IETF
websec@jabber.ietf.org
Monday, 25 July 2011
stpeter has set the subject to: WebSec WG | http://tools.ietf.org/wg/websec/

GMT+0
[09:37:00] Bjoern joins the room
[16:48:08] yone joins the room
[16:52:45] jimsch joins the room
[16:57:03] Ted joins the room
[16:57:25] sm joins the room
[16:57:28] <Ted> Howdy. If you need something said into the mic, please put MIC: at the start of the line.
[16:57:42] <Ted> I will proxy it into the room.
[17:01:27] ogud joins the room
[17:03:13] yuioku joins the room
[17:03:17] ChrisWeber joins the room
[17:03:41] Barry Leiba joins the room
[17:04:28] resnick joins the room
[17:04:53] yoiwa joins the room
[17:05:53] lef_jp joins the room
[17:06:00] <resnick> It's spookily quiet in the room. Very secure. Only secure communication.
[17:06:14] resnick looks about shiftily.
[17:07:09] <Bjoern> V pbhyq fnl fbzrguvat, ohg V jbhyq unir gb rapelcg vg.
[17:07:12] bkihara.l joins the room
[17:07:12] nx joins the room
[17:07:23] stpeter joins the room
[17:07:52] <stpeter> I like that, "jabber proxy"
[17:07:56] Chris Newman joins the room
[17:08:00] <Ted> Reminder: preface comments for the room with MIC:
[17:08:35] simo.veikkolainen joins the room
[17:09:09] josephyee joins the room
[17:09:10] hildjj joins the room
[17:09:50] netwerkeddude joins the room
[17:10:17] netwerkeddude leaves the room
[17:10:25] =JeffH joins the room
[17:10:48] rlbob joins the room
[17:11:01] sftcd joins the room
[17:11:28] Satoru Kanno joins the room
[17:15:47] linuxwolf joins the room
[17:16:04] <resnick> Is a comment like, "Just having the algorithm without an explanation of what the algorithm is doing and why is *not* reasonable and needs to be fixed in the sniff document" going to be met with much resistance from the WG?
[17:16:58] <stpeter> resnick: do you need someone to proxy that to the mic
[17:17:02] <stpeter> +?
[17:17:14] <resnick> No, I was asking the question here.
[17:17:23] <resnick> I don't want to talk about it in the room today.
[17:17:27] <resnick> Maybe on the list later.
[17:17:33] <stpeter> ok
[17:19:22] <resnick> (I skulk here in the back of the room, trying to look ominous.)
[17:20:23] sftcd leaves the room
[17:21:08] sftcd joins the room
[17:26:18] linyi joins the room
[17:28:16] hk9565@gmail.com joins the room
[17:29:28] <resnick> <pedantry>Those questions aren't being begged. They're being brought up. Dammit.</pedantry>
[17:31:33] <hk9565@gmail.com> i'm here
[17:31:36] <hk9565@gmail.com> -> abarth
[17:32:07] <Ted> Hi Adam. Did you want that reflected to the room?
[17:32:28] <hk9565@gmail.com> he just said that no browser implementors were here, which isn't quite true :)
[17:32:54] josephyee leaves the room
[17:33:27] <Barry Leiba> Pete: HUGE peeve of mine, as well. But we've lost the battle.
[17:35:17] <stpeter> hk9565@gmail.com: howdy, we can channel your comments to the mic
[17:35:35] <hk9565@gmail.com> thx
[17:35:53] <hk9565@gmail.com> this list thing is a big hack :(
[17:36:01] <stpeter> heh
[17:36:17] <stpeter> hk9565@gmail.com: prefix with "MIC" or somesuch if you'd like us to channel
[17:36:25] <hk9565@gmail.com> k
[17:42:32] <=JeffH> yes it is a "big hack" -- tho to use another bootstrap means, such as SecureDNS, we need to solve the "secure dns last mile" problem, which is going to take a while
[17:42:39] Karen O'Donoghue joins the room
[17:43:00] <stpeter> =JeffH: ya think?
[17:43:37] g.e.montenegro joins the room
[17:43:40] <ogud> JeffH: run DNS validator in the local box then you only need to secure the box
[17:44:01] <hk9565@gmail.com> there's some resistance to shipping a DNSSEC client in the browser
[17:44:06] <hk9565@gmail.com> i don't fully understand why
[17:44:08] sm leaves the room
[17:44:15] <hk9565@gmail.com> but i think its a bunch of code size
[17:44:33] sm joins the room
[17:45:50] <sftcd> what's the timing attack?
[17:46:04] <Ted> Do you wish that reflected to Thomas?
[17:46:06] <Ted> and the room?
[17:46:33] <sftcd> no, i'm here, I'm just wondering what timing attack this mitigates that can't be done by looking at traffic anyway
[17:47:12] <hk9565@gmail.com> html running in the browser can't look at traffic on the network
[17:47:17] <hk9565@gmail.com> it's a different threat model
[17:49:03] <resnick> @Barry: "Lost" as in we would clearly be in the rough?
