Restrict leakage of private information via sites known or thought likely to be compromised
Title:
Restrict leakage of private information via sites known or thought likely to be compromised
Area:
security
Summary:
As the DW code spreads and with more cross-site reading, it may become desirable to prevent sites with unpatched known security issues from reading locked entries.
Description:
If I have granted access to my locked entries to subscribers on a number of different DW-codebase sites, the compromising of one of those sites leads to the compromising of all my locked content.
Obviously I rely on trust when I grant access, and there are numerous ways that a remote server may be compromised. On the other hand, if a version/patch-level of DW is known to have a security problem (of a variety that allows an attacker to log in as another user), it might be preferable to prevent a site running that code from accessing my locked content (perhaps only after a patch has been available for a given interval).
This could be done by remote sites advertising their version in headers when requesting content.
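As an added illustration of the check a receiving site could run (this is not Dreamwidth code; the `X-DW-Version` header name, the advisory table and the grace period are all assumptions), the policy below reads the advertised version, matches it against known issues, and denies locked content only once a fix has been available for longer than the grace interval. Because the version is self-reported, it is treated as a reason to deny, never as proof that the remote site is safe.

```python
from datetime import date, timedelta

# Constructed advisory table (not real DW releases): each entry names the
# versions carrying a login-bypass class bug and the date a fix shipped.
KNOWN_ISSUES = [
    {"id": "EXAMPLE-1", "affected_from": (1, 2, 0), "affected_below": (1, 4, 2),
     "patch_available": date(2009, 3, 1)},
]
GRACE_PERIOD = timedelta(days=14)   # assumed interval after a fix before denying
VERSION_HEADER = "X-DW-Version"     # hypothetical header advertised by the remote


def parse_version(value):
    """Turn '1.3.7' into (1, 3, 7), padding to three parts; None if malformed."""
    if not value:
        return None
    parts = value.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def allow_locked_content(headers, today, require_header=True):
    """Return (allowed, reason) for a cross-site request for locked entries.

    The advertised version is self-reported: a fully compromised site can lie,
    so a 'safe' verdict here only means 'no reason to refuse'.
    """
    version = parse_version(headers.get(VERSION_HEADER))
    if version is None:
        return (not require_header, "no parseable version advertised")
    for issue in KNOWN_ISSUES:
        if issue["affected_from"] <= version < issue["affected_below"]:
            deny_from = issue["patch_available"] + GRACE_PERIOD
            if today < deny_from:
                return (True, f"{issue['id']}: within grace period until {deny_from}")
            return (False, f"{issue['id']}: fix available since {issue['patch_available']}")
    return (True, "no known issue for advertised version")
```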
Advantages:
* This might apply significant social pressure to remote sites to keep their code patched.
* This might flag up stagnant sites that are being improperly maintained.
* Sites with obsolete DW code might well be poorly maintained with respect to other components as well (and indeed they could also advertise other software versions in the same way).
* Might save users from dealing with this by adjusting their personal access controls too frequently.
Disadvantages:
* Might complicate social arrangements at a time when it's more important to grow the community of sites using DW code than to ensure strict access controls.
* Might give false sense of security.
* A sufficiently bad security hole (e.g. arbitrary code execution) could allow an attacker to cause the site to lie about its version.
I'm not sure what the analogous behaviour is with an OpenID provider that is known to be vulnerable to impersonation.
This suggestion:
* Should be implemented as-is: 4 (12.5%)
* Should be implemented with changes (please comment): 3 (9.4%)
* Shouldn't be implemented: 8 (25.0%)
* (I have no opinion): 15 (46.9%)
* (Other: please comment): 2 (6.2%)