Implementation Challenges With Browser Security Models
High-profile data breaches and security incidents on the Internet are gaining increasing attention from the public and the press. A few examples illustrate the problems: DigiNotar, a Dutch certificate authority, suffered a security breach that resulted in the fraudulent issuance of certificates. Earlier this year a Comodo affiliate was compromised, again resulting in fraudulently issued certificates. During the first half of 2011 LulzSec, a computer hacker group, claimed responsibility for several attacks, including the compromise of user accounts at Sony.
The IETF has done a significant amount of work in the area of Internet security, and Web security in particular. To pick a few examples: HTTP is documented in RFC 2616, and by 1999/2000 the core Web security specifications had been finalized: HTTP basic and digest authentication were published in RFC 2617, and existing deployments make heavy use of TLS with server-side authentication. The HTTP state management mechanism, namely cookies, was initially published in 1997 as RFC 2109, reworked in 2000 by RFC 2965, and just recently revisited in RFC 6265. For non-Web applications, Kerberos, the Simple Authentication and Security Layer (SASL, RFC 4422) and the Generic Security Service Application Program Interface (GSS-API, RFC 2743), the latter two being application-layer authentication frameworks, have found widespread use on the Internet.
This raises the obvious question: What has gone wrong?
Are our tools ineffective? Are the available tools used in the appropriate way? Are we developing the right set of tools? What can we do better to improve on the Internet?
At this IAB technical plenary selected experts from the security community will initiate a discussion. For those interested in more details a draft is available: http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00
Short presentations will introduce the topic to the audience. The audience is then asked to share their views about the problems, lessons learned from past and ongoing security efforts, and suggestions for future work at the end.
- Introduction: Eric Rescorla on the current state of Internet and Web security problems
- Aren't our tools sufficient?
  - Mike Hanson (Mozilla) on the challenges with password-based authentication
  - Russ Housley on PKI problems
- What are we doing?
  - Tim Polk on an example project to improve SSO deployments on the Internet (based on NSTIC)
  - Sean Turner & Stephen Farrell on IETF and W3C security efforts
- What else could we do? (discussion – all)
Goal of the Plenary
- Illustrate that the IETF is the main venue for doing security standardization for Internet protocols.
- Create more visibility for the work that is currently ongoing (RTCWEB Security, WebSec, WebApplicationSec, DANE, etc.)
- Solicit feedback from the audience about possible further work that is needed.
- Advertise the "big picture" draft write-up and announcement of our IAB program on that topic.
Participating IAB Members
Candidates are: Danny, Alissa, Jon, Bernard.