Month: November 2016

Are Hardware Based Secure Web Services a lost quest? No. Well…


As co-chair of the W3C community group aiming to offer web developers the possibility to access services provided by hardware tokens, I regularly receive questions about where this work is going…

Well. Executive summary. The good reasons for allowing a web app to access secure services stored in a hardware token, and the possible ways to implement that in browsers, are ready. But this is still not on the W3C planet. It exists in the form of a report, edited by Sébastien Bahloul, a Morpho guy, and discussed with W3C Community Group members.

In detail. The good reasons for allowing web developers to access keys stored in a hardware token, or to trigger a signature which cannot be repudiated, are detailed in the report. There are some specific industry examples, such as government e-services, e-banking services, or commercial transactions which require legal binding, such as online signature. The potential users of this feature are legion. Basically, the European regulation named eIDAS “regulates electronic signatures, electronic transactions, involved bodies and their embedding processes to provide a safe way for users to conduct business online like electronic funds transfer or transactions with public services”. To deploy such services on the web, the web developer needs some means to access a hardware token (or the web will miss that European digital trust promise). Other countries such as Bolivia, Uruguay, Argentina and Peru are also requiring similar technology.

The technical aspects. The technical proposal embedded in this report is made of two technical features. First, a way to implement the W3C Web Crypto API in a hardware token. This is to allow the generation and the usage of a cryptographic key inside a token belonging to the user. Second, a way to digitally sign a transaction with a key, again stored in a hardware token, and to perform the signature confirmation via an interface the user can trust. Those two services are some of the building blocks of a trusted web, where the user is in control of the credentials used to encrypt or sign data.

So what is wrong? Well. This set of usages and technical features was presented to a large group of W3C members during the last W3C TPAC. And nothing amazing happened. The browser makers were kindly requested to have a look at it. But they demonstrated low interest, while this topic has been discussed since September 2014. There might be a cultural problem behind the slow progress of this topic in W3C. Online access to European government services is not a priority for the major browser makers. In addition, most of the security actors have relied on hacks such as plugins to be able to use smart cards or hardware tokens. But that era is over, as plugin maintenance and attacks are getting more sensitive.

And what is next? Next is about gathering the companies and countries interested in that feature, and starting to demonstrate to W3C that there is an important question here: do we want the web to get into secure services, as requested by online signature and government services? So if you are one of the actors believing this web feature is key, join the Hardware Based Secure Services CG, so that we can collectively work on creating a Working Group in W3C…

What’s happening with the W3C Web Crypto API?


Well. The specification is finished!

[Cheers to Ryan Sleevi, Mark Watson and Harry Halpin, who actually led the editorial work during these 4 years.]

Where is it? You can read the most recent version here. It is this version that will be submitted to the W3C Director (Tim Berners-Lee), in order to make it a real W3C Recommendation. Crossing fingers.

Is it real? Yes. During the lifetime of the spec we had the major browser makers contributing and monitoring, namely Google, Microsoft and Mozilla. Thus it is implemented. See http://caniuse.com/#feat=cryptography

Where is the interoperability proof? The test coverage can be found here.

So. What is the future? Consider that things are moving on, and the group will soon enter its maintenance mode. The next action, once the specification is a Recommendation, will be to listen to the market and add any new algorithm that becomes widely used.

Thanks! That was a long and passionate piece of work in W3C. Thanks to all members and individuals who contributed…


Middle Life Crisis Toolbox: anger screwdriver


“Anger is how we seek to create an illusion of control where we feel none.” (Martha Nussbaum)

I have been looking into anger this week. Here is what I found and liked.

On what is happening in our body when we get angry. This is where we should know the basics of the race happening between cortex and amygdala. The interesting part of this article also relates to the time needed between the anger peak and our return to a calm state. This is where we are still vulnerable to anger again. Well, read that and understand your body: https://www.mentalhelp.net/articles/physiology-of-anger/

On how to get angry a lot. That video is a list of common tricks to put ourselves into great anger. Guaranteed result. Funny and so true…

On the reasons why we get angry. “Anger begins with the many imperfections of existence”. In this section of the “Book of Life”, one can understand where anger starts and why it should get all our attention, and support. As you may get, expressing anger is expressing suffering. And the best thing to do may be to try to understand (and relax a bit, too). http://www.thebookoflife.org/why-you-get-so-angry-even-though-you-are-nice/

On the bridge between anger and creativity. This is a set of wise views on anger. One I like is “The internal living flame of anger always illuminates what we belong to, what we wish to protect and what we are willing to hazard ourselves for.” (David Whyte). Some other interesting philosophical thoughts can be read here: https://www.brainpickings.org/2016/11/04/may-sarton-anger/

On anger, forgiveness, and lovers. I cannot refrain from referencing another post from Brain Pickings, about Martha Nussbaum’s views, which deals with anger in the specific context of lovers, where trust and bonds give a special meaning and violence to anger. One can also find in this post that the link between anger and self-respect, drawn by a lot of philosophers, is challenged. Please have a read here: https://www.brainpickings.org/2016/05/03/martha-nussbaum-anger-and-forgiveness/

Hope it helps!

