web-key: Mashing with Permission

http://waterken.sf.net/web-key/

Highlights and examples from the paper, and an open discussion

Security vs. the Web

• Casualties of the username/password:– Global identification

• Sharing a resource by passing a URL

– Orthogonality• Hypertext can refer to a resource by URL only

– Global scope• A URL means the same thing everywhere

• Got us the Same Origin Policy

Security vs. the Web

• … and often doesn’t actually result in the security we wanted– Loss of global identification

• User revolt to “something you know”

– Loss of orthogonality• Pervasive prompting => phishing

– Loss of global scope• XSRF: this global identifier means something

different when you use it– My Access Control List doesn’t control access?

The Web with security

• What security properties can we add to the Web without breaking it and would they be useful in real applications?– A URL is a lot like a reference.– Capability-security gets its security from

enforcing the properties of references.– Check the protocols and clients to see if it’s a

good fit.

The Web as capability system

• Referer header almost makes the Web a dynamically scoped language

• Some referential integrity from HTTPS

• Windowing API in the browser is hysterical– Survivable, but does require some care

• Address bar shows reference bits– Can mitigate or ignore if no one’s looking

https://yurl.net/-/#kzqxsxbub4742a

• Global Id, Orthogonality, Global Scope

• Global id = Just click

• Orthogonality = No prompting

• Global scope = no XSRF

• Global scope = no need for Same Origin

• Global id = fine grained access for mashup