Hi,
Wow - I have to admit that I've heard Ivan Ristic talk about some of the
techniques mentioned in the SBM proposal before, but never got the
chance to read the complete document.
Great work Ivan!
It seems to me that SBM is an interesting (and almost a "holistic")
approach to secure browsing - I would love to see browser and server
vendors join hands in making this come to life.
-Ory
-----Original Message-----
From: Ryan Barnett [mailto:rcbarnett@gmail.com]
Sent: Saturday, August 11, 2007 3:28 AM
To: Anurag Agarwal; WASC Forum; Webappsec @securityFocus
Subject: Re: [WEB SECURITY] Seeking feedback on proposed security
restriction in the browsers
Ivan Ristic wrote a proposal paper about a year ago called "Secure
Browsing Mode" that you might want to look at -
http://www.modsecurity.org/blog/archives/Secure_Browsing_Mode_Proposal.p
df
It also references Gervase's paper.
On 8/10/07, Anurag Agarwal <anurag.agarwal@yahoo.com> wrote:
I am looking to get views from people on the list about a proposed
security restriction in the browsers
The browser should check with the webserver which domains it can
interact with (load files from or submit post data to, etc) for that
website. How the check is implemented is upto the browser.
For example: If a page from mybank.com is trying to submit data to
attacker.com then before submitting the data, the browser should check
with the mybank.com if it is allowed to do so.
Q1. is it reasonable?
Q2. What are the pros and cons of this approach?
Q3. Would it limit some types of browser attacks (like some xss
vectors, etc)?
Q4. Would it open any new types of attack vectors?
I know there are security researchers, browser vendors, corporate
security folks and various other smart webappsec people on this list.
I would really appreciate if they can chip in with their 2 cents on
this topic.
Any feedback is highly appreciated
Cheers,
Anurag Agarwal
SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com Email :
anurag.agarwal@yahoo.com Blog : http://myappsecurity.blogspot.com
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
------------------------------------------------------------------------
----
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------
