At the O'Reilly Fluent Conference in San Francisco, participants laid out an infrastructure, called Seif, which promotes a new approach for building Web applications that includes trust as forethought. Crockford said a lot of the activity around adding new standards for security and trust only adds to the complexity of developing applications. Even worse than that are the problems of insecurity, because there are a lot of important Web creations that cause new security problems. These include cross-site scripting attacks, cross-site request forgery, click jacking and the dependence on passwords.
Crockford said he believes the roots of these problems go back to the beginning of the Web, with RFC 1738, which introduced the notion of the URL. Modern applications send usernames and passwords to a website as part of a URL. These can only be secured when the data is encrypted using Transport Layer Security, which has a history of vulnerabilities.
"The idea of the use of URLs that could be used as passwords is unwise," Crockford said. The Seif infrastructure will also promote trust management in the cloud, using pet names. This helps overcome the challenge of getting people to remember 521 bit-keys.
There are five parts to the Seif project:
1. The Seif Node is a module adding cryptographic services to Node.js. It adds elliptical curve cryptography, AES-256 and has great support for random numbers. One of the challenges with creating random numbers is in seeding the algorithms with noise, so that two computers don't accidentally generate the same numbers. To address this issue, Seif Node includes support for collecting noise from a computer's microphone and camera. This data is not meant to be sent to the server, and Crockford even recommended taping over the camera for privacy, which still allows good noise generation.
2. The Seif Protocol provides an improvement to HTTP and HTTPS over TCP. It transmits sessions securely using JSON packets over TCP. One advantage is that this allows full duplex connections, and thus promotes a broader class of applications. Today, developers often face a lot of encoding headaches in making JSON work over HTTP. The Seif Protocol uses 521 bit elliptical keys. Passwords are secured using public keys as unique identifiers.
3. Seif Resource Management uses computed hash values, rather than URLs based on location. With Seif Resource Management, a client will request resources using a hash computed with a user's private key. This approach will make it more difficult for third parties to modify resources that have been requested using man-in-the-middle attacks. This will also make it easier to distribute secure content to edge caches to improve performance using content distribution network services.
4. Seif Apps is a platform for delivering applications. This will allow developers to create apps without using HTML. It is built on top of Node.js and Qt. The Node.js code is used for network processing and state management. Qt provides a nice framework for creating UI logic that can talk to the GPU. Crockford said there is a tendency in Web development to get layer confusion, because there is not good separation between components or good architectural patterns.
5. Seif Helper Apps will pave the way for the introduction of Seif to modern browsers. Helper App features are still included in modern browsers from the early Web, when add-ons were needed for things such as displaying PNG files. A Seif Helper App will make it possible for businesses with a high need for security, like banks, to get started right away. Crockford said he expects that Seif mode applications will be faster and won't ask the user for passwords.
We have been fixing problems in [Secure Sockets Layer] for almost 20 years, and we are still finding issues.
Many end users may lack the technical acumen or willingness to install a helper application. So, the Seif team needs to convince at least one progressive browser maker to integrate Seif into the browser. Then, they need to convince at least one secure site to require customers to use that browser. Once this is in place, he said he believes the desire for risk mitigation will drive other banks and stores to adopt Seif infrastructure.
It could take a few years to get Seif right. Crockford said he expects some vulnerabilities are likely to be discovered in early implementations that could prove embarrassing. But in the long run, he said he believes only a minimal approach, such as Seif, can solve security issues in an efficient and effective manner. "We have been fixing problems in [Secure Sockets Layer] for almost 20 years, and we are still finding issues," Crockford said. "The Seif system, by comparison, is really simple, and by its simplicity, eventually, we will get it right."
What types of mechanisms do you employ to deliver secure and trusted applications? Let us know.
Web security vs. email security gateways
How Chrome's extension policy can improve Web security
Looking at cloud providers' Web security scanners