Note: Picture “les pieds au mur” (feet on the wall) by Robert Doisneau

Note: other more general Middle Life Crisis resources are available here

Non-violent security talk for small and medium business @ BlendWebMix

In December, I was at a web conference named #BlendWebMix, which gathers all kinds of actors of the web economy, from investors to tech, including designers, influencers, politicians, startup founders, … 80 very diverse talks were given, and 1800 people attended the event. I was selected to give a very short presentation on privacy and security. My challenge was: convincing a broad audience, in 13 minutes, that privacy was something each of us, as workers, should take action for. Here is the core of my message.

I am fed up with the usual security talk which says “provide privacy by implementing some security or you will burn in the hell of bad-reputation companies, together with Madison, Target, Yahoo, and potentially go bankrupt”. You know, that Fear, Uncertainty and Doubt (FUD). I tried another angle. I tried the non-violent path. And I believe there are at least two good reasons why people should give a chance (and budget and effort) to privacy.


The first reason can be found on the optimistic side of life. Good reputation. I have the feeling that in this digital storm of hacks, global attacks and social media bashing, the companies taking action to preserve the privacy of their users are playing a good game. And the user may know. And the user may appreciate it. And it may be a competitive advantage to invest in it and get rewarded for it.


The second reason is data protection, as defined by the European Commission. There is a new directive that mandates every company to allow its users to keep an eye on their data. It is the result of long discussions related to the value of citizen privacy in our digital world. That regulation will be applicable in May 2018, to all European companies and to all non-European companies handling European citizens’ data. Well, yes, 2018 is the day after tomorrow. Which gives you only tomorrow to ramp up on good practices and get ready. The threat, if you are not compliant with the regulation, will directly touch your wallet, as fines could go up to 4% of your benefits as a company. Universities and public services are also subject to this regulation.

What does this regulation say? It says that users will have to explicitly opt in to the registration of their data, they will be able to control what you are doing with the data, and they will have the right to modify and delete their data. In addition, data portability will have to be provided. Finally, users will have to be informed about any breach related to their data. Data, in this context, means any piece of information which characterizes the user: name, address, but also geolocation, social media activity, any digital trace left by the user that you are collecting.

Who is subject to this regulation? Any company which collects, processes, transmits or stores the data. This means you, but also anyone touching the data, closely or from afar. For example, the monetization partners (ads), or your cloud providers. Now you see what the impact could be!

During the talk, I tried a new technique for making the audience receptive to the message. I asked them to pause a second, to close their eyes, to breathe, and to think about one of their users. Lea, 30 years old, digital, agile, a conscious citizen, caring about her privacy. I asked the audience to answer, in the secret of their mind and heart, eyes still closed, the following questions: do you know which of Lea’s data you are taking into your super-super application or service? Do you know where Lea’s data is stored? When was the last time you had a conversation about privacy and security at work? I mean, not on Twitter, being scandalized by the global surveillance of states, but wondering within your own framework. Some of the people in the audience smiled, and I felt some of the questions touched them. What about you?

Aiming to convince the audience in a smooth way to take action for the privacy of their users, I reminded them that it was important to identify the data, understand its life cycle within their own service life cycle, define the weak points (any entry point, transfer, storage…) and protect those points. The thing is that if you are a small company, you may not know where to start. My key message was. Well. Start with pragmatic stuff.

First. Talk about security, create conversation around it. For example, hold a 2-hour meeting with the project manager, or whoever in the company coded the solution, with a global view. And together make a status of the different security measures taken up to now. Make an accurate status.

Second. Look for security champion(s) in your team. Basically the one(s) who had security training at school, or who had the chance to work on a security-sensitive project in the past and may share it with others.

Third. Write a process. It could be a paper sheet in the cafeteria reminding: i) before you ship a new feature, ask John (the security champion) for a code review, ii) before you sign a deal with a company, check its track record in security, … Or it could be a professional methodology for bigger companies. Well, the objective is just to make sure that the question of security is handled in the product life cycle, at company scale, and taken into account in the schedules and deals. This is about creating a security culture in the company.

Fourth. Engage in conversation with your partners and providers, and ask them the basic question about their security investment. They might be able to prove that they actually take care of it, with certification, or by being able to tell you a nice story about their effort in that matter. Just like any company should be prepared to.

Fifth. Crash test your product. Some bug bounty platforms now exist. You can submit your product, it will be attacked by some hackers, and if security vulnerabilities are found, you will be informed. The next level, or a complementary action, could be to perform an audit of your code, or to get an actual security certification (but I guess that if you are on a market where a security certification scheme exists, you might already be a security-aware company).

Sixth. Monitor the security news. Read some newspapers specialized in security, or some forums alerting on vulnerabilities. It would be a pity if your service bim-bam-boum were based on a framework which has been seriously hacked, and you were not aware of it.

In the end. Six possible concrete actions. To be rolled out by anyone who is not a security expert. I asked the audience again to close their eyes. And to pick one action from that list, just one action. And to promise, in the secret of their mind, to do it Monday morning, when coming back to the office. Hoping that next Monday some SMB will start down the road of improving the privacy of their services…

Note: all pictures copyright Garry Winogrand