What is Read-Only Web for Application Controls?

Article ID: 167282

Products

ProxySG Software - SGOS

Issue/Introduction

What is Read-Only Web?

Read-Only Web (ROW) is a Blue Coat initiative that gives customers the option of providing read-only access to Web Applications using Blue Coat Application Controls. Several of Blue Coat’s customers, primarily financial institutions, understandably have very strong Data Loss Prevention (DLP) concerns, and ROW is Blue Coat’s initiative to address them.

Read operations are all actions an end user might take that do not change application state in a meaningful way. For example, reading an email, browsing posts, or downloading files typically do not present a DLP concern, although an administrator may still choose to block file downloads for other security reasons. Write operations are all actions an end user might take that do change application state in a meaningful way. For example, posting comments, naming an object, sending an email, or uploading a file all present a serious DLP concern.

What ROW means, in practical terms, is that users will be limited to performing read-only operations. For example, they would be able to check their external inboxes for new messages, follow social networking posts, or browse photos online, but they would not be able to send private messages through external email applications like Gmail or Yahoo! Mail, or post messages and comments in social networking applications like Facebook or Twitter.

How Do I Use Read-Only Web?

Strategy 1: Block Write Request Methods

The first Read-Only Web strategy relies on a common convention in many popular Web Applications (Desktop Browser): read operations use the HTTP GET, TRACE, HEAD, or OPTIONS request methods, and write operations use the HTTP POST, PUT, or DELETE request methods. These request methods are defined in the HTTP 1.1 specification (RFC 2616).

Advantages

Blocking write request methods has the following advantages:

  • It is simple to implement and maintain.
  • It covers a lot of ground.
  • For applications that honor the read/write convention, it covers all application write functionality and may cover future write functionality.

Disadvantages

Blocking write request methods has the following disadvantages:

  • It may block too much (overblock) or too little (underblock).
  • There is no guarantee that Web Applications will follow this read/write convention. For example, Mobile Web (Mobile Browser) and Mobile Apps (Mobile device-based) typically make JSON or XML remote procedure calls over the POST request method for both read and write operations.

Strategy 2: Block Write Operations

Advantages

Blocking write operations has the following advantages:

  • Operations allow granular control of application functionality by type. So, for instance, an administrator could allow end users to watch videos on YouTube (e.g., allow “Play Videos”) but not post comments (e.g., deny “Post Messages”).
  • It allows for the possibility of Read-Only Web for Mobile Web (Mobile Browser) and Mobile Applications (Mobile device-based) that typically use JSON or XML remote procedure calls using the POST request method for both read and write operations.

Disadvantages

Blocking write operations has the following disadvantages:

  • Implementing ROW using operations requires a comprehensive set of operations covering all of an application’s write functionality. To date, Blue Coat has not defined an operation for every possible write action. For example, there is no operation for naming an object such as a photo album or a group.
  • Blue Coat may define additional operations in the future, which would necessitate updating policy.
  • Because operations are tightly coupled to each application’s implementation, they are inherently fragile and require significant initial research and ongoing maintenance.
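The overblock/underblock trade-off between Strategy 1 (request methods) and Strategy 2 (operations) described above, as an added example that is not Blue Coat code: it runs both strategies over a constructed, hand-labelled request sample (the operation tags are assumed classifier labels, not ProxySG output) and reports which reads each strategy denies and which writes it lets through.

```python
# Added illustration, not Blue Coat code: compares the two ROW strategies
# against a constructed, hand-labelled request sample and reports which
# requests each strategy overblocks (read denied) or underblocks (write allowed).

WRITE_METHODS = {"POST", "PUT", "DELETE"}
# Strategy 2 can only deny operations the vendor has defined; "naming an
# album" and "joining a group" have no entry, mirroring the page's caveat.
WRITE_OPERATIONS = {"post messages", "send email", "upload attachment",
                    "upload files", "upload media", "manage settings"}

# Constructed sample: (description, method, operation tag or None, is_write).
# The operation tags are assumed classifier labels, not observed ProxySG output.
SAMPLE = [
    ("desktop: read news feed",             "GET",  None,            False),
    ("desktop: post a comment",             "POST", "post messages", True),
    ("desktop: upload a photo",             "POST", "upload media",  True),
    ("desktop: rename a photo album",       "POST", None,            True),
    ("desktop: join a group via GET link",  "GET",  None,            True),
    ("mobile app: JSON-RPC fetch inbox",    "POST", None,            False),
    ("mobile app: JSON-RPC send message",   "POST", "send email",    True),
]

def blocks_by_method(method, operation):
    """Strategy 1: deny every request that uses a write request method."""
    return method in WRITE_METHODS

def blocks_by_operation(method, operation):
    """Strategy 2: deny every request classified as a defined write operation."""
    return operation in WRITE_OPERATIONS

def evaluate(strategy):
    """Return (overblocks, underblocks): descriptions of reads the strategy
    denies and of writes it lets through."""
    over, under = [], []
    for desc, method, operation, is_write in SAMPLE:
        blocked = strategy(method, operation)
        if blocked and not is_write:
            over.append(desc)
        elif is_write and not blocked:
            under.append(desc)
    return over, under

if __name__ == "__main__":
    for name, fn in (("method", blocks_by_method), ("operation", blocks_by_operation)):
        over, under = evaluate(fn)
        print(f"{name:9s} overblocks={over} underblocks={under}")
```

The method strategy overblocks the mobile JSON-RPC read and underblocks the GET-based write; the operation strategy overblocks nothing but underblocks every write that has no defined operation.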

Write Operations (as of 2/20/2013*)

  • Manage Profile
  • Manage Settings
  • Modify Files
  • Post Messages
  • Send Email
  • Upload Attachment
  • Upload Files
  • Upload Media
  • Upload Pictures
  • Upload Videos

*For an up-to-date list, please see Operation Descriptions.

Which Apps Support Read-Only Web by Request Method?

Blocking write request methods is a suitable DLP solution if an application meets two criteria:

  1. Coverage - Blocking write request methods successfully blocks all (or, the vast majority of) write functionality with minimal, and often cosmetic, side-effects.
  2. Resilience - Blocking write request methods will likely cover future write functionality without policy changes.

Based upon these criteria, Blue Coat has identified the following Web Applications (Desktop Browser) that support ROW by request method. In addition to the Web Apps noted below, any application that meets the above criteria can implement ROW using straightforward policy (see the policy examples below).

Apps that Support ROW by Request Method

Application Name   Overblocks   Underblocks
Facebook           Yes          No
LinkedIn           Yes          Yes
Twitter            No           No
YouTube            Yes          Yes

Facebook

Rationale: Blocking write request methods renders this application read-only with minimal overblocking.

Underblocks: N/A

Overblocks:

  • Can’t read some older style messages.
  • Can’t ungroup comment history using the “View all comments” link.

LinkedIn

Rationale: Blocking write request methods renders this application read-only with minimal overblocking and underblocking.

Overblocks: Breaks group “Choose your View” selector.

Underblocks: Doesn’t block joining a group.

Twitter

Rationale: Blocking write request methods renders this application read-only with no overblocking or underblocking.

Overblocks: N/A

Underblocks: N/A

YouTube

Rationale: Blocking POSTs renders this application read-only with minimal overblocking and underblocking.

Overblocks: Can’t see messages, contacts.

Underblocks: It is possible to upload videos from a webcam when blocking POSTs. Block the “Upload Videos” operation in addition to write request methods to compensate.

Example of Request Method-Based Policy

;Read-only Facebook: allows login, but denies write request methods
<proxy>
    ALLOW url.application.name="facebook" url.application.operation="login"
    DENY url.application.name="facebook" http.method=POST
    DENY url.application.name="facebook" http.method=PUT
    DENY url.application.name="facebook" http.method=DELETE

;Read-only LinkedIn: allows login, but denies write request methods
<proxy>
    ALLOW url.application.name="linkedin" url.application.operation="login"
    DENY url.application.name="linkedin" http.method=POST
    DENY url.application.name="linkedin" http.method=PUT
    DENY url.application.name="linkedin" http.method=DELETE

;Read-only Twitter: allows login, but denies write request methods
<proxy>
    ALLOW url.application.name="twitter" url.application.operation="login"
    DENY url.application.name="twitter" http.method=POST
    DENY url.application.name="twitter" http.method=PUT
    DENY url.application.name="twitter" http.method=DELETE

;Read-only YouTube: allows login, but denies write request methods & the “Upload Videos” operation
<proxy>
    ALLOW url.application.name="youtube" url.application.operation="login"
    DENY url.application.name="youtube" http.method=POST
    DENY url.application.name="youtube" http.method=PUT
    DENY url.application.name="youtube" http.method=DELETE
    DENY url.application.name="youtube" url.application.operation="upload videos"

Which Apps Support Read-Only Web by Operations?

This set includes every other defined application (see Application and Operation Controls for a current listing). Technically, none of these applications has operations defined for every possible write action, but the most significant ones are covered, such as sending email, uploading attachments, posting on social networking sites, and uploading files.

Example of Operation-Based Policy

;Read-only Gmail: blocks sending email, uploading attachments, and non-cosmetic settings changes
<proxy>
    DENY url.application.name="gmail" url.application.operation="send email"
    DENY url.application.name="gmail" url.application.operation="upload attachments"
    DENY url.application.name="gmail" url.application.operation="manage settings"
    ALLOW url.application.name="gmail"

;Read-only Tumblr: blocks message posting and media uploads (picture & video)
<proxy>
    DENY url.application.name="tumblr" url.application.operation="post messages"
    DENY url.application.name="tumblr" url.application.operation="upload media"
    ALLOW url.application.name="tumblr"
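Why the rule order inside each layer matters, as an added example that is not ProxySG code: a minimal first-match evaluator replays the YouTube (method-based) and Gmail (operation-based) layers above against constructed requests. It assumes the operation tags the proxy's classifier would assign, assumes the webcam upload arrives over a non-POST method, and assumes "ALLOW" when no rule in a layer matches (the real default is a configured ProxySG setting).

```python
# Added illustration, not ProxySG code: a tiny first-match evaluator that
# mimics how the rules inside one CPL <proxy> layer are tried in order, and
# replays the page's YouTube (method-based) and Gmail (operation-based) layers
# against constructed requests. Real ProxySG policy has more conditions and a
# configurable default; "ALLOW" when nothing matches is an assumption here.

def rule(verdict, **conditions):
    """A rule matches only when every condition it carries holds."""
    return (verdict, conditions)

def evaluate_layer(layer, request):
    """Return the verdict of the first matching rule, or the assumed default."""
    for verdict, conditions in layer:
        if all(request.get(key) == value for key, value in conditions.items()):
            return verdict
    return "ALLOW"

# Page's YouTube layer: login is allowed first so the login POST is not
# caught by the method denies; the operation deny closes the webcam gap.
YOUTUBE_ROW = [
    rule("ALLOW", app="youtube", operation="login"),
    rule("DENY",  app="youtube", method="POST"),
    rule("DENY",  app="youtube", method="PUT"),
    rule("DENY",  app="youtube", method="DELETE"),
    rule("DENY",  app="youtube", operation="upload videos"),
]

# Page's Gmail layer: specific operation denies, then a broad allow.
GMAIL_ROW = [
    rule("DENY",  app="gmail", operation="send email"),
    rule("DENY",  app="gmail", operation="upload attachments"),
    rule("DENY",  app="gmail", operation="manage settings"),
    rule("ALLOW", app="gmail"),
]

def verdicts():
    """Constructed requests; operation tags are assumed classifier labels,
    and the webcam upload's non-POST method is assumed, not observed."""
    return {
        "youtube login POST":    evaluate_layer(YOUTUBE_ROW, {"app": "youtube", "method": "POST", "operation": "login"}),
        "youtube play video":    evaluate_layer(YOUTUBE_ROW, {"app": "youtube", "method": "GET", "operation": "play videos"}),
        "youtube comment POST":  evaluate_layer(YOUTUBE_ROW, {"app": "youtube", "method": "POST", "operation": "post messages"}),
        "youtube webcam upload": evaluate_layer(YOUTUBE_ROW, {"app": "youtube", "method": "GET", "operation": "upload videos"}),
        "gmail inbox over POST": evaluate_layer(GMAIL_ROW, {"app": "gmail", "method": "POST", "operation": None}),
        "gmail send email":      evaluate_layer(GMAIL_ROW, {"app": "gmail", "method": "POST", "operation": "send email"}),
    }

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:5s} {name}")
```

Moving the YouTube ALLOW login rule below the method denies would deny the login POST, and moving the Gmail ALLOW above the operation denies would let every Gmail request through.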
