Update on the Browser Security Track


John Wilander

Jan 11, 2011, 7:15:00 AM
to owasp-su...@lists.owasp.org, owasp-summi...@googlegroups.com
Hi Summit Heroes and BrowserSec Working Group!

In case you haven't heard, here are the updates on the Browser Security Track:
  • New HTML5 session co-chaired by Mario Heiderich (in my book you're no. 1 in the world on this subject ;) and Gareth Heyes.
  • New EcmaScript 5 session. Mario will hopefully co-chair this one with Juriy Zaytsev (invited) and/or Mike Samuels (invited).
  • Jeff Hodges, PayPal, has joined. I'm very happy about this since he's the original author of the HSTS spec (http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02, draft expires tomorrow) and a representative of one of the major web apps out there. He will provide his attendee info to me and I'll send it along to Sarah.
  • Opera got their fourth invitation today. I'm reaching out to people I know in Norway to see if they can help.
  • Facebook got their second invitation yesterday and Jim Manico is helping me out there.
  • We still lack connections with Apple's Safari team. Any help would be highly appreciated!
  • I would also like help on inviting Twitter and Yahoo. Douglas Crockford from Yahoo regretted he couldn't make it but I think Yahoo have their YUI team in Barcelona so we should be able to get them over easily.
Check out the track info here:

   Regards, John

--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011

John Wilander

Jan 11, 2011, 7:28:59 AM
to Jim Manico, owasp-su...@lists.owasp.org, owasp-summi...@googlegroups.com
2011/1/11 Jim Manico <jim.m...@owasp.org>
Approach the webkit security team - much easier to approach and
communicate with. http://webkit.org/security/security-group-members.html

Will do immediately. Thanks!

The best way to get ahold of the Twitter security team is via Twitter. :)

Doh. OK, I'll poke around and get some messages sent.

This is absolutely necessary and awesome work, JohnWilander++

PS: Yes, I just incremented you, John. :)

And returned the good old John back again. Just like C++ :).

   /John

Mario Heiderich

Jan 11, 2011, 9:12:41 AM
to owasp-summi...@googlegroups.com, Jim Manico, owasp-su...@lists.owasp.org, John Adams
Hey guys. I just CC'd John Adams from Twitter security - hope that's alright for all sides and helps.

Cheers,
.mario

@JohnAdams Still no update on my T-Shirt? ;)
--
_________________________
php-ids.org | @0x6D6172696F
[[ø,_]=!''+'',[,,,$,,,æ]=!_+''+{}][$+æ+_+ø]+_ 

dinis cruz

Jan 11, 2011, 11:29:08 AM
to owasp-summi...@googlegroups.com, Robert Hansen
Hey Robert, now that you are confirmed to go to the Summit, here is a good thread to start getting your head around what is going on.

Can somebody do a quick briefing to Robert on:
  • where we currently are with this Track and Working Sessions
  • what needs to be done
  • and more importantly, WHO should be at the Summit for these Working sessions, and that is currently NOT going (like some of the missing browsers) or is yet to be invited (maybe Robert can help)
In terms of the unconfirmed Summit Attendees (i.e. http://www.owasp.org/index.php/Summit_2011_Attendee#Unconfirmed_Summit_Attendees), what is the deal with Ashkan Soltani and Ian Fette?

Can they go to the Summit if there are funds to cover their costs?

Dinis Cruz

John Wilander

Jan 12, 2011, 8:52:19 AM
to owasp-summi...@googlegroups.com, Robert Hansen
2011/1/11 dinis cruz <dinis...@owasp.org>

Hey Robert, now that you are confirmed to go to the Summit, here is a good thread to start getting your head around what is going on.

Can somebody do a quick briefing to Robert on:
  • where we currently are with this Track and Working Sessions
  • what needs to be done
  • and more importantly, WHO should be at the Summit for these Working sessions, and that is currently NOT going (like some of the missing browsers) or is yet to be invited (maybe Robert can help)
Robert and I have been in contact, so whenever or whatever, R. Just shoot. Ideas, questions, suggestions.

We are currently hunting Safari, Opera, Twitter, and Salesforce to send representatives and engaged people. Facebook are responding so there's an established contact there. 
In terms of the unconfirmed Summit Attendees (i.e. http://www.owasp.org/index.php/Summit_2011_Attendee#Unconfirmed_Summit_Attendees), what is the deal with Ashkan Soltani and Ian Fette?

I'm guessing Ian has been busy with being the sole author of ...
... which was released yesterday.

I've emailed him a few times lately but no replies. Maybe Jasvir knows? I think he's coming and that Google covers his travel and ticket though. Busy people, that's all.

   /J

John Wilander

Jan 12, 2011, 10:38:13 AM
to owasp-summi...@googlegroups.com, Robert Hansen
Relaying Robert's email since he wasn't in the group yet. See below for an interesting list of further browser sec topics.

