pseudomonas wrote in dw_suggestions, 2009-08-27 12:56 pm

Restrict leakage of private information via sites known or thought likely to be compromised

Title:
Restrict leakage of private information via sites known or thought likely to be compromised

Area:
security

Summary:
As the DW code spreads and with more cross-site reading, it may become desirable to prevent sites with unpatched known security issues from reading locked entries.

Description:
If I have granted access to my locked entries to subscribers on a number of different DW-codebase sites, the compromising of one of those sites leads to the compromising of all my locked content.

Obviously I rely on trust when I grant access, and there are numerous ways that a remote server may be compromised. On the other hand, if a version/patch-level of DW is known to have a security problem (of a variety that allows an attacker to log in as another user), it might be preferable to prevent a site running that code from accessing my locked content (perhaps only after a patch has been available for a given interval).

This could be done by remote sites advertising their version in headers when requesting content.
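As an added illustration of the mechanism just described (not code from the suggestion or from Dreamwidth), the following sketches how the receiving site could evaluate a remote site's self-reported version against a list of known login-impersonation advisories, with a grace interval after the patch date. The header name `X-DW-Version`, the advisory format, the 14-day grace default and the sample advisory are all assumptions for this example.

```python
"""Gate locked-entry reads on a remote site's self-reported code version.

Added illustration of the suggestion's mechanism; not Dreamwidth code.
Header name, advisory format and the 14-day grace interval are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Mapping, Optional, Sequence, Tuple

# Hypothetical header a remote DW-codebase site would send when fetching content.
VERSION_HEADER = "X-DW-Version"

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Advisory:
    """A security problem that lets an attacker act as another user.

    affected_max: highest version (inclusive) still carrying the bug
    patch_released: the day a fixed release became available
    """
    affected_max: Version
    patch_released: date


def parse_version(text: Optional[str]) -> Optional[Version]:
    """Normalise '1.4' or '1.4.2' to a 3-tuple; None if absent or malformed."""
    if not text:
        return None
    try:
        parts = [int(p) for p in text.strip().split(".")]
    except ValueError:
        return None
    if not 1 <= len(parts) <= 3:
        return None
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_known_vulnerable(version: Version, advisories: Sequence[Advisory],
                        today: date, grace: timedelta = timedelta(days=14)) -> bool:
    """True when `version` is covered by an advisory whose patch has been out for at least `grace`.

    The grace interval implements "only after a patch has been available for a
    given interval", so a site is not cut off the day a fix ships.
    """
    return any(
        version <= adv.affected_max and today - adv.patch_released >= grace
        for adv in advisories
    )


def may_read_locked(headers: Mapping[str, str], advisories: Sequence[Advisory],
                    today: date, unknown_policy: str = "deny") -> bool:
    """Decide whether a remote site's request may be served locked entries.

    unknown_policy: what to do when the version header is missing or unparseable.
      "deny"  - treat an unknown version as untrusted (fails closed)
      "allow" - keep serving; useful while sites are still adopting the header

    The version is self-reported: a site compromised badly enough to run attacker
    code can lie about it, so this is a policy signal that raises the cost of
    staying unpatched, not an authentication check.
    """
    # HTTP header names are case-insensitive, so match without regard to case.
    raw = next((v for k, v in headers.items() if k.lower() == VERSION_HEADER.lower()), None)
    version = parse_version(raw)
    if version is None:
        return unknown_policy == "allow"
    return not is_known_vulnerable(version, advisories, today)


# Constructed sample data: one advisory whose fix shipped on 2009-08-01,
# and two evaluation dates (26 days and 9 days after the patch).
SAMPLE_ADVISORIES = [Advisory(affected_max=(1, 3, 0), patch_released=date(2009, 8, 1))]
SAMPLE_TODAY = date(2009, 8, 27)
SAMPLE_EARLY = date(2009, 8, 10)

if __name__ == "__main__":
    for hdrs in ({"X-DW-Version": "1.2.5"}, {"X-DW-Version": "1.3.1"}, {}):
        print(hdrs, "->", may_read_locked(hdrs, SAMPLE_ADVISORIES, SAMPLE_TODAY))
```

The `unknown_policy` switch is where the "false sense of security" and adoption trade-offs from the lists below would be decided: failing closed protects locked content but penalises sites that simply have not started sending the header yet.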

Advantages:
* This might apply significant social pressure to remote sites to keep their code patched.
* This might flag up stagnant sites that are being improperly maintained.
* Sites with obsolete DW code might well be poorly maintained with respect to other components as well (and indeed they could also advertise other software versions in the same way).
* Might prevent users from having to deal with this by fiddling with their personal access controls too frequently.

Disadvantages:
* Might complicate social arrangements at a time when it's more important to grow the community of sites using DW code than to ensure strict access controls.
* Might give false sense of security.
* A sufficiently bad security hole (e.g. arbitrary code execution) could allow an attacker to cause the site to lie about its version.

I'm not sure what the analogous behaviour is with an OpenID provider that is known to be vulnerable to impersonation.

Poll #1105 Restrict leakage of private information via sites known or thought likely to be compromised
Open to: Registered Users, detailed results viewable to: All, participants: 32


This suggestion:


Should be implemented as-is.
4 (12.5%)

Should be implemented with changes. (please comment)
3 (9.4%)

Shouldn't be implemented.
8 (25.0%)

(I have no opinion)
15 (46.9%)

(Other: please comment)
2 (6.2%)

