| < draft-tschofenig-secure-the-web-00.txt | draft-tschofenig-secure-the-web-01.txt > |
|---|---|
| Network Working Group M. Hanson | Network Working Group M. Hanson |
| Internet-Draft Mozilla | Internet-Draft Mozilla |
| Intended status: Informational H. Tschofenig | Intended status: Informational H. Tschofenig |
| Expires: April 26, 2012 Nokia Siemens Networks | Expires: November 10, 2012 Nokia Siemens Networks |
| S. Turner | S. Turner |
| October 24, 2011 | IECA, Inc. |
| | May 9, 2012 |
| An Inquiry into the Nature and the Causes of Web Insecurity | An Inquiry into the Nature and the Causes of Web Insecurity |
| draft-tschofenig-secure-the-web-00.txt | draft-tschofenig-secure-the-web-01.txt |
| Abstract | Abstract |
| The year 2011 has been quite exciting from a Web security point of | The year 2011 has been quite exciting from a Web security point of |
| view: a number of high-profile security incidents have gotten a lot | view: a number of high-profile security incidents have gotten a lot |
| of press attention but also new initiatives, such as the National | of press attention but also new initiatives, such as the National |
| Strategy for Trusted Identities in Cyberspace (NSTIC), had been | Strategy for Trusted Identities in Cyberspace (NSTIC), had been |
| launched to improve the Web identity eco-system. The NSTIC strategy | launched to improve the Web identity eco-system. The NSTIC strategy |
| paper, for example, observes problems with Internet security due to | paper, for example, observes problems with Internet security due to |
| the widespread usage of low-entropy passwords and the lack of widely | the widespread usage of low-entropy passwords and the lack of widely |

| skipping to change at page 1, line 42 | skipping to change at page 1, line 43 |
|---|---|
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on April 26, 2012. | This Internet-Draft will expire on November 10, 2012. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents |
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect |
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must |
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of |
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as |

| skipping to change at page 3, line 17 | skipping to change at page 3, line 17 |
|---|---|
| HTTP is an IETF standard and documented in RFC 2616 [RFC2616] and | HTTP is an IETF standard and documented in RFC 2616 [RFC2616] and |
| provides the core foundation of the browser-based platform but is | provides the core foundation of the browser-based platform but is |
| also widely used for non-browser-based applications. Like any other | also widely used for non-browser-based applications. Like any other |
| specification in the IETF HTTP also comes with various security | specification in the IETF HTTP also comes with various security |
| mechanims. Digest authentication support in HTTP was published in | mechanims. Digest authentication support in HTTP was published in |
| 1997 with RFC 2069 [RFC2069] and later updated in 1999 by RFC 2617 | 1997 with RFC 2069 [RFC2069] and later updated in 1999 by RFC 2617 |
| [RFC2617]. The HTTP state management mechanism, namely cookies, was | [RFC2617]. The HTTP state management mechanism, namely cookies, was |
| initially published in 1997 with RFC 2109 [RFC2109], and re-written | initially published in 1997 with RFC 2109 [RFC2109], and re-written |
| in 2000 by RFC 2965 [RFC2965]. | in 2000 by RFC 2965 [RFC2965]. |
| For client side authentication two different solution tracks had | For client side authentication two different solution tracks have |
| therefore been offered from the IETF, namely TLS client side | therefore been offered from the IETF, namely TLS client side |
| authenication (at that time using certificates) and also application | authenication (at that time using certificates) and also application |
| level authentication via HTTP basic and digest. TLS client | level authentication via HTTP basic and digest. TLS client |
| authentication was quite complex for users to configure (and still is | authentication was quite complex for users to configure (and still is |
| complex today). HTTP based authentication on the other hand did not | complex today). HTTP based authentication on the other hand did not |
| found widespread usage either for a number of reasons. First, the | found widespread usage either for a number of reasons. First, the |
| user interface was rendered differently than the orginary Web | user interface was rendered differently than in regular Web |
| application form making it less attractive for users. At that time | application form making it less attractive for users. At that time |
| HTTP had a semantic that was closer to file system access control and | HTTP had a semantic that was closer to file system access control and |
| therefore the decision making process was binary, either the user was | therefore the decision making process was binary, either the user was |
| granted access to the resource or it wasn't. With the HTTP 401 there | granted access to the resource or it wasn't. With the HTTP 401 there |
| was no way for a user to, for example, recover from a lost password | was no way for a user to, for example, recover from a lost password |
| or other forms of failure cases. The authentication and | or other forms of failure cases. The authentication and |
| authorization process was not seen as continuium but rather as a | authorization process was not seen as continuium but rather as a |
| binary decision. For these reasons form-based authentication | binary decision. For these reasons form-based authentication |
| mechanisms had found widespread acceptance by the Web application | mechanisms had found widespread acceptance by the Web application |
| developer community. To add to this problem cookies were and still | developer community. To add to this problem cookies were and still |
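
Review bot: the wording fixes in this hunk ("had" to "have", "the orginary Web" to "in regular Web") leave the same paragraph's other spelling errors unchanged in the -01 column: "mechanims" should be "mechanisms", "authenication" should be "authentication", "continuium" should be "continuum", and "did not found widespread usage" should read "did not find widespread usage". Since this paragraph is already being edited, fixing these in the same revision avoids another editorial pass over the same text.
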

| skipping to change at page 17, line 34 | skipping to change at page 17, line 34 |
|---|---|
| [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, | [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, |
| April 2011. | April 2011. |
| [RFC2965] Kristol, D. and L. Montulli, "HTTP State Management | [RFC2965] Kristol, D. and L. Montulli, "HTTP State Management |
| Mechanism", RFC 2965, October 2000. | Mechanism", RFC 2965, October 2000. |
| 9.2. Informative References | 9.2. Informative References |
| [I-D.ietf-oauth-v2] | [I-D.ietf-oauth-v2] |
| Hammer-Lahav, E., Recordon, D., and D. Hardt, "The OAuth | Hammer-Lahav, E., Recordon, D., and D. Hardt, "The OAuth |
| 2.0 Authorization Protocol", draft-ietf-oauth-v2-22 (work | 2.0 Authorization Framework", draft-ietf-oauth-v2-26 (work |
| in progress), September 2011. | in progress), May 2012. |
| [RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, | [RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, |
| April 2010. | April 2010. |
| [I-D.ietf-websec-origin] | [I-D.ietf-websec-origin] |
| Barth, A., "The Web Origin Concept", | Barth, A., "The Web Origin Concept", |
| draft-ietf-websec-origin-06 (work in progress), | draft-ietf-websec-origin-06 (work in progress), |
| October 2011. | October 2011. |
| [I-D.ietf-websec-strict-transport-sec] | [I-D.ietf-websec-strict-transport-sec] |
| Hodges, J., Jackson, C., and A. Barth, "HTTP Strict | Hodges, J., Jackson, C., and A. Barth, "HTTP Strict |
| Transport Security (HSTS)", | Transport Security (HSTS)", |
| draft-ietf-websec-strict-transport-sec-02 (work in | draft-ietf-websec-strict-transport-sec-07 (work in |
| progress), August 2011. | progress), May 2012. |
| [RFC2069] Franks, J., Hallam-Baker, P., Hostetler, J., Leach, P., | [RFC2069] Franks, J., Hallam-Baker, P., Hostetler, J., Leach, P., |
| Luotonen, A., Sink, E., and L. Stewart, "An Extension to | Luotonen, A., Sink, E., and L. Stewart, "An Extension to |
| HTTP : Digest Access Authentication", RFC 2069, | HTTP : Digest Access Authentication", RFC 2069, |
| January 1997. | January 1997. |
| [I-D.ietf-abfab-arch] | [I-D.ietf-abfab-arch] |
| Howlett, J., Hartman, S., Tschofenig, H., and E. Lear, | Howlett, J., Hartman, S., Tschofenig, H., and E. Lear, |
| "Application Bridging for Federated Access Beyond Web | "Application Bridging for Federated Access Beyond Web |
| (ABFAB) Architecture", draft-ietf-abfab-arch-00 (work in | (ABFAB) Architecture", draft-ietf-abfab-arch-01 (work in |
| progress), July 2011. | progress), March 2012. |
| [I-D.ietf-httpbis-p7-auth] | [I-D.ietf-httpbis-p7-auth] |
| Fielding, R., Gettys, J., Mogul, J., Nielsen, H., | Fielding, R., Lafon, Y., and J. Reschke, "HTTP/1.1, part |
| Masinter, L., Leach, P., Berners-Lee, T., Reschke, J., and | 7: Authentication", draft-ietf-httpbis-p7-auth-19 (work in |
| Y. Lafon, "HTTP/1.1, part 7: Authentication", | progress), March 2012. |
| draft-ietf-httpbis-p7-auth-16 (work in progress), | |
| August 2011. | |
| [I-D.tschofenig-post-standardization] | [I-D.tschofenig-post-standardization] |
| Tschofenig, H., Aboba, B., Peterson, J., and D. McPherson, | Aboba, B., McPherson, D., Tschofenig, H., and J. Peterson, |
| "Trends in Web Applications and the Implications on | "Trends in Web Applications and the Implications on |
| Standardization", draft-tschofenig-post-standardization-00 | Standardization", draft-tschofenig-post-standardization-01 |
| (work in progress), March 2011. | (work in progress), October 2011. |
| [I-D.ietf-rtcweb-overview] | [I-D.ietf-rtcweb-overview] |
| Alvestrand, H., "Overview: Real Time Protocols for Brower- | Alvestrand, H., "Overview: Real Time Protocols for Brower- |
| based Applications", draft-ietf-rtcweb-overview-02 (work | based Applications", draft-ietf-rtcweb-overview-03 (work |
| in progress), September 2011. | in progress), March 2012. |
| [I-D.ietf-rtcweb-security] | [I-D.ietf-rtcweb-security] |
| Rescorla, E., "Security Considerations for RTC-Web", | Rescorla, E., "Security Considerations for RTC-Web", |
| draft-ietf-rtcweb-security-00 (work in progress), | draft-ietf-rtcweb-security-02 (work in progress), |
| September 2011. | March 2012. |
| Authors' Addresses | Authors' Addresses |
| Mike Hanson | Mike Hanson |
| Mozilla | Mozilla |
| Phone: | Phone: |
| Email: mhanson@mozilla.com | Email: mhanson@mozilla.com |
| Hannes Tschofenig | Hannes Tschofenig |
| Nokia Siemens Networks | Nokia Siemens Networks |
| Linnoitustie 6 | Linnoitustie 6 |
| Espoo 02600 | Espoo 02600 |
| Finland | Finland |
| Phone: +358 (50) 4871445 | Phone: +358 (50) 4871445 |
| Email: Hannes.Tschofenig@gmx.net | Email: Hannes.Tschofenig@gmx.net |
| URI: http://www.tschofenig.priv.at | URI: http://www.tschofenig.priv.at |
| Sean Turner | Sean Turner |
| | IECA, Inc. |
| | 3057 Nutley Street, Suite 106 |
| | Fairfax, VA 22031 |
| | USA |
| Phone: | Phone: |
| Email: turners@ieca.com | Email: turners@ieca.com |
| End of changes. 16 change blocks. | |
| 25 lines changed or deleted | 28 lines changed or added |

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/