Posts by William Coppock

2 publicly visible posts • joined 27 Aug 2021

Brit says sorry after waving around nonce patent and leaning on sites to cough up

William Coppock

Re: The law is clear

Gerv's 2005 blog post isn't detailed enough to count as prior art because there is not enough information to put the idea into practice, even when combined with other ideas. Even he says in the opening line that it's an idea. An idea is akin to the claims in a patent. Not the actual detail.

The comments section in the blog shows that it raises more questions than it answers and several posts shoot holes in his idea. For example, Luke asks a question and Vi assumes the answer: that the script key is protected by the fact that JavaScript cannot run without the key. But this fails to acknowledge that there is a trust/untrust boundary issue with the entire scripting environment and that you actually need to take measures to obscure the script key from untrusted script, whether it be other JavaScript or HTML, because execution is not just coming from the JavaScript. If I recall, even the first production release of CSP nonce got this wrong. It didn't obfuscate the nonce from the DOM. The answer to his boundary issue is discussed at length in my patent and makes its way into both the server and client side components. The boundary issues created by a plain text nonce are very different from the boundary issues relating to other methods so you can't guess the solution from other related ideas such as BEEB, which is based on hashes.

Another issue not discussed is the conveying of trust and/or protection to newly created ancillary portions of the scripting environment, such as IFRAMES or SCRIPT tags created with createElement. This is akin to the problem only recently solved by the addition of strict-dynamic to CSP nonce, ten years after my patent. My patent describes the problem and process of solving it.

These are just two examples of things that even if my Claim 1 was debunked, the remaining claims would remain intact and still describe many of the methods needed to implement the CSP nonce successfully.
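For readers unfamiliar with the two CSP behaviours this post refers to (a per-response script nonce, and trust passing to `createElement`-created scripts under `strict-dynamic`), here is a simplified model of the browser's decision. It is an added example, not part of the original post and not Scriptlock or any browser's code; the function names, the script-description object and the `.example` hosts are assumptions made for illustration.

```javascript
// Added example: simplified model of CSP Level 3 script-src handling for
// nonces and 'strict-dynamic'. All names here are this example's own.
const { randomBytes } = require('crypto');

// A fresh, unpredictable nonce per response; a reused nonce can be replayed.
function newNonce() {
  return randomBytes(16).toString('base64');
}

function buildPolicy(nonce) {
  return `script-src 'nonce-${nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'`;
}

// Return the source expressions of the script-src directive.
function scriptSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return values;
  }
  return [];
}

// script: { nonce, parserInserted, src } is a constructed description of a
// <script> element, not a real DOM node.
function scriptAllowed(policy, script) {
  const sources = scriptSources(policy);
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice(7, -1)); // strip leading 'nonce- and trailing quote
  // 1. A matching nonce authorises the element wherever it came from.
  if (script.nonce && nonces.includes(script.nonce)) return true;
  if (sources.includes("'strict-dynamic'")) {
    // 2. Trust passes to scripts created by already-trusted script
    //    (createElement), never to scripts that arrive as injected markup.
    //    Host allowlist entries are ignored in this mode.
    return !script.parserInserted;
  }
  // 3. Without 'strict-dynamic': URL allowlist (exact origin match only here).
  if (!script.src) return false;
  return sources.includes(new URL(script.src).origin);
}
```

The model leaves out hash sources and the browser-side hiding of the `nonce` attribute from markup and CSS selectors, which is the separate exposure problem the post raises.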

William Coppock

Thank you for your kind comment.

I have a deep respect for the idea that the late Gervase Markham had in 2005, but as far as can be told from his blog post and subsequent internal communications in W3C, his idea was abandoned and not put into practice. It seems it was abandoned for the same reason that nobody has heard of Scriptlock until now. The world wasn't ready for it.

I came up with Scriptlock independently of his idea. My original idea was to see if I could protect against XSS in then-current browsers by using JavaScript itself to rewrite JavaScript. As the idea developed I found myself needing to add things in like the password, a server side component, etc. until I had a working prototype, which yes, save for the fact that it does it using JavaScript, does exactly the same job as the CSP nonce.

Indeed the invention can emulate the CSP nonce in IE10/IE11. So what proof do you need?

It was a very exciting development. I felt that using a password to authorise the execution of JavaScript in a webpage was going to revolutionise website security and make the internet a more secure place, so I patented it. My very good patent attorneys asked me to conceive of other ways in which it could be done and to create a generalised model, explaining that if you invent a table that extends using flaps and nobody has invented a table before then you claim: a table, a table with legs, a table that extends etc. So that your patent can't be circumvented by doing things slightly differently.

Unfortunately, just like nobody was interested in Gervase's idea, nobody was interested in my invention. In 2012 I wrote to several of the big companies after my patent was published to see if they wanted to use the product. I got no reply.

The problem was that CSP1.0 had come along with its white listing techniques and the world had gone stir crazy with moving JavaScript into external script files. The mere mention of inline events became an absolute taboo. So there seemed to be no future for something that promoted inline script and inline events. In fact I remember contacting someone on the now defunct ha.ckers.org website, whose response was, “Interesting…But what does this achieve that CSP[1.0] white listing does not?”.

Disheartened, I let the idea go and went back to my day job, though I kept the website up all this time.

No, we can't use what we know now to change history: In 2011 nobody practicing the art of computer security believed that embedding a password in plain text into a web page could in any way add to the security of the page. So, as far as can be told, nobody put it into practice. Two different patent examiners agreed. In 2011 I showed it could be done within the browsers available at the time and that it did work. Heck, the original version worked in IE9!

As to my motives to do something now:

I am a 45-year-old father of six children, two of whom have disabilities, one very severe. 18 months ago I was diagnosed with a rare combination of cancers (Thyroid cancer and Lymphoma), which has left me struggling to function every day.

For the last six years I have had to watch on as the biggest companies in the world use what looks like my patent… and now I’m struggling to support them and I can’t do anything about it.

The patent system was devised to protect small inventors like me. But to small inventors patents are worthless. It costs millions of pounds to enforce them and in this case would entail me going up against the biggest companies in the world, which I find a terrifying prospect.

It was my hope to be able to revive my invention and build up a business based on it with the view that maybe one day I might have the financial strength to address the bigger problem. My letter was simply to seek the support of people benefiting from this invention with a voluntary contribution. I made a gross error in judgement with my approach and choice of words. Sorry.

I have offered to pay any costs they incurred getting legal advice.

The fight's been knocked out of me by this cancer, so as I said to Gareth, I'm not sure I can be bothered.

There is a voluntary scheme in place on my website if anyone does want to contribute.

William