Wednesday, December 29, 2010

Poll Time - What One Problem in Web Security Do You Want to Fix?


It is poll time. Doing a little planning and trying to figure out what people view as the biggest architectural weaknesses on the web security wise. I'm mainly focused on things within HTTP and HTML/JS/CSS themselves, not things at the TLS layer.

There is a small poll on the right hand side of the blog. If you have other ideas, pleas stick them in the comments.

A few things I didn't include as I wasn't sure what to do with them:
  • Fixing XSS. Change core web protocols/technologies to provide a much cleaner code/data separation. Maybe CSP does this well enough?
  • Fixing CA's and how they work. I consider this a related but separate problem.
  • Fixing CSRF. It could make the list and there are several options architecturally such as scope-cookies and/or the Origin header.
[UPDATE-1] - I'm interested in fixing to webservers, browsers, core protocols, etc. Not what individuals writing web apps should do to make their own apps more secure. So, for example, fixing Struts/Spring/etc. would be out of scope for this survey.

[UPDATE-2] - The item in the poll for improving authentication is partially about the HTTP protocol, but also about web browser UI, how auth data gets handled in the Chrome, etc.

5 comments:

James said...

I voted for authentication, because I include SSL auth in that. DNSSEC will help, but the current PKI nightmare we have needs major work.

Anonymous said...

I was tempted to go for the XSS focused options you had but I wanted to vote other to make my idea clearer.

I think if you focused on Input Validation and Output Validation/Encoding as a potential fix to XSS you would also fix a lot of other issues at the same time.

J. Antonio Ruíz said...

In my particular point of view I think, that should be remedied vulnerabilities in web design and development are:

-Lack of input validation on user input.
-Lack of Sufficient logging Mechanism.
-Fail-open error handling
-Not Properly closing the database connection

And with these vulnerabilities remediated properly, we can achieve a secure website application or eliminating XSS attacks, CSRF, SQLi, Improper Handling Errors and XPATH Injection

Anonymous said...

I voted for improving HTTP Authentication in the hope that it makes a lot of (all?) attempts to beat the cookie nightmare obsolete ;-)

Markus Jakobsson said...

1. Close the gap between what the user thinks happens and what actually happens. Yes, this is a tall order -- an immediate consequence would be to eradicate phishing. To be realistic, we should aim for special cases of the problem, or aim to reduce the size of the gap instead of hoping to close it entirely.

2. Recognize that we cannot always port security solution to mobile environments. The different constraints require different solutions.