IETF Logo Mail Archive

Re: [Uta] Treating Javascript developers like they are stupid.

"Orit Levin (LCA)" <oritl@microsoft.com> Mon, 03 February 2014 20:00 UTC

Return-Path: <oritl@microsoft.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D42E1A0242 for <uta@ietfa.amsl.com>; Mon, 3 Feb 2014 12:00:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rdqEjQzK9XAc for <uta@ietfa.amsl.com>; Mon, 3 Feb 2014 12:00:55 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0239.outbound.protection.outlook.com [207.46.163.239]) by ietfa.amsl.com (Postfix) with ESMTP id 5935F1A0247 for <uta@ietf.org>; Mon, 3 Feb 2014 12:00:50 -0800 (PST)
Received: from BL2PR03MB290.namprd03.prod.outlook.com (10.141.68.19) by BL2PR03MB289.namprd03.prod.outlook.com (10.141.68.12) with Microsoft SMTP Server (TLS) id 15.0.873.10; Mon, 3 Feb 2014 20:00:49 +0000
Received: from BL2PR03MB290.namprd03.prod.outlook.com ([10.141.68.19]) by BL2PR03MB290.namprd03.prod.outlook.com ([10.141.68.19]) with mapi id 15.00.0873.009; Mon, 3 Feb 2014 20:00:48 +0000
From: "Orit Levin (LCA)" <oritl@microsoft.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Alyssa Rowan <akr@akr.io>, "uta@ietf.org" <uta@ietf.org>
Thread-Topic: [Uta] Treating Javascript developers like they are stupid.
Thread-Index: AQHPHncYO34pJO1GOkaFCclIpl8am5qgZ5sAgAGCZ4CAAgLCYA==
Date: Mon, 03 Feb 2014 20:00:48 +0000
Message-ID: <77096ccfc99d481eb5314364fdb7866d@BL2PR03MB290.namprd03.prod.outlook.com>
References: <3E30BD89-AB78-4378-83AD-A1D4AD59E03D@edvina.net> <52ECF7CA.40902@akr.io> <52EE3BED.9000001@gmail.com>
In-Reply-To: <52EE3BED.9000001@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [98.247.123.117]
x-forefront-prvs: 01110342A5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(51704005)(54524002)(13464003)(24454002)(377454003)(479174003)(164054003)(199002)(189002)(50986001)(92566001)(76796001)(47976001)(47736001)(49866001)(74706001)(551544002)(74316001)(74366001)(65816001)(56816005)(90146001)(66066001)(80022001)(4396001)(86612001)(76576001)(85852003)(83072002)(76786001)(31966008)(81542001)(15202345003)(54356001)(94316002)(19580395003)(86362001)(81686001)(93516002)(81816001)(93136001)(85306002)(74502001)(51856001)(94946001)(69226001)(46102001)(47446002)(74662001)(2656002)(87936001)(53806001)(63696002)(74876001)(19580405001)(80976001)(83322001)(77982001)(79102001)(59766001)(54316002)(33646001)(56776001)(76482001)(81342001)(87266001)(15975445006)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR03MB289; H:BL2PR03MB290.namprd03.prod.outlook.com; CLIP:98.247.123.117; FPR:8B78F1F7.AFD2E359.FED0B3F7.4329C171.204D9; InfoNoRecordsA:1; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [Uta] Treating Javascript developers like they are stupid.
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2014 20:00:57 -0000

My interpretation of this case is that there is a major difference today in "treating" native vs. Javascript application developers due to the existing web security model, with websockets and webrtc leading the pressure for change.

This could have been a topical paper for STRINT (where IETF and W3C experts will meet), unless it is already there.

If not, I don't see any harm of writing and submitting a draft (to UTA) with specific suggestions for changes in the error codes being delivered (through APIs) to web applications using TLS. Time permitting, we may have the right people in and/or outside the room to bounce ideas off each other. Most helpful would be to have a list of allowed codes with justification for each  including an explanation for why it wouldn't lead to additional vulnerabilities already existing using other "techniques".

Orit.

> -----Original Message-----
> From: Uta [mailto:uta-bounces@ietf.org] On Behalf Of Yaron Sheffer
> Sent: Sunday, February 02, 2014 4:37 AM
> To: Alyssa Rowan; uta@ietf.org
> Subject: Re: [Uta] Treating Javascript developers like they are stupid.
> 
> Hi Alyssa,
> 
> Yes, there's a trade-off here but I agree with Olle that there's a lot
> of value in exposing TLS behavior and errors to the app layer. Besides,
> malicious apps can use timing information as a (less informative)
> oracle, e.g. to distinguish between a non-existent host, a failed TCP
> and connection a failed TLS handshake.
> 
> And it is more than just errors. Some things I would like to see in the
> interface are:
> 
> - Errors, including TLS alerts.
> - The ability to know what identity the server is claiming, so as to
> make policy decisions.
> - The ability to control TLS policy, such as what protocol version is
> being negotiated (so that the app can avoid SSLv3 even if the browser is
> misconfigured).
> - An app should be able to extract channel binding data from TLS, to
> facilitate crypto-binding of the app messages with the transport channel.
> - Control of credentials being used for client authentication: client
> certs, symmetric keys used with TLS-PSK, passwords used with TLS-SRP and
> similar. For symmetric keys and passwords, credentials should be pulled
> from a browser-specific "password manager", so the app should never see
> them.
> 
> Thanks,
> 	Yaron
> 
> 
> On 02/01/2014 03:34 PM, Alyssa Rowan wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > On 31/01/2014 11:24, Olle E. Johansson wrote:
> >> Caused by a discussion about web sockets I've looked into
> >> Javascript a bit. In the web sockets specification they state
> >> clearly that ALL errors - dns, network errors, TLS - is just a
> >> connection error. The developer should not know, and it is stated a
> >> security risk if he gets the information about why a connection
> >> failed. It's all up to the browser.
> >
> >>  From the specification at http://dev.w3.org/html5/websockets/:
> >> ========================
> >>> Allowing a script to distinguish these cases would allow a script
> >>> to probe the user's local network in preparation for an attack.
> >
> > I think it's not treating JavaScript developers like they're stupid,
> > so much as (correctly) treating them like they're possibly malicious.
> > This is a defensive, but sensible and correct approach in practice,
> > given the most common use case by far: running code from random
> > websites which users visit, many of which are not even protected en
> > route by TLS, and many of which transclude IFRAMEs from ad networks
> > and heaven knows where else, too.
> > [...]
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta

v2.23.0 | Report a Bug | By Email