WebApp Sec mailing list archives
RE: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
From: "Ory Segal" <osegal () watchfire com>
Date: Sat, 11 Aug 2007 07:19:04 +0300
Hi, Wow - I have to admit that I've heard Ivan Ristic talk about some of the techniques mentioned in the SBM proposal before, but never got the chance to read the complete document. Great work Ivan! It seems to me that SBM is an interesting (and almost a "holistic") approach to secure browsing - I would love to see browser and server vendors join hands in making this come to life. -Ory -----Original Message----- From: Ryan Barnett [mailto:rcbarnett () gmail com] Sent: Saturday, August 11, 2007 3:28 AM To: Anurag Agarwal; WASC Forum; Webappsec @securityFocus Subject: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers Ivan Ristic wrote a proposal paper about a year ago called "Secure Browsing Mode" that you might want to look at - http://www.modsecurity.org/blog/archives/Secure_Browsing_Mode_Proposal.p df It also references Gervase's paper. On 8/10/07, Anurag Agarwal <anurag.agarwal () yahoo com> wrote:
I am looking to get views from people on the list about a proposed security restriction in the browsers The browser should check with the webserver which domains it can interact with (load files from or submit post data to, etc) for that website. How the check is implemented is upto the browser. For example: If a page from mybank.com is trying to submit data to attacker.com then before submitting the data, the browser should check
with the mybank.com if it is allowed to do so. Q1. is it reasonable? Q2. What are the pros and cons of this approach? Q3. Would it limit some types of browser attacks (like some xss vectors, etc)? Q4. Would it open any new types of attack vectors? I know there are security researchers, browser vendors, corporate security folks and various other smart webappsec people on this list. I would really appreciate if they can chip in with their 2 cents on
this topic.
Any feedback is highly appreciated Cheers, Anurag Agarwal SEEC - An application security search engine Web: www.attacklabs.com , www.myappsecurity.com Email : anurag.agarwal () yahoo com Blog : http://myappsecurity.blogspot.com
-- Ryan C. Barnett ModSecurity Community Manager Breach Security: Director of Application Security Training Web Application Security Consortium (WASC) Member CIS Apache Benchmark Project Lead SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC Author: Preventing Web Attacks with Apache ------------------------------------------------------------------------ ---- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed] ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe --------------------------------------------------------------------------
Current thread:
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers James Landis (Aug 15)
- <Possible follow-ups>
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers Amit Klein (Aug 15)
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers Ryan Barnett (Aug 15)
- RE: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers Ory Segal (Aug 15)
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers Amit Klein (Aug 15)
- Message not available