Re: Remove paths from CSP? from Sigbjørn Vik on 2014-02-13 (public-webappsec@w3.org from February 2014)

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Thu, 13 Feb 2014 09:50:48 +0100
To: Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Odin Hørthe Omdal <odinho@opera.com>, Adam Barth <w3c@adambarth.com>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <bhill@paypal-inc.com>, Michal Zalewski <lcamtuf@google.com>, Garrett Robinson <grobinson@mozilla.com>
Message-ID: <52FC8768.4010003@opera.com>

On 12-Feb-14 15:27, Mike West wrote:
>
> Just for clarity up top, I understand your concrete suggestions to be:
>
> 1. Remove reporting.
> 2. Block resources in such a way as to make the page believe that the
> load was successful (for example, by populating
> 'naturalWidth'/'naturalHeight' for blocked images).

Yes. The page doesn't have to believe the load is successful, just
indistinguishable from a normal load attempt (which might fail for other
reasons).

> * let's say http://service.com/sekritimage.jpg redirects to
> http://service.com/login if you're not logged in. Loading that via an
> <img> element will reveal whether you're logged in or not, as the former
> URL is an image, and the latter isn't. It will do so regardless of CSP,
> for that matter. This is not uncommon.
>
> * style's "interaction" with the page are trivially detectable by
> querying the CSSOM to get element style details.
>
> * script's "interaction" with the page changes the environment in ways
> that are generally detectable (globals, event handlers, effects on DOM,
> etc).

These kind of resources are already detectable on vulnerable websites,
without CSP. Websites which care, may fix this. That many websites have
such holes, is not an argument that we should build this hole into
browsers. What CSP does is to automate this attack, and make it
impossible for web sites to fix this. However, these kind of resources
are not important.

> You agree at the bottom of the email that some effects will be
> detectable, but claim that detection will be heuristics-based and flaky.
> I think you're underestimating sites' ability to query their own state.

Data resources, such as HTML documents and JSON do need login
protection. These are harder to detect if they have loaded, and
detection of these is flaky, and relying on side channels. CSP as
currently specced would change this. Sites need to protect such
documents, and cannot avoid the problem introduced by CSP.

Even if positive detection (site loaded) might be possible, negative
detection (site not loaded) is a much harder problem to solve. Timeouts
increase the attack time manyfold, and there may be other reasons for
loading failure than CSP. By giving direct access to negative detection,
CSP makes this much easier.

I stand by my statement that detecting meaningful (i.e. data) cross
domain loads is flaky and heuristics based.

> Additionally, I think you're incorrect to claim that anything we're
> discussing here "prevent[s] great security". The worst-case scenario
> we're discussing is reading redirection target paths cross-origin. The
> bad-case scenario we're discussing is reading redirection target origins
> cross-origin. I agree that these are bad things.

If they are bad, then they must surely prevent greatness? (For suitable
definitions of bad and great.)

> We should fix them.
> That said, even if we end up with both of these, fully exploitable,
> forever, I'd still claim mitigation of XSS to be more important. :)

Facts first:
XSS prevention is important. CSP will not prevent XSS, but will make XSS
prevention easier. XSS prevention is possible without CSP. CSP (as
specced today) will open a new hole in the same domain policy, which
cannot be closed by web sites. Many web sites have this hole already.
CSP can be made without this hole, although with less error reporting
functionality. Forever is a long time.

Phishing is bigger problem than XSS, according to experts[1][2][3].
Knowing where a user is logged in aids phishing. CSP as currently
specced makes this possible. We don't know which direction the web will
involve in, new attack forms may (will) be developed.

My conclusion:
Opening up the new hole is not worth it. What we lose is error reporting
functionality and implementation simplicity.

[1]
http://www.scmagazine.com/phishing-remains-most-reliable-cyber-fraud-mechanism/article/248998/
[1] http://www.proofpoint.com/uk/topten/index-roi.php
[2]
http://www.invincea.com/wp-content/uploads/Invincea-spear-phishing-watering-hole-drive-by-whitepaper-5.17.13.pdf

-- 
Sigbjørn Vik
Opera Software

Received on Thursday, 13 February 2014 08:51:18 UTC