[Cryptography] Using crypto to address clickjacking (was "Re: Augmented Reality Encrypted Displays")

Tony Arcieri bascule at gmail.com
Sun Aug 30 19:06:08 EDT 2015


On Sat, Aug 29, 2015 at 11:13 AM, Kevin W. Wall <kevin.w.wall at gmail.com>
wrote:

> > The web may be *forced* into using something like "visual
> > cryptography" in order to get around "clickjacking", whereby
> > the user is tricked into clicking on the wrong button (or the
> > right button for the wrong reasons).  It's getting harder &
> > harder for a web site to know & guarantee that what it thinks
> > is being displayed is actually what a user sees & is agreeing
> > to.  See Dan Kaminsky's recent DEFCON talk for more info:
>
> Slightly OT for crypto, but I'll toss this out. I just think crypto
> is overkill for addressing clickjacking attacks.
>

100% agree with this.


> Just about every recent version of every modern browser supports
> the X-Frame-Options HTTP response header which, when used
> correctly and consistently, is effective in preventing all known
> clickjacking (aka, UI redress) attacks.


There are a few deficiencies with X-Frame-Options, which is what Dan
Kaminsky's talk was about.

X-Frame-Options: DENY is the nuclear option to prevent clickjacking. This
prevents content embedding. But what if we want to embed a clickable widget
in another page, but prevent clickjacking?

What's really needed is a way for iframes to reason about how they're being
embedded in other content. This was the actual subject matter of Dan
Kaminsky's talk. He presented a concept called "IronFrame", but more recent
W3C work seems to be around a Position Observer API:

https://github.com/slightlyoff/PositionObserver/blob/master/explainer.md

Anyway, no crypto necessary. And that's good: I am all for solving web
security problems *without* crypto!

-- 
Tony Arcieri
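The header discussion in this thread, carried into a concrete check. This is an added example, not code from the thread or from any project it names: a Python function that reads a response's X-Frame-Options header and the Content-Security-Policy frame-ancestors directive (the CSP Level 2 replacement for X-Frame-Options, which is how a page can name the specific origins allowed to embed it, the "clickable widget" case raised above) and reports whether the response is protected against being framed. The header names and their semantics are real; the sample responses, the verdict dictionary shape and the function names are constructed for this example.

```python
"""Assess whether an HTTP response is protected against clickjacking.

Added example (not from the mailing-list thread). Browsers decide whether a
page may be framed from two headers: X-Frame-Options and, taking precedence
when present, the Content-Security-Policy frame-ancestors directive.
"""
from typing import Dict, Iterable, List, Optional


def _split_header(values: Iterable[str]) -> List[str]:
    """Split header values on commas, which is how browsers merge a header
    that appears more than once in one response."""
    out: List[str] = []
    for v in values:
        out.extend(p.strip() for p in v.split(",") if p.strip())
    return out


def _frame_ancestors(csp_values: Iterable[str]) -> Optional[List[str]]:
    """Return the source list of the first frame-ancestors directive found in
    an enforcing Content-Security-Policy header, or None if there is none.
    (Content-Security-Policy-Report-Only is deliberately not consulted: it
    reports violations but does not block framing.)"""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def assess_framing(headers: Dict[str, List[str]]) -> dict:
    """headers maps lowercase header names to the list of values received.
    The returned dict shape is constructed for this example."""
    fa = _frame_ancestors(headers.get("content-security-policy", []))
    if fa is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options.
        srcs = [s.strip("'").lower() for s in fa]
        if srcs == ["none"]:
            return {"protected": True, "policy": "deny", "source": "csp"}
        if srcs == ["self"]:
            return {"protected": True, "policy": "same-origin", "source": "csp"}
        if "*" in srcs or any(s in ("http:", "https:") for s in srcs):
            # A wildcard or bare scheme source lets any origin embed the page.
            return {"protected": False, "policy": "any-origin", "source": "csp"}
        return {"protected": True, "policy": "allow-list", "source": "csp",
                "allowed": fa}

    xfo = [v.lower() for v in _split_header(headers.get("x-frame-options", []))]
    if not xfo:
        return {"protected": False, "policy": "none", "source": None}
    if len(set(xfo)) > 1:
        # Conflicting values: browsers do not agree on how to resolve them,
        # so report the response as misconfigured rather than protected.
        return {"protected": False, "policy": "conflicting", "source": "xfo",
                "values": xfo}
    value = xfo[0]
    if value == "deny":
        return {"protected": True, "policy": "deny", "source": "xfo"}
    if value == "sameorigin":
        return {"protected": True, "policy": "same-origin", "source": "xfo"}
    if value.startswith("allow-from"):
        # ALLOW-FROM was never supported by Chrome or Safari and has since
        # been dropped by Firefox; current browsers treat it as an
        # unrecognized value, which gives no protection.
        return {"protected": False, "policy": "allow-from-legacy",
                "source": "xfo"}
    return {"protected": False, "policy": "invalid", "source": "xfo",
            "values": xfo}


# Constructed sample responses for the situations discussed in the thread.
SAMPLE_RESPONSES: Dict[str, Dict[str, List[str]]] = {
    "deny-everything": {"x-frame-options": ["DENY"]},
    "widget-for-partner": {
        # X-Frame-Options is ignored here because frame-ancestors is present;
        # partner.example is a constructed placeholder origin.
        "x-frame-options": ["DENY"],
        "content-security-policy": [
            "default-src 'self'; frame-ancestors https://partner.example"],
    },
    "unprotected": {"content-type": ["text/html"]},
}


def report() -> Dict[str, dict]:
    """Run the assessment over every constructed sample response."""
    return {name: assess_framing(h) for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```

The "widget-for-partner" sample is the case X-Frame-Options alone cannot express: the page is embeddable, but only by the one origin named in frame-ancestors, and any other framing origin is refused by the browser.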