make a decision as to whether to opt-in the entire web, and at what sensitivity
- 19:02:08 [bhill2]
- and perhaps collect, voluntarily, what sites would break and have a compatibility opt-out list baked-in
- 19:02:27 [gioma1]
- bhill2, wait, someone did something similar
- 19:02:31 [gioma1]
- let me find the paper...
- 19:02:39 [timeless]
- s/diff < tolerance/diff > tolerance/
- 19:02:58 [gioma1]
- http://www.iseclab.org/papers/asiaccs122-balduzzi.pdf
- 19:03:19 [gioma1]
- these guys built a scanner based on ClearClick to analyze Clickjacking's prevalence on the web
- 19:03:36 [gioma1]
- (I discovered it last night while refining my references)
- 19:04:24 [bhill2]
- so giorgio, would you be willing to begin working on a w3c draft describing the clearclick technology in a browser-agnostic manner
- 19:04:33 [JeffH]
- good paper to reference, thanks gioma1
- 19:05:00 [bhill2]
- with mechanisms for resource owners to provide hints/policy to the enforcement mechanism, and a way for the mechansim to report back to the resource owner
- 19:05:19 [gioma1]
- bhill2, I'd like it (be soft on deadline, though :) )
- 19:05:29 [bhill2]
- :)
- 19:05:41 [bhill2]
- we can look for a co-editor - that's usually a good idea, anyway
- 19:06:16 [gioma1]
- bhill2, you?
- 19:06:48 [bhill2]
- I'd be willing to do it, but have to consult w/w3c staff on whether that is a conflict with my job as co-chair
- 19:07:19 [bhill2]
- so we are going to break for lunch for the moment
- 19:07:30 [bhill2]
- I think we should summarize this on the list, make a proposal
- 19:07:53 [bhill2]
- and I'd like to propose gioma1 as an initial editor, and find another co-editor
- 19:08:21 [bhill2]
- I think a browser person might be a better choice than myself since they'd know the guts of the implementation details
- 19:08:33 [bhill2]
- but let's solicit on the list. David Huang might also be a better choice than I if he's free.
- 19:08:44 [bhill2]
- thanks very much, Giorgio.
- 19:08:53 [gioma1]
- bhill2, my pleasure
- 19:09:26 [bhill2]
- we're going to be doing test development following lunch, so you can get some sleep if it's' that time of day there.
- 19:09:27 [bhill2]
- :)
- 19:28:43 [bhill2]
- rrsagent, make minutes
- 19:28:43 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html bhill2
- 19:28:50 [bhill2]
- rrsagent, set logs public-visible
- 19:36:12 [Zakim]
- -gioma1
- 19:38:22 [Arno_]
- Arno_ has joined #webappsec
- 19:38:31 [Zakim]
- - +1.858.485.aacc
- 19:43:18 [timeless]
- scribe: bhill2
- 19:48:30 [odinho]
- odinho has joined #webappsec
- 20:04:20 [tanvi1]
- tanvi1 has joined #webappsec
- 20:07:09 [timeless]
- present+ Josh_Soref
- 20:07:36 [timeless]
- Zakim, Josh_Soref has left [Jupiter]
- 20:07:36 [Zakim]
- -Josh_Soref; got it
- 20:07:52 [anne]
- anne has joined #webappsec
- 20:12:24 [tanvi]
- i'm working on the csp tests
- 20:13:18 [gopal]
- https://dvcs.w3.org/hg/webappsec
- 20:13:30 [puhley]
- I am working on converting CGIs to PHP. I started on the bottom of the list and I am working my way back up.
- 20:14:08 [jrossi]
- jrossi has joined #webappsec
- 20:14:18 [jrossi]
- jrossi has left #webappsec
- 20:16:02 [odinho]
- http://w3c-test.org/webappsec/tests/cors/submitted/cors1.0/cors-tests.html
- 20:16:04 [odinho]
- Hmm
- 20:16:05 [odinho]
- wrog
- 20:16:09 [odinho]
- https://bitbucket.org/ms2ger/test-runner/src
- 20:16:23 [odinho]
- s/Hmm//
- 20:16:28 [odinho]
- s/wrog//
- 20:16:36 [odinho]
- s|http://w3c-test.org/webappsec/tests/cors/submitted/cors1.0/cors-tests.html||
- 20:17:03 [odinho]
- s|https://bitbucket.org/ms2ger/test-runner/src|-">https://bitbucket.org/ms2ger/test-runner/src|-> https://bitbucket.org/ms2ger/test-runner/src Ms2Ger's testharness.js testrunner
- 20:17:14 [odinho]
- RRSAgent: draft minutes
- 20:17:14 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/05/03-webappsec-minutes.html odinho
- 20:17:35 [odinho]
- present+ Odin_Horthe_Omdal
- 20:18:34 [Arno_]
- Arno_ has joined #webappsec
- 20:18:46 [puhley]
- I am working on access-control-sandboxed-iframe-denied.cgi, access-control-sandboxed-iframe-allow.cgi, and access-control-basic-whitelist-response-headers.cgi
- 20:20:09 [odinho]
- i/i'm working on the csp tests/Topic: Testjam session
- 20:29:16 [gopal]
- CORS has similar tests in opera and webkit folder. Our goal is it consolidate the tests and bring one set of tests to cors1.0 folder.