Robert: You should have a group invite in your inbox.

---------- Forwarded message ----------
From: Robert Hansen <rob...@sectheory.com>

Sounds good. Thanks again for the invite. It looks like you have a good chunk of the key players. Microsoft, Mozilla and Google. I’d probably go out of my way to invite Apple as well, given their stake in the OS market, and mobile computing. Window would probably know the right person from the technical side to invite as my main contact there recently moved on.

As far as other working groups, I’m sure there’s a ton to talk about and we’ll come up with more, but here’s what I’d like to talk about (note, I’m not inviting everyone to make me a chair on each of these – but I’d be happy to take a few of them):

1) Donottrack – I love the idea but dislike the proposed implementation. I have an idea that might increase its effectiveness/usefulness. This may be a short discussion but it’s one worth having, especially in light of the FTC stuff.

2) DNSSec – I think this could solve a ton of problems around man in the middle and cost of certificates. I’ve got some ideas on how to push this forward a little as well. This probably deserves its own working group.

3) Ad block by default in browsers – This caused a lot of back and forth at Bluehat, but I think it’s seriously important to consider. This goes into a bigger discussion about corporate motives behind browser technology, and so on. But I think it’s one of the most important features we should be discussing. Not sure if this needs a working group or not, but it can take a while to explain it and convince people it’s a good idea. Again, this will become more important because of the recent FTC guidance.

4) CSRF – we still haven’t come up with a viable defense against this other than nonces, but there really should be a concerted effort to give webmasters an easy way to make sure it can’t happen (at least cross domain). If you can stop CSRF a huge chunk of the worst attacks against browsers stop working. This also probably deserves its own working group.

5) Speeding up browsers (a la performance primitives), and diverting some of the increase in efficiency towards security (e.g. ad blocking). This may be a side-bar conversation, but no one from the browser side has given any commitments about how they will use their increases in performance over time. I’d love to get some commitment – say, 25% of all performance increases will be given to their respective security teams to use as necessary. I really want to stop the back and forth about whether security is too expensive from a processor/time/memory footprint/pageload perspective. Let’s give the security teams a budget (25% or whatever it is) and make them stick to that – whatever they can do within that allotted time is fair game going forward.

6) Acid test for browser security – we talked about this last time, but we need someone clever (Gareth or Mario or someone similar – although maybe not Gareth if he’s now affiliated with Microsoft, to keep it free of the fear of collusion) to build an acid test to define how good or bad each browser is from a security perspective and give them scores accordingly. Yes, we may have to get some sponsorship for this project, because I really doubt we could get this for free.

… and other stuff. That’s probably good for starters.

Robert Hansen, CISSP

CEO -- SecTheory Ltd

Cell: (530) 521-2542

FAX: (512) 628-6299

dinis cruz

Jan 12, 2011, 10:45:46 AM
to owasp-summi...@googlegroups.com, Robert Hansen
The way the final Working Sessions schedule will be created is that we will give the big rooms to the Working Sessions that have more attendees (the less popular ones can occur in smaller locations, at either a set time or in a more organic set-up, i.e. when all interested parties happen to be at the same place holding a beer :) ).

We still have not figured out the best way for attendees to vote on (i.e. select) which working sessions they want to go to, BUT, I would recommend that some of Robert's ideas are made into Working Sessions, since some of them (let's say the CSRF one) have much wider interest (and could attract a good crowd).

Dinis Cruz

John Wilander

Jan 12, 2011, 10:50:35 AM
to owasp-summi...@googlegroups.com, Robert Hansen
Yeah, and nobody needs to feel that the Browser Sec session "owns" its topics. If any of you want to do 48 hours of, say, EcmaScript 5 security and think at least a handful would join you, then we can create a stand-alone session.

That said, we can also use the Browser Sec session as a focal point and do break-out sessions if some of the attendees need to go beyond what is scheduled.

   /J


dinis cruz

Jan 12, 2011, 10:56:14 AM
to owasp-summi...@googlegroups.com, Robert Hansen
Hey, Portugal has really good coffee and the beer is good too,

... we can keep you guys going :)

... if you can hold an EcmaScript 5 security codeathon, there will be place for it :)

Dinis Cruz

Mario Heiderich

Jan 12, 2011, 12:36:55 PM
to owasp-summi...@googlegroups.com
Do you guys still need a sec contact at Opera? I have some (which might not be too surprising :P)

Let me know!
.mario

John Wilander

Jan 12, 2011, 3:03:01 PM
to owasp-summi...@googlegroups.com, owasp-summi...@googlegroups.com
Send them over or email them cc:ing me. Thanks!

/John


Sent from my iPad

Mario Heiderich

Jan 12, 2011, 3:37:57 PM
to owasp-summi...@googlegroups.com
You can address Sigbjørn Vik - sigb...@opera.com - he should be
responding quite quickly. If that doesn't work let me know plz :)

Cheers,
.mario
