[ParisWeb] Security Take Away


ParisWeb is a French-European event gathering web developers motivated to do things right: quality, accessibility and standards. Last week the conference was held Place de la Bourse, in downtown Paris. That conference is known to be terrific, as people share their experience, their good practices and their good feelings. Every talk is an opportunity to learn something and meet smart people. Here is a first post, reporting the security conversation that happened in the Palais Brongniart.

First Web Crypto implementations: waiting for your imagination to play with!

Being chair of a W3C Working Group puts you in the nice situation of being aware of any brand new implementation of the specifications your working group is supposed to design. In the case of the Web Crypto WG, I must confess I am quite lucky: the group started one year ago, the first public working drafts were published 10 months ago, last call is planned for October (planned, I said, no blood-signed promise here) and there are already several implementations and prototypes disclosed:

Which specification are we talking about?

The Web Cryptography API is an API edited by Ryan from Google. Once implemented natively in the browser, it will provide web apps with primitives for cryptographic operations: generating strong random numbers, generating a key (or a key pair), and using it to encrypt data or sign it. This is a nice toy for designing the security model of your web application. Identified use cases are data synchronization between client and server, signing legal documents, protecting banking transactions, … See the Web Cryptography Use Cases, edited by Arun from Mozilla, for more information. The Working Group is also working on an API to discover keys available in the key store of the browser, but this API, edited by Mark from Netflix and named Web Cryptography Key Discovery, does not yet have any implementation available.

What are the available implementations?

As several companies have an interest in that security feature, several implementations or experiments have been made available to web developers.

A polyfill designed by BBN. BBN is a research laboratory sponsored by the US government. It has issued a polyfill, a pure JavaScript implementation of the Web Crypto API (based on the version from December 2012). It is compatible with a large number of browsers, including Chrome, Firefox, Safari, Internet Explorer 10, Opera and iCab. You can find out more by visiting the Polycrypt project: http://polycrypt.net/ and the related GitHub repository: https://github.com/polycrypt/polycrypt .

A plugin by Netflix for Chrome. Netflix is working hard these days on delivering a complete solution to protect its streamed content through the combination of the Encrypted Media Extensions and the Web Crypto API (based on the version from April 2013). The current native plug-in has been designed and successfully tested in Chrome on Linux amd64, but do not dream, it will not allow you to watch the Netflix catalog for free! All material and explanations are available on Netflix's GitHub.

A Microsoft IE 11 Preview feature. Microsoft has included the Web Crypto API in the Internet Explorer 11 Preview (build date: 6/14/2013). This pre-release version is available to web developers.

A Chromium announced feature. Google has announced that the Web Crypto API will be available in Chromium. If you want to witness the ongoing work, you can have a look at the Chromium issue tracker.

A Firefox open feature**. Mozilla has been working since this spring on the implementation of the Web Crypto API, and progress can be monitored in the Bugzilla @ Mozilla tracker.

A teasing implementation from Inventive Designers.

One way or another, what can you do now? And what are the limits?

You can play with those prototypes, which are here to fill the gap while browser makers embed the final feature in their final products. Note that none of the available plug-ins, polyfills or pre-releases rely on Promises, the new flavour of the DOM, while the final version very likely will: the most recent draft already embeds them, and it is awaiting review by the JavaScript community and the W3C Technical Architecture Group. In addition, the referenced plug-in, polyfill and pre-release features rely on older versions of the specification, which is still subject to change, as the Working Group is still resolving some open issues. Nevertheless, having some tools today gives you a chance to play with crypto primitives on different platforms.

Which one to choose? If your project is just about creating a key and using it for basic operations such as key generation, signing and encryption (and their counterparts), then the BBN polyfill will match perfectly. If you want to experiment further with key wrapping (in order to protect your keys when they are stored on your client), then the Netflix and Microsoft tools will do the job.

Each of the implementations made its own choices about which algorithms to support, but in most cases, if your project does not require exotic algorithms, you will find what you need inside.

If you are having fun with it, who should you report to?

As you may imagine, the whole W3C crypto community and the implementers are expecting your report on your experiments. Feel free to tell us more on public-webcrypto-comments@w3.org or by reporting directly to the implementation providers…

You can also read a more recent post related to Web Crypto API development here: https://poulpita.com/2014/08/28/w3c-web-crypto-whats-next/

** Thanks @clochix for the info.

Tokyo experience: W3C web developers meetup

Somewhere in the last few days (excuse my approximation; my time reference is somewhere between Tokyo and Marseille), I attended, together with around 300 people, the W3C developer meetup in Tokyo, on GREE's premises.

[Picture of the room by Sangwhan Moon, sangwhanmoon]

Awesome venue, great and experienced speakers, and funny masters of ceremony: everything was gathered to make a wonderful event.

[Picture of the costumes by Tomomi @girlie_mac via @ourmaninjapan]

During this first ever W3C meetup in Tokyo, the virtues of the web were presented.

