security

Sensitive to user experience on mobile? Think about security!

User, user, user. Every strategy for consumer services is user centric, which is a good plan: user centric design, usability, user convenience, easy purchasing. The key challenge is to differentiate from other service providers and ward off the terrible disease of this century: customer churn. Keeping a customer is a big deal, especially when this user is paying for a service which is, obviously, supposed to be exclusive, high quality and guaranteed. When a company delivers a high quality paid service to such a consumer, it may want to ensure that:

i) the user is who he claims to be, so that he can be billed;
ii) the user has not, by accident or intentionally, copied his rights for someone else's consumption; and
iii) the user does not weaken the service by running it in an uncontrolled environment, e.g. a cracked device or over unprotected communications.

And this is where security can help.


Grasping mood of the security industry during Chip to Cloud

Nice, the Italian-looking French town, with its cars and boats parked in front of gigantic buildings with an amazing sea view. Nice, with its old town and its awful modern contrast. Nice, with its World Smart Week [1], made of buzz words such as NFC, identity and cloud, held at the Acropolis, offering a common exhibition area demonstrating the maturity of any-form-of-NFC solutions. An interesting initiative was run alongside it, called Université NFC des Territoires [2], allowing the various French cities going NFC to share their experience and brainstorm in workshops.

I attended the Chip To Cloud Security Forum, which every year tries to show the state of the art in security (hardware and software), and progress on tricky topics such as authentication (of machines, people and devices) and smart, secure, distributed services, including the cloud. This year I captured several interesting topics that fed the conversations during the coffee breaks.


One step toward interoperable security on the web!

One year ago, discussions about identity and security were crowded in W3C meetings.

Crowded and controversial.

How to bring more security and interoperability to web apps? How to serve use cases such as identity management? Why not have interoperable features for protecting peer to peer communications? And if that happens, is it a dream to think that JavaScript may be secured one day?

Mozilla was key in those exchanges, driven by its strategy to develop cryptographic functions [1] and roll out its strategy on identity and Persona [2]. But other companies such as Microsoft, Google, Netflix and Gemalto (which I am with) were also interested in actually moving on. After turning the question over and gathering contributions and reactions, W3C made up its mind and launched a working group with the mission of providing developers with the basics of cryptography. The charter was defined, the chair was chosen (by chance, me), the W3C team contacts were assigned (Harry Halpin and Wendy Seltzer) and the group was kicked off in May 2012 [3]. With 19 organizations represented, plus 11 invited experts [4], the working group has been working for 4 months on a very regular basis, including over the summer, investing 20 hours of conference calls, 2 days of face to face meetings and almost 1000 mails exchanged, and the result is here: the Web Crypto API is now going for First Public Working Draft [5]. The particular dedication of Ryan Sleevi, one of the editors, from Google, was key to defining this API and offering it to web developers.

But what exactly is offered there? Basic tools for generating random values, generating keys, and performing basic cryptographic operations such as encrypting and signing. This will allow any webapp to build its own security policy, in addition to (not instead of) HTTPS usage.

Is it perfect? No. Of course there is room for improvement: stories about key transfer, key cloning, key identifiers and access control on keys still need to be elaborated. The working group is already engaged in solving those issues, in addition to analyzing comments from the industry, which is exactly the purpose of the First Public Working Draft in the W3C process. This is a basis on which the industry concerned with security and interoperability can start discussing, testing and arguing!

If you feel this JavaScript API is important, read it! If you find it awful, say it! The working group and the chair will definitely be happy to hear more from you on the public mailing list public-webcrypto-comments@w3.org!

[1] DOM Crypto by Mozilla; [2] Persona by Mozilla; [3] W3C Web Crypto WG wiki; [4] Web Crypto WG participants; [5] Web Crypto API for comments

One day, Mobile WebApps will be Super WebApps!

A new step in the evil strategy of having the open web platform become the universal development framework for mobile app developers was unveiled this summer by the World Wide Web Consortium (W3C).

Up to now, the W3C plan was to have mobile web apps executed in smartphone and tablet browsers, offering features based on HTML5, CSS and some additional JavaScript features developed by the Device API Working Group (so called DAP for the people attending this club). Features like: network information (how is the device connected? 3G, 2G, Wifi...), battery status information, service discovery (is there any payment webapp on the device that another webapp can use?), vibration capability (bzzz, bzzz), management of media from the webapp... A complete list of items and corresponding specifications is publicly available on the DAP wiki [1]. And in addition, if you want to follow when this will land in your favorite browser, Dominique Hazaël-Massieux (@dontcallmedom) from the W3C office maintains a list of all devices and browsers implementing the standard HTML and JavaScript APIs [2]. Great. That was the 2012 plan roll out.


Can I drive my smartphone safely?

On the matter of safety, it may happen that the old and established car industry has things to teach the young and dynamic mobile industry.

Middle class passengers getting into their car do not even think that their car's safety may be a problem. This peace of mind was not a given at the beginning of that industry. We all know that the first cars were dangerous. But due to pressure from citizens and governments (driven by the will to protect lives and save national health budgets), combined with collaboration between automotive manufacturers (agreeing on a minimal barrier to entry to the safe and comfortable car market), a vehicle now has to survive several safety steps, including crash tests, before being driven by a smiling father of a family (because, as everyone knows, only fathers drive in families, right?).
