TrustedAuthority: Difference between revisions
Revision as of 14:33, 23 January 2016
See http://www.codemud.net/~thinker/en/GinGin_CGI.py/show_id_doc/15
A Trusted Authority is a kind of service to which users delegate security decisions. Users are usually poor at making security decisions; often they do not even understand the question being asked. Today, UAs prompt the user whenever a web page wants to use a privileged API. This is annoying and has proven not to work. Delegating the decision to a professional Trusted Authority would reduce or solve the problem.
API for Trusted Authority
When a page accesses one or more privileged APIs, the UA creates a request object and asks the Trusted Authority to authorize the access.
request
{
APIs: ["name", "of", "APIs"],
location: "page url", // The URL the page was loaded from.
hash: "SHA256(content of the page)",
resources: [ // Resources being accessed by the page.
{location: "URL of the resource 1", hash: "SHA256(content1)", executable: true},
{location: "URL of the resource 2", hash: "SHA256(content2)", executable: false},
...]
}
response
{
authorizeLocation: "page url",
APIs: ["name", "of", "APIs"],
characteristicResources: [ "URL of", "resources"],
validBefore: "date-time after which the authorization is no longer valid"
}
The Trusted Authority may authorize more APIs than were requested, for performance reasons: the UA then does not have to ask again when the page starts using another of those APIs. The UA must ask for authorization again when the page loads additional executable resources (JS code). (Open question: what about loading additional non-executable resources?)
If the UA keeps the response in a local cache, then before granting the APIs to the page it must check that |validBefore| has not passed, and that every resource listed in |characteristicResources| still has the same hash as when the response was obtained, i.e. has not been changed.
The Trusted Authority would run locally, as an addon or a service page, but talk to a remote server hosted by the Trusted Authority.
function handler(request) {
  // Check with the remote Trusted Authority server, or with a local cache of its earlier decisions.
  checkRequestAtRemoteOrLocalDataCache(request);
  if (/* the request is denied */) {
    return; // returning no response object means no APIs are granted
  }
  ...
  return { /* ... response ... */ };
}
TrustedAuthority.registerAuthorizingHandler(handler);
Remove all authorizations for the given page URLs.
TrustedAuthority.revokeAuthorization(["URL", "of", "pages", ...]);
Remove all authorizations whose page URL starts with one of the given prefixes.
TrustedAuthority.revokePrefixAuthorization(["prefix", "paths", ...]);
Responsibility
Trusted Authorities are responsible for checking that the page and its resources are safe to use the API. A Trusted Authority may review the page and its code, back up the site content for later checking, or make a contract with the site to make sure the site follows the policy set by the Trusted Authority.
Users choose a Trusted Authority they trust themselves. They may pay for the service the Trusted Authority provides, or it may be free.
Security
- The Trusted Authority can track users' activity on sites that call privileged APIs.
  - It can attack the UA by revoking authorizations frequently, so that each visit triggers a new request and reveals how often the user visits a site.
    - The UA could monitor how often the Trusted Authority revokes authorizations and warn the user.
- How do Trusted Authorities make sure that a site is safe?
  - Code review.
  - Sign a contract with the sites to make sure they follow the policy and rules set by the authority.
  - Revoke a site's authorizations as soon as possible once any malicious behavior is reported.
  - Back up the content of sites for reputation (and for later checking).
- Loading more JS code after being authorized.
  - Forbid?