HTML5. Mike Smith, codename Michael[tm] Smith @sideshowbarker reported the recent HTML5 stories, focusing on the template element.

Mobile web apps. The recent features for building attractive mobile web apps were presented by Tomomi from Nokia @girlie_mac. She covered all the recent features and gave details about their implementation in the different mobile browsers [slides]

Test the web. Earlier in the day, there was a Test The Web Forward event, a kind of great coding party where you test the web from top to bottom. It was a great opportunity to have Tobie from Facebook, and W3C fellow, @tobie explain to us the essence of testing the web [slides]

Security. I gave a status update on the Web Crypto API Working Group, promoting how we could save the world (or at least support a better e-voting user experience, with a bit of Paris and women power inside) [slides]

Design. Alan Stearns @alanstearns from Adobe made a fabulous CSS demo [slides]

Gaming. Kazuho Oku @kazuho presented JSX, which improves performance for game coding [slides]

Panel. A panel ended the conference, trying to learn from the participants how the Japanese community could take part in the standardization of the web. Participants were Mike Smith from W3C @sideshowbarker, Fumi Yamazaki from Google @Fumi, Richard Ishida from W3C Internationalization @r12a, Tomomi from Nokia @girlie_mac, Kensaku Komatsu from NTT Com and Shumpei Shiraishi from HTML5J @Shumpei. In a mix of Japanese and English (which was not a problem, as there was real-time translation in both languages), they stated the following:

Community? The Twitter community of this W3C dev meetup can be explored with the Bluenod application, and it looks something like this:


Party. And because we all worked hard, our host offered a nice cake after a great Japanese buffet …

[Picture of the cake by @gihyoreport]


Yeah, I wanna be a W3C AB!

What's up?
These days my friends are suffering through conversations with me about W3C, W3C and W3C. One of the reasons is that a nano-event is happening (nano on the scale of the boiling web planet): W3C is currently trying to renew part of its Advisory Board. The Advisory Board members are 9 people interacting with W3C management on questions of process, strategy and conflict. Even if the AB has limited power, it is part of the mechanics that make sure the W3C office stays connected with the membership.

Election. So what!
Where this election becomes interesting is that there are 12 nominees in total for 4 available seats, a record in the history of W3C, demonstrating the traction of the organization. Most of them are experienced, smart people from big corporations. Some of them have made their application public, such as Tantek from Mozilla, Chris from Google, Chaals from Yandex and David from Apple. And I am one of those who would like to sit there. My two years on the W3C planet, representing my company and also chairing the Web Crypto Working Group, were such an experience that I would be delighted to use it to support the migration of W3C.

What is at stake?
From my point of view, W3C is being transformed: it is getting bigger, welcoming many more members every year; it is getting more ambitious, covering more markets such as mobile, automotive and payment; and members are bringing more and more ideas… In such changing times, it is key to remain a solid, delivery-oriented, flexible organization. Challenges for the next team will be to make progress on the evolution of the W3C process (everyone blames W3C for being a slow delivery machine), to deal with open licensing of W3C documentation, potentially to rethink the AB itself (as some members are asking for), and to listen to W3C members' ideas for making the organization better. There will also be effort to maintain on the learning curve of new members, capturing innovations in specifications, keeping the W3C culture (collaborative, sharing), and of course being the guardian of the open web platform's 'openness'.

Why me?
I have heard a lot of enthusiasm around my application, actually more than expected. Here is a list of funny things I heard about the qualities people believe I have: I am new to W3C and can bring a fresh look, I am a chair (understand a chairperson, not an object), I am a woman (yes, I represent a minority in W3C), I know the mobile industry well (one of the major playgrounds for the web), I am European (while W3C is highly US-centric), I am interested in open licensing of documents, I represent an industry that may save the web (which lacks security, we-all-know-that).

All of this may be true, but I must confess that those were not the first skills I thought about when running for election. I am first of all committed to *contribute* to the AB. I do want the W3C machine to become efficient, making progress on all the items mentioned above. Being reasonably well connected to the web community and the members, I am able to report the good ideas and actually turn them efficiently into action in the W3C arena, making the best effort to roll out the promise of the open web platform.

When will this end?
The adventure of politics is really interesting, and even just by trying to play that game I have learnt a lot. Election results will be announced at the beginning of June. I will keep you informed.
By the way, if you want to join the @poulpita fan club, just share this post on your favourite social media networks and tell any AC Rep in W3C you meet that they should put me in their top 4 candidates!

Note: if you want to know more about open licensing of documents, here is a good summary of the situation, by David Baron from Mozilla: http://dbaron.org/log/20130522-w3c-licensing

How I became digital!

This will be a Friday confession. I entered the digital world two years ago. Yes, only two years ago. I mean, I started working with the internet in 1994 when studying at university, sharing with other researchers, flirting with my boyfriend via talk and email, but I have only been exploiting digital innovation and social media intensively for 2 years. And I must say it changed my life, and probably the lives of my relatives. What is it that is so attractive as to make me jump into this area and stay?