[17:49:20] <hk9565@gmail.com> http://abortz.net/papers/timingweb.pdf
[17:49:32] <hk9565@gmail.com> ^^^ examples of timing attacks
[17:50:40] <ogud> can't hear comment can someone repeat in the mic
[17:51:22] <Ted> He said that Thomas had already mentioned Frame Options
[17:52:03] <sftcd> @hk9565 - thanks, not clear to me that the mitigation proposed here would be very effective but I'll have a read
[17:54:03] hk9565@gmail.com leaves the room
[17:54:09] hk9565@gmail.com joins the room
[17:54:11] <hk9565@gmail.com> @sftcd those attacks work even without the new WebTiming feature, but the WebTiming folks are worried about creating more vulnerabilities of that sort
[17:54:25] josephyee joins the room
[17:54:39] <sftcd> fair enough I guess
[17:55:39] <Ted> <also pedantry>The URI includes the scheme and port</also pedantry>
[17:56:17] Torsten joins the room
[17:58:44] <hk9565@gmail.com> MIC We've had a bad experience with varying response headers based on requests because "Vary" has bad caching interactions with existing implementations (e.g., proxies, old versions of IE)
[17:59:03] <hk9565@gmail.com> (e.g., that's how CORS works and it's a big problem in practice)
[17:59:10] <stpeter> Ted is going to channel
[18:01:38] Karen O'Donoghue leaves the room
[18:03:01] <hk9565@gmail.com> implementations match very closely. the main difference is the error experience
[18:03:42] <hk9565@gmail.com> (oh, I didn't know about the second blog post)
[18:04:10] <stpeter> hk9565@gmail.com: it seems to have been well-hidden...
[18:09:34] <=JeffH> i will look it up here....
[18:09:53] Karen O'Donoghue joins the room
[18:10:19] <=JeffH> E. Lawrence. Combating ClickJacking With X-Frame-Options. Online, March 2010. http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
[18:10:45] <=JeffH> that is the "second" blog post
[18:10:56] <=JeffH> the first (on X-frame-options)...
[18:11:13] <=JeffH> E. Lawrence. IE8 Security Part VII: ClickJacking Defenses. Online, January 2009. http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
[18:16:40] g.e.montenegro leaves the room
[18:17:24] Torsten leaves the room
[18:23:14] <stpeter> http://www.ietf.org/id/draft-pettersen-subtld-structure-08.txt
[18:23:36] <stpeter> that's the draft Yngve Pettersen just mentioned
[18:24:36] <ogud> MIC: The DNS wg told him it is a bad idea
[18:25:13] <sm> You mean "a problem that cannot be solved within the WG" ...
[18:26:16] <ogud> A problem that cannot be solved due to how cookies are specified in the first place
[18:26:28] <Ted> is that also for the mic: ?
[18:26:31] <ogud> no
[18:26:54] sftcd leaves the room
[18:27:04] <sm> Olafur, wasn't the DNS WG reluctant to touch the public suffix issue?
[18:27:23] sftcd joins the room
[18:27:31] <ogud> DNSext ruled this draft out of scope and DNSOP did not want to adopt
[18:28:12] <sm> It's still being done outside the IETF
[18:30:54] Barry Leiba leaves the room
[18:31:00] sftcd leaves the room
[18:31:10] yoiwa leaves the room
[18:31:10] linuxwolf leaves the room
[18:31:21] ogud leaves the room
[18:31:22] simo.veikkolainen leaves the room
[18:31:25] Ted leaves the room
[18:31:36] bkihara.l leaves the room
[18:32:01] yuioku leaves the room
[18:32:16] hildjj leaves the room: Disconnected.
[18:32:20] yone leaves the room
[18:32:38] linyi leaves the room
[18:34:34] simo.veikkolainen joins the room
[18:34:59] Karen O'Donoghue leaves the room
[18:35:07] simo.veikkolainen leaves the room
[18:35:29] hildjj joins the room
[18:36:08] hk9565@gmail.com leaves the room
[18:36:12] =JeffH leaves the room
[18:36:44] Satoru Kanno leaves the room
[18:36:59] jimsch leaves the room
[18:37:03] sm leaves the room
[18:42:24] lef_jp leaves the room
[18:50:24] rlbob leaves the room
[18:50:45] rlbob joins the room
[18:52:54] rlbob leaves the room
[18:56:04] hildjj leaves the room: Disconnected.
[18:56:57] Chris Newman leaves the room
[19:04:10] Ted joins the room
[19:05:50] resnick leaves the room
[19:06:31] josephyee leaves the room
[19:10:55] Karen O'Donoghue joins the room
[19:11:46] Ted leaves the room
[19:22:56] hildjj joins the room
[19:22:56] Bjoern leaves the room
[19:25:50] linuxwolf joins the room
[19:30:59] hildjj leaves the room: Disconnected.
[19:35:11] rlbob joins the room
[19:43:25] hildjj joins the room
[19:48:12] ChrisWeber leaves the room
[19:49:19] Chris Newman joins the room
[19:50:49] Chris Newman leaves the room
[19:52:18] hildjj leaves the room: Disconnected.
[19:52:45] Karen O'Donoghue leaves the room
[19:58:02] stpeter leaves the room
[20:07:18] nx leaves the room
[20:13:26] rlbob leaves the room
[20:34:42] hildjj joins the room
[20:37:09] hildjj leaves the room
[20:50:44] rlbob joins the room
[23:09:12] rlbob leaves the room
[23:09:12] linuxwolf leaves the room