The TAG - w3.org/tag

Tim Berners-Lee (W3C, Chair, “web developer”)
Mark Nottingham (Akamai; http wg chair)
Daniel Appelquist (Invited Expert, Chair)
Yan Zhu (Yahoo!)
Hadley Beeman (W3C Invited Expert)

 

Peter Linss (HP, Chair)
Travis Leithead (Microsoft)
Yves Lafon (W3C, staff contact)
Alex Russell (Google)
David Baron (Mozilla, not shown)

The web needs to clean up its act on security & privacy

Why now?

Because Snowden!!!1!!

Ok, yes… and…

• the web is becoming more powerful
• the web is an essential part of everyday life
• web privacy is a punch line (and that has to change)
• the balance of power on the web is heavily weighted towards big services / big ad networks / big governments
• public wifi hotspots are injecting script
• government surveillance is on the rise
  • there are more than one government
  • these surveillance powers are being abused
• what you “like” can get you tortured and killed

SRINT Workshop

February 2014 in London

https://www.w3.org/2014/strint/

+

“Pervasive Monitoring
is an Attack”

• Pervasive monitoring is “surveillance at widespread observation points, without any particular target in mind at time of surveillance, and without any modification or injection of of network traffic.” - Trammell, et al.
• “The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible.” - Farrell & Tschofenig

It's all about Trust

• The web is supporting more and more of the world’s communications
• Trustworthiness is key
• Pervasive monitoring undermines that trust
• HTTPS was originally deployed so that people could have trust in spending money online
• Now, more and more of what we do online requires that level of trust

Is the web
fit for purpose?

So what's happening?

TAG Finding: Securing the Web

• Moving the Web to https
• Motivations thereof
• Coordinating with the web community

https://www.w3.org/2001/tag/doc/web-https

US Whitehouse Moving US Federal Websites to https

• The Whitehouse proposed to require federal web sites to be https-only
• They posted this proposal to github for comment: https://github.com/GSA/https
• W3C TAG has +1’d this proposal https://github.com/GSA/https/issues/94 

UK Government Data Services

• “It’s very important that this information can’t be intercepted by malicious third parties as it travels over the Internet.”
• “all services accessed through service.gov.uk domains MUST only be accessible through secure connections”
• “use HSTS”

https://www.gov.uk/service-manual/domain-names/https.html

How can we move to a secure web?

Secure Contexts

• Née “Privileged Contexts,” née “Powerful Features”
• Joint work between TAG and Web Apps Security Group

https://w3c.github.io/webappsec/specs/powerfulfeatures/

What's a Powerful Feature?

• The feature provides access to sensitive data
• The feature provides access to sensor data on a user’s device 
• The feature provides access to or information about other devices a user has access to
• The feature exposes temporary or persistent identifiers
• The feature introduces some state for an origin which persists across browsing sessions
• The feature manipulates a user agent’s native UI in some way which could trick the user
• The feature requests user permission 

…and the web is adding more and more of these, all the time!

Some commonly raised objections to HTTPS

(and why they’re wrong)

Credit to Yan Zhu of Yahoo! & member of W3C TAG

1. HTTPS is expensive and hard to set up

• This is getting better
• Many hosting providers already offer point-and-click wizards for setting up TLS
• EFF “LetsEncrypt” initiative in the near future
  • New certificate authority
  • Free certificates
  • New cert management protocol: ACME
  • Entire process < 30 seconds
  • Wide industry support
• Now in public Beta

https://letsencrypt.org

2. There is no value in using HTTPS for public data (e.g. news articles)

• Cousin of the “if you have nothing to hide you have nothing to fear” mindset
• Misses the point that aggregating browser data can reveal a lot
• What’s public and non-controversial in one country may be subversive in another
• What symptoms you search for on health websites are could raise your insurance premiums
• What article you leave a comment on in The Guardian or what you “like” on Facebook can get you thrown in prison

