[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
- From: "Ory Segal" <osegal@xxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
- Date: Sat, 11 Aug 2007 07:19:04 +0300
Hi,
Wow - I have to admit that I've heard Ivan Ristic talk about some of the
techniques mentioned in the SBM proposal before, but never got the
chance to read the complete document.
Great work Ivan!
It seems to me that SBM is an interesting (and almost a "holistic")
approach to secure browsing - I would love to see browser and server
vendors join hands in making this come to life.
-Ory
-----Original Message-----
From: Ryan Barnett [mailto:rcbarnett@xxxxxxxxx]
Sent: Saturday, August 11, 2007 3:28 AM
To: Anurag Agarwal; WASC Forum; Webappsec @securityFocus
Subject: Re: [WEB SECURITY] Seeking feedback on proposed security
restriction in the browsers
Ivan Ristic wrote a proposal paper about a year ago called "Secure
Browsing Mode" that you might want to look at -
http://www.modsecurity.org/blog/archives/Secure_Browsing_Mode_Proposal.p
df
It also references Gervase's paper.
On 8/10/07, Anurag Agarwal <anurag.agarwal@xxxxxxxxx> wrote:
> I am looking to get views from people on the list about a proposed
> security restriction in the browsers
>
> The browser should check with the webserver which domains it can
> interact with (load files from or submit post data to, etc) for that
> website. How the check is implemented is upto the browser.
>
> For example: If a page from mybank.com is trying to submit data to
> attacker.com then before submitting the data, the browser should check
> with the mybank.com if it is allowed to do so.
>
> Q1. is it reasonable?
> Q2. What are the pros and cons of this approach?
> Q3. Would it limit some types of browser attacks (like some xss
> vectors, etc)?
> Q4. Would it open any new types of attack vectors?
>
>
> I know there are security researchers, browser vendors, corporate
> security folks and various other smart webappsec people on this list.
> I would really appreciate if they can chip in with their 2 cents on
this topic.
>
>
> Any feedback is highly appreciated
>
> Cheers,
>
> Anurag Agarwal
>
> SEEC - An application security search engine
> Web: www.attacklabs.com , www.myappsecurity.com Email :
> anurag.agarwal@xxxxxxxxx Blog : http://myappsecurity.blogspot.com
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
------------------------------------------------------------------------
----
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org
Search this site
|