OSEC

From: Mark Curphey (mcurpheyonebox.com)
Date: Mon Oct 22 2001 - 21:15:21 CDT


    What happens to the XML P3P policy file - Does it need to validate the
    DTD at w3c or similar ? I have seen some amusing applications that will
    just stop when they can't validate a DTD. Basing checking privacy preferences
    on DNS wouldn't seem appropriate if it does !

    ---- Jeremiah Grossman <jeremiahwhitehatsec.com> wrote:
    > P3P 1.0
    >
    > http://www.w3.org/TR/2001/WD-P3P-20010928/
    > The Platform for Privacy Preferences 1.0 (P3P1.0) Specification
    >
    >
    > As browsers such as IE6 start to implement these standards,
    > I thought it only reasonable to start to point out potential problems
    > within the spec.
    >
    > While reading through the specifications, I noticed a lot of good
    > things that were being attempted, but I also saw potential for
    > P3P security bypass.
    >
    > Uh-oh new COV? ;)
    >
    > Anyway, I am reprinting some of the sections and my thoughts on
    > them below the section.
    >
    >
    > ----------------------------------------------------------------
    > P3P Specification:
    >
    > 1. Introduction
    >
    > The Platform for Privacy Preferences Project (P3P) enables
    > Web sites to express their privacy practices in a standard
    > format that can be retrieved automatically and interpreted
    > easily by user agents.
    >
    >
    > ** One potential weak-point. User-Agents have always been
    > fooled and manipulated. How does the user know the difference
    > between a P3P dialog and a JS pop-up?
    >
    >
    > P3P user agents will allow users to
    > be informed of site practices (in both machine- and human-
    > readable formats) and to automate decision-making based on
    > these practices when appropriate.
    >
    >
    > ** Machine readable and human readable. Ok, human weakness,
    > users have always been tricked. Automated decisions! Yikes.
    > I think this means if the policy is ok'd by the user-agent
    > for whatever the reason, out goes your personal info.
    >
    >
    > Thus users need not read the privacy policies at every site
    > they visit.
    >
    > ** Do they anyway? I surely don't.
    >
    >
    > Although P3P provides a technical mechanism for ensuring
    > that users can be informed about privacy policies before
    > they release personal information, it does not provide a
    > technical mechanism for making sure sites act according to
    > their policies.
    >
    >
    >
    > ** Ahh, so our data is still at the mercy of unscrupulous
    > web site hosters. I just knew it! ;) So if I am right,
    > P3P is about giving the web sites and the users an automated
    > process of stating what they SAY they are going to use your
    > data for.
    >
    >
    > 1.1.1 Goals and Capabilities of P3P1.0
    > The goal of P3P version 1.0 is twofold. First, it allows
    > Web sites to present their data-collection practices in a
    > standardized, machine-readable, easy-to-locate manner.
    >
    > ** Yah we got that.
    >
    >
    > Second, it enables Web users to understand what data will
    > be collected by sites they visit, how that data will be
    > used, and what data/uses they may "opt-out" of or "opt-in"
    > to.
    >
    >
    > ** Ok, once again, as users, we really have no idea what
    > they are going to be doing with the data. But, as professionals
    > responsible for checking to make sure this standard is as
    > free as possible from flaws..I think it is possible to
    > manipulate these P3P policies on both the server and the
    > user-agent side. Now we just gotta figure out how.
    >
    >
    >
    > 2.2 Locating Policy Reference Files
    >
    > The location of the policy reference file can be indicated
    > using one of three mechanisms. The policy reference file may
    > be located in a predefined "well-known" location, or a
    > document may indicate a policy reference file through
    > an HTML link tag, or through an HTTP header.
    >
    > ** Hmm. Possible policy manipulation
    >
    > ** The user-agent gets the policy by three different mechanisms.
    > - Well-Known Location. Just some URL
    > - HTTP Header
    > - LINK HTML Tag
    >
    >
    > ** Ok, the first one would be hard to manipulate unless you
    > compromised the webserver or got some man-in-the-middle
    > attack going. Sure possible, but not really web app sec.
    >
    > ** HTTP Header, hard to manipulate on the client-side.
    >
    > ** The LINK Tag sparks interest. I am thinking that if a site
    > does not or even DOES have a P3P policy available, a good CSS
    > attack may be able to modify the policy in question and
    > steal user data. Hmm, is your private data stored in IE
    > to give up to sites you are inline with your policy.
    > Lots of things to look at there.
    >
    >
    >
    >
    > Anyway, there is some discussion material and perhaps I should
    > verify some of my claims. :) I think I might have time
    > when IE 8 comes out. HAH
    >
    >
    >
    >
    > regards,
    >
    > Jeremiah Grossman
    >
    >

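As an added example, not part of either message above, a small user-agent-side resolver for the two points raised: it collects the policy reference file location from the three mechanisms the spec names (HTTP header, well-known location, LINK tag), ranks the LINK tag lowest and drops cross-origin LINK targets (a defensive assumption of this example, not a spec rule), and parses the reference file without fetching the DTD, so an unreachable DTD host or a malformed file degrades to "no usable policy" instead of halting. The header, tag and well-known-location forms follow the P3P 1.0 spec; the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

WELL_KNOWN = "/w3c/p3p.xml"  # well-known location of the policy reference file

# HTTP header form from the spec:  P3P: policyref="<uri>", CP="..."
_POLICYREF = re.compile(r'policyref\s*=\s*"([^"]*)"', re.I)
# HTML form from the spec:  <link rel="P3Pv1" href="<uri>">
_LINK = re.compile(r'<link\b[^>]*\brel\s*=\s*["\']?P3Pv1["\']?[^>]*>', re.I)
_HREF = re.compile(r'\bhref\s*=\s*["\']([^"\']*)["\']', re.I)


def candidates(page_url, headers, html):
    """Policy-reference URLs in trust order: HTTP header, well-known location,
    then LINK tags. A LINK target on another origin is dropped; that is a
    defensive assumption of this example, not a rule from the spec."""
    found = []
    for name, value in headers.items():
        if name.lower() == "p3p":
            m = _POLICYREF.search(value)
            if m:
                found.append(urljoin(page_url, m.group(1)))
    found.append(urljoin(page_url, WELL_KNOWN))
    origin = urlsplit(page_url)[:2]  # (scheme, netloc)
    for tag in _LINK.findall(html):
        h = _HREF.search(tag)
        if h and urlsplit(urljoin(page_url, h.group(1)))[:2] == origin:
            found.append(urljoin(page_url, h.group(1)))
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def parse_policyref(xml_text):
    """(about, [INCLUDE prefixes]) for each POLICY-REF. expat does not fetch
    the external DTD named in a DOCTYPE, so an unreachable DTD host cannot
    stall the agent; a malformed file yields [] ("no usable policy")."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # ignore any namespace
    return [(el.get("about"), [c.text for c in el if local(c) == "INCLUDE"])
            for el in root.iter() if local(el) == "POLICY-REF"]


# Constructed sample inputs (not taken from the messages above).
SAMPLE_HEADERS = {"P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR"'}
SAMPLE_HTML = ('<link rel="P3Pv1" href="/privacy/ref.xml">'
               '<link rel="P3Pv1" href="http://other.example/ref.xml">')
SAMPLE_POLICYREF = ('<!DOCTYPE META SYSTEM "http://dtd.example/p3p.dtd">'
                    '<META><POLICY-REFERENCES><POLICY-REF about="/policy.xml#first">'
                    '<INCLUDE>/*</INCLUDE></POLICY-REF></POLICY-REFERENCES></META>')
```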