Approach the WebKit security team - they are much easier to approach and
communicate with. http://webkit.org/security/security-group-members.html
The best way to get hold of the Twitter security team is via Twitter. :)
This is absolutely necessary and awesome work, JohnWilander++
PS: Yes, I just incremented you, John. :)
Hey Robert, now that you are confirmed to go to the Summit, here is a good thread to start getting your head around what is going on.
Can somebody do a quick briefing for Robert on:
- where we currently are with this Track and Working Sessions
- what needs to be done
- and more importantly, WHO should be at the Summit for these Working Sessions and is currently NOT going (like some of the missing browsers) or is yet to be invited (maybe Robert can help)
In terms of the unconfirmed Summit attendees (i.e. http://www.owasp.org/index.php/Summit_2011_Attendee#Unconfirmed_Summit_Attendees), what is the deal with Ashkan Soltani and Ian Fette?
Sounds good. Thanks again for the invite. It looks like you have a good chunk of the key players: Microsoft, Mozilla and Google. I'd probably go out of my way to invite Apple as well, given their stake in the OS market and mobile computing. Window would probably know the right person from the technical side to invite, as my main contact there recently moved on.
As far as other working groups, I’m sure there’s a ton to talk about and we’ll come up with more, but here’s what I’d like to talk about (note, I’m not inviting everyone to make me a chair on each of these – but I’d be happy to take a few of them):
1) Do Not Track - I love the idea but dislike the proposed implementation. I have an idea that might increase its effectiveness/usefulness. This may be a short discussion, but it's one worth having, especially in light of the FTC stuff.
2) DNSSEC - I think this could solve a ton of problems around man-in-the-middle attacks and the cost of certificates. I've got some ideas on how to push this forward a little as well. This probably deserves its own working group.
3) Ad blocking by default in browsers - This caused a lot of back and forth at BlueHat, but I think it's seriously important to consider. This goes into a bigger discussion about corporate motives behind browser technology, and so on. But I think it's one of the most important features we should be discussing. Not sure if this needs a working group or not, but it can take a while to explain it and convince people it's a good idea. Again, this will become more important because of the recent FTC guidance.
4) CSRF - we still haven't come up with a viable defense against this other than nonces, but there really should be a concerted effort to give webmasters an easy way to make sure it can't happen (at least cross-domain). If you can stop CSRF, a huge chunk of the worst attacks against browsers stop working. This also probably deserves its own working group.
5) Speeding up browsers (a la performance primitives), and diverting some of the increase in efficiency towards security (E.g. Ad blocking). This may be a side-bar conversation, but no one from the browser side has given any commitments about how they will use their increases in performance over time. I’d love to get some commitment – say, 25% of all performance increases will be given to their respective security teams to use as necessary. I really want to stop the back and forth about whether security is too expensive from a processor/time/memory footprint/pageload perspective. Let’s give the security teams a budget (25% or whatever it is) and make them stick to that – whatever they can do within that allotted time is fair game going forward.
6) Acid test for browser security - we talked about this last time, but we need someone clever (Gareth or Mario or someone similar - although maybe not Gareth if he's now affiliated with Microsoft, to keep it free of the fear of collusion) to build an acid test to define how good or bad each browser is from a security perspective and give them scores accordingly. Yes, we may have to get some sponsorship for this project, because I really doubt we could get this for free.
… and other stuff. That’s probably good for starters.
Robert Hansen, CISSP
CEO -- SecTheory Ltd
Cell: (530) 521-2542
FAX: (512) 628-6299
Cheers,
.mario