From: Jeremiah Grossman (jeremiahwhitehatsec.com)
Date: Mon Oct 22 2001 - 15:36:29 CDT


    P3P 1.0

    http://www.w3.org/TR/2001/WD-P3P-20010928/
    The Platform for Privacy Preferences 1.0 (P3P1.0) Specification

    As browsers such as IE6 start to implement these standards,
    I thought it only reasonable to start to point out potential problems
    within the spec.

    While reading through the specifications, I noticed a lot of good
    things that were being attempted, but I also saw potential for
    P3P security bypass.

    Uh-oh new COV? ;)

    Anyway, I am reprinting some of the sections and my thoughts on
    them below the section.

    ----------------------------------------------------------------
    P3P Specification:

    1. Introduction

    The Platform for Privacy Preferences Project (P3P) enables
    Web sites to express their privacy practices in a standard
    format that can be retrieved automatically and interpreted
    easily by user agents.

    ** One potential weak-point. User-Agents have always been
    fooled and manipulated. How does the user know the difference
    between a P3P dialog and a JS pop-up?

    P3P user agents will allow users to
    be informed of site practices (in both machine- and human-
    readable formats) and to automate decision-making based on
    these practices when appropriate.

    ** Machine readable and human readable. Ok, human weakness,
    users have always been tricked. Automated decisions! Yikes.
    I think this means if the policy is ok'd by the user-agent
    for whatever the reason, out goes your personal info.

    Thus users need not read the privacy policies at every site
    they visit.

    ** Do they anyway? I surely don't.

    Although P3P provides a technical mechanism for ensuring
    that users can be informed about privacy policies before
    they release personal information, it does not provide a
    technical mechanism for making sure sites act according to
    their policies.

    ** Ahh, so our data is still at the mercy of unscrupulous
    web site hosters. I just knew it! ;) So if I am right,
    P3P is about giving the web sites and the users an automated
    process of stating what they SAY they are going to use your
    data for.

    1.1.1 Goals and Capabilities of P3P1.0
    The goal of P3P version 1.0 is twofold. First, it allows
    Web sites to present their data-collection practices in a
    standardized, machine-readable, easy-to-locate manner.

    ** Yah we got that.

    Second, it enables Web users to understand what data will
    be collected by sites they visit, how that data will be
    used, and what data/uses they may "opt-out" of or "opt-in"
    to.

    ** Ok, once again, as users, we really have no idea what
    they are going to be doing with the data. But, as professionals
    responsible for checking to make sure this standard is as
    free as possible from flaws... I think it is possible to
    manipulate these P3P policies on both the server and the
    user-agent side. Now we just gotta figure out how.

    2.2 Locating Policy Reference Files

    The location of the policy reference file can be indicated
    using one of three mechanisms. The policy reference file may
    be located in a predefined "well-known" location, or a
    document may indicate a policy reference file through
    an HTML link tag, or through an HTTP header.

    ** Hmm. Possible policy manipulation

    ** The user-agent gets the policy by three different mechanisms.
     - Well-Known Location. Just some URL
     - HTTP Header
     - LINK HTML Tag

    ** Ok, the first one would be hard to manipulate unless you
    compromised the webserver or got some man-in-the-middle
    attack going. Sure possible, but not really web app sec.

    ** HTTP Header, hard to manipulate on the client-side.

    ** The LINK Tag sparks interest. I am thinking that if a site
    does not or even DOES have a P3P policy available, a good CSS
    attack may be able to modify the policy in question and
    steal user data. Hmm, is your private data stored in IE
    to give up to sites you are in line with your policy.
    Lots of things to look at there.

    Anyway, there is some discussion material and perhaps I should
    verify some of my claims. :) I think I might have time
    when IE 8 comes out. HAH

    regards,

    Jeremiah Grossman
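The post's section 2.2 discussion turns on the fact that two of the three policy-reference discovery mechanisms (the well-known location and the HTTP header) are controlled by the server, while the third (the LINK tag) lives in page content that injected markup can influence. The following Python is an added illustration and is not part of Jeremiah's post or of any P3P implementation. It assumes the P3P 1.0 conventions of a well-known location at `/w3c/p3p.xml`, a `P3P: policyref="..."` response header, and `<link rel="P3Pv1" href="...">`; the consistency rule it applies (a LINK-tag reference is only trusted when it matches a server-controlled reference and stays on the page's origin) is this example's own defensive policy, not a rule the spec imposes. The sample page, headers and URLs are constructed.

```python
# Added example, not from the original post. Enumerates the three P3P 1.0
# policy-reference discovery mechanisms for one HTTP response and flags
# LINK-tag references that page content could have introduced.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

WELL_KNOWN_PATH = "/w3c/p3p.xml"   # P3P 1.0 well-known location


class _P3PLinkCollector(HTMLParser):
    """Collect href values of <link rel="P3Pv1"> tags anywhere in the body,
    not just in <head>, because injected markup can appear anywhere."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("rel", "").strip().lower() == "p3pv1" and a.get("href"):
            self.hrefs.append(a["href"])


def _policyref_from_header(value):
    """Extract the policyref URI from a P3P header value such as
    policyref="/w3c/p3p.xml", CP="NOI DSP COR". A policyref containing a
    literal comma is not handled here (simplification of this example)."""
    for part in value.split(","):
        part = part.strip()
        if part.lower().startswith("policyref="):
            return part.split("=", 1)[1].strip().strip('"')
    return None


def _same_origin(page_url, url):
    a, b = urlsplit(page_url), urlsplit(url)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def discover_policy_refs(page_url, headers, body):
    """Return every policy-reference candidate as a dict with keys
    mechanism, url, server_controlled, same_origin."""
    refs = [{"mechanism": "well-known",
             "url": urljoin(page_url, WELL_KNOWN_PATH),
             "server_controlled": True, "same_origin": True}]
    for name, value in headers.items():
        if name.lower() == "p3p":
            ref = _policyref_from_header(value)
            if ref:
                url = urljoin(page_url, ref)
                refs.append({"mechanism": "http-header", "url": url,
                             "server_controlled": True,
                             "same_origin": _same_origin(page_url, url)})
    collector = _P3PLinkCollector()
    collector.feed(body)
    for href in collector.hrefs:
        url = urljoin(page_url, href)
        refs.append({"mechanism": "link-tag", "url": url,
                     "server_controlled": False,
                     "same_origin": _same_origin(page_url, url)})
    return refs


def suspicious_refs(refs):
    """Defensive rule of this example: a content-controlled (LINK tag)
    reference is trusted only if it matches a server-controlled reference
    exactly; anything off-origin is flagged regardless of mechanism."""
    trusted = {r["url"] for r in refs if r["server_controlled"]}
    return [r for r in refs
            if not r["same_origin"]
            or (not r["server_controlled"] and r["url"] not in trusted)]


# Constructed sample: a legitimate header and head LINK, plus a second LINK
# tag sitting in the body where user-supplied content is rendered.
SAMPLE_URL = "https://www.example.com/account"
SAMPLE_HEADERS = {"P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR"'}
SAMPLE_BODY = """<html><head><link rel="P3Pv1" href="/w3c/p3p.xml"></head>
<body><p>comment area</p>
<link rel="P3Pv1" href="https://other.example/p3p.xml">
</body></html>"""

if __name__ == "__main__":
    found = discover_policy_refs(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY)
    for r in found:
        print(r["mechanism"], r["url"], "server" if r["server_controlled"] else "content")
    for r in suspicious_refs(found):
        print("SUSPICIOUS:", r["mechanism"], r["url"])
```

On the sample, the head LINK agrees with the header and is accepted, while the body LINK pointing at another host is the only entry reported as suspicious; a user agent that acted on the first P3Pv1 LINK it saw, with no cross-check against the header or well-known file, would be the weak spot the post is pointing at.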