- 20:29:45 [gopal]
- I am working on testRunner, this will help us runn all the rest with one click.
- 20:29:59 [gopal]
- s/runn/run
- 20:40:30 [odinho]
- I'm working on opera/js/basic.htm I*m removing it from using resources/cors-headers.php, because I just want all the tests to use cors-makeheader.php instead.
- 20:40:33 [Zakim]
- -[Jupiter]
- 20:40:35 [Zakim]
- SEC_WASWG()12:00PM has ended
- 20:40:35 [Zakim]
- Attendees were +1.650.693.aaaa, gioma1, bhill2, dveditz, ekr, Arno_, Josh_Soref, JeffH, DanD, puhley, gopal, tanvi1, paulc, +1.858.485.aabb, +1.858.485.aacc
- 20:57:17 [puhley]
- Moving on to access-control-sandboxed-iframe-denied-without-wildcard.cgi
- 20:58:21 [dveditz]
- dveditz has joined #webappsec
- 21:03:38 [odinho]
- I can review stuff if anyone wants.
- 21:35:21 [tanvi]
- tanvi has joined #webappsec
- 21:45:35 [anne]
- anne has joined #webappsec
- 21:59:50 [gopal]
- apt-get install hgview if you want some visualization of hg repo
- 22:04:06 [gopal]
- Try out the testRunner
- 22:04:28 [gopal]
- hg pull, you should have webappsec/tests/testRunner
- 22:04:56 [gopal]
- in your vm, add a symlink, ln -s /home/webappsec/tests/testRunner
- 22:05:20 [gopal]
- then http://www.w3c-test.org/testRunner/index.html
- 22:06:04 [gopal]
- I assume you have www.w3c-test.org in your /etc/hosts.
- 22:07:10 [gopal]
- If you add your .html file to MANIFEST, testRunner will pick it up automatically.
- 22:09:56 [odinho]
- If someone wants to help me with converting sync tests to async ones. THat'd be A+. Just ask, I'll point you to places to start.
- 22:12:00 [odinho]
- Hmmm. Actually CORS DOES work with Firefox(!), but withCredentials does not. Wat?
- 22:12:03 [odinho]
- Anyone know anything?
- 22:17:57 [gopal]
- For testing we should be using the following hosts and ports:
- 22:18:11 [gopal]
- The following are "live" e.g. for testing:
- 22:18:11 [gopal]
- https://www.w3c-test.org/
- 22:18:12 [gopal]
- http://www.w3c-test.org/
- 22:18:12 [gopal]
- http://www1.w3c-test.org/
- 22:18:12 [gopal]
- http://www2.w3c-test.org/
- 22:18:13 [gopal]
- The following ports are "live" e.g. for testing:
- 22:18:14 [gopal]
- http://www.w3c-test.org:81/
- 22:18:17 [gopal]
- http://www.w3c-test.org:82/
- 22:18:18 [gopal]
- http://www.w3c-test.org:83/
- 22:18:29 [gopal]
- source http://www.w3.org/2008/webapps/wiki/Testing_Requirements
- 22:19:14 [gopal]
- Add these hosts to your /etc/hosts and /etc/apache2/ports.conf
- 22:32:02 [Zakim]
- Zakim has left #webappsec
- 22:32:04 [tanvi]
- hg push is giving me a connecction timeout
- 22:41:08 [ekr]
- ekr has joined #webappsec
- 22:50:42 [ekr]
- ekr has left #webappsec
- 22:52:19 [tanvi]
- tanvi has joined #webappsec
- 23:34:48 [tanvi1]
- tanvi1 has joined #webappsec
- 23:36:02 [tanvi1]
- tanvi1 has joined #webappsec
- 23:37:23 [tanvi]
- tanvi has joined #webappsec
- 23:37:26 [tanvi]
- tanvi has joined #webappsec