Data and tools

Why am I on the net? Because I am trying to understand where our world is going, what evolutions human beings are currently living through and how they are surviving them. Great program, isn't it? And if you want to get that information, you may have an interest in being someone in the digital arena: someone who joins communities, has the information coming to them, and is able to build a common understanding with others. And the tools are there. I should say user-friendly, free and easy-to-manage applications are available here and all around. How to create your digital identity, how to understand other people's, how to record or track data, how to curate information. All is here, one click away from you. And even if I have a biased view, due to the security environment I have the fault of working in, I am able to have a digital life using those tools while taking care of my own privacy and security. I am concentrating on Twitter, blogging with WordPress, LinkedIn, and playing with about.me and Klout, still trying to find out what those bring me. But let's be frank, it is not the tools that pushed me to stay digital. The others did.

W3C: this is all about spirit, tools and fun

People who do me the favour of visiting my blog know that I am a big fan of W3C. Not on principle, but because W3C as an organization brings a lot, in a good spirit. Let me explain a bit how, by sharing an amazing experience with you: the W3C TPAC meeting. TPAC (Technical Plenary and Advisory Council) is the W3C yearly general assembly, combined with a large number of Working Group meetings, the actual specification writers. This is where all W3C members meet, with an amazing mix of people: engineers and strategists, representing startups, big companies and public organizations. This year the event gathered 480 people attending the technical plenary and 30 Working Groups. And the magic lies in the fact that this group of humans, gathered once a year, fully benefits from it by constantly sharing, talking and learning, all as equals.

A spirit. Anyone you speak to here is nice; this is just a mindset that everyone naturally adopts. The reason is that every exchange is valuable here, and people are looking for it.


One step toward interoperable security on the web!

One year ago, discussions about identity and security were crowding W3C meetings.

Crowded and controversial.

How to bring more security and interoperability to web apps? How to serve use cases such as identity management? Why not have interoperable features for protecting peer-to-peer communications? And if that happens, isn't it a dream to think that JavaScript may be secured one day?

Mozilla was key in those exchanges, driven by their strategy of developing cryptographic functions [1] and rolling out their identity strategy with Persona [2]. But other companies such as Microsoft, Google, Netflix and Gemalto (which I am with) were also interested in actually moving forward. After turning the question over and gathering contributions and reactions, W3C made up its mind and launched a working group with the mission of providing developers with the basics of cryptography. The charter was defined, the chair was chosen (by chance, me), the W3C team contacts were assigned (Harry Halpin and Wendy Seltzer) and the group was kicked off in May 2012 [3]. With 19 organizations represented, plus 11 invited experts [4], the working group has been working for 4 months on a very regular basis, including over the summer, investing 20 hours of conference calls, 2 days of face-to-face meetings and almost 1000 emails exchanged, and the result is here: the Web Crypto API is now going to First Public Working Draft [5]. The particular dedication of Ryan Sleevi, one of the editors, from Google, was key to defining this API and offering it to web developers.

But what exactly is offered there? Basic tools for generating random numbers, generating keys, and performing basic cryptographic operations such as encryption and signing. This will allow any web app to build its own security policy, in addition to using HTTPS.

Is it perfect? No. Of course there is room for improvement: stories about key transfer, key cloning, key identifiers and access control on keys need to be elaborated. The working group is already engaged in solving those issues, in addition to analyzing comments from the industry, which is exactly the purpose of the First Public Working Draft in the W3C process. This is a basis which the industry concerned with security and interoperability can start discussing, testing and arguing about!

If you feel this JavaScript API is important, read it! If you find it awful, say it! The working group and the chair will definitely be happy to hear more from you on the public mailing list public-webcrypto-comments@w3.org!

[1] DOM Crypto by Mozilla; [2] Persona by Mozilla; [3] W3C Web Crypto WG wiki; [4] Web Crypto WG participants; [5] Web Crypto API for comments

One day, Mobile WebApps will be Super WebApps!

A new step in the evil strategy of having the open web platform become the universal development framework for mobile app developers was unveiled this summer by the World Wide Web Consortium (W3C).

Up to now, the W3C plan was to have mobile web apps executed in smartphone and tablet browsers, offering features based on HTML5, CSS and some additional JavaScript features developed by the Device APIs Working Group (so-called DAP for the people attending this club). Features like: network information (how is the device connected? 3G, 2G, Wi-Fi…), battery status information, service discovery (is there any payment web app on the device that another web app can use?), vibration capability (bzzz, bzzz), management of media from the web app … A complete list of items and corresponding specifications is publicly available on the DAP wiki [1]. And in addition, if you want to follow when this will land in your favourite browsers, Dominique Hazaël-Massieux @dontcallmedom from the W3C Office maintains a list of all devices and browsers implementing the standard HTML and JavaScript APIs [2]. Great. That was the 2012 plan roll-out.