3. TLS is Slow

• Mostly not
• Modern versions optimize away most of the performance issues
• c.f. https://istlsfastyet.com (spoiler: it is)
• HTTP/2 also offers performance gains

4. TLS breaks feature “X”

• Usually having to do with “mixed content”
• Yes, there is more work to do than just switching to https
• Modern developer tools can help you debug these issues
• “https everywhere” tool also can help to debug issues
• Does this break the web?
• probably still the thorniest issue

Upgrade Insecure Requests

In development, here:

https://w3c.github.io/webappsec-upgrade-insecure-requests/

• There's a lot of legacy content out there in file systems, databases, etc...
• A CSP directive
• Makes it easier for site owners to transition to https
• Directs the browser to change insecure requests to secure ones

5. HTTPS offers “false sense of security”

• …compared to what?
• Yes, there are holes in the current CA system, these are being addressed
• It’s better than the alternative which is no encryption
• It mitigates against pervasive monitoring
• It minimizes the data “on the wire”

Asking Permission

Permissions API

https://w3c.github.io/permissions/

Finer-grained control over permissions-requesting APIs

For example:

You can't tell whether a website already has geolocation permission before you try to use it.

A permissions anti-pattern

Ask permission
for a purpose

Multiple permissions requests can be a mess

Permissions API

• Finer-Grained Control for the Web developer
• Compose permissions asks together
• Allows developer to lead the user through the permissions-granting process
• More meaningful permissions dialog with the user

https://w3c.github.io/permissions/​

Finding: End-to-End Encryption

• A follow-up to “securing the web”
• Adding our voice to advocates of e2e encryption
• Wading slightly into policy territory – intentionally and (we think) appropriately

• https://www.w3.org/2001/tag/doc/encryption-finding/

Finding: Unsanctioned Web Tracking

Explicitly calling out inappropriate use of web technology for tracking purposes as harmful and against web architecture

https://www.w3.org/2001/tag/doc/unsanctioned-tracking/

Side note:

Don't do this!

Credentials API

Draft W3C Credentials Management API (f/Google) (http://w3c.github.io/webappsec-credential-management/) evolves current password-based browser mechanisms focusing on federated sign-on.

Fido

Fido, also from Google (& friends), have submitted a spec to the W3C and want to integrate the Fido approach into the web:

http://www.w3.org/Submission/fido-web-api/

A Tale of Two Approaches to Web Authentication and Credentials

That “s” – and some of the web's other greatest mistakes

• Tim Berners-Lee challenged the web security community: could we move towards a TLS-encrypted http world? http://www.w3.org/DesignIssues/Security-NotTheS.html
• Dovetails with work in the http wg on opportunistic encryption
• Issues such as: would a https TLS-negotiated session be semantically equivalent to a http TLS-negotiated session?
• What about when full TLS cannot be negotiated?
• cf http://discourse.wicg.io/t/is-https-everywhere-harmful/821, http://discourse.wicg.io/t/getting-a-little-bit-formal-about-securing-all-the-web/835
• At last TAG f2f we agreed to try to set up a session on this topic at W3C TPAC meeting in Sapporo

Opportunistic Encryption

https://httpwg.github.io/http-extensions/encryption.html

Maybe coming to a browser near you…

HTTP/2

Another Powerful Feature

• http/2 is here and you are already using it
• It offers great performance gains over ubiquitously deployed http/1.1 (especially for mobile)
• Derived from Google’s SPDY project
  • is binary, instead of textual
  • is fully multiplexed
  • can therefore use one connection for parallelism
  • uses header compression to reduce overhead
  • allows servers to “push” proactively
• Browsers are only implementing http/2 over HTTPS
• If you’re not already working with it, you should be

Demos: http://www.http2demo.io, https://http2.akamai.com/demo

Site: https://http2.github.io​

This is our web

• The web is now a part of every aspect of our daily lives
• Think progressively about security and privacy
• ​Move towards an encrypted web
• Embrace web superpowers but wield them carefully

Thanks!

Daniel Appelquist

@torgo – @w3ctag