Cleanup of Security Considerations

[mmccool]

Resolves Issue #254

• Remove ednote from opening paragraph
• Comment out "Limited Duration Access"; will move to TD spec (see TD PR Cleanup Security, Privacy, and IANA Considerations wot-thing-description#1428)
• Move "Self-Discovery on LANs" to Security Considerations
• Add reference to OWASP Top 10
• Add mention of Anonymous TDs to "Location Tracking"

---

Preview | Diff

[mmccool]

Let me know if I missed anything in the linked issue #254 before we merge this, as it will close that issue. There is another pending PR #286 that overlaps with this one slightly and adds another security consideration.. it should not cause actual conflicts, but some cleanup may be needed to merge both.

Have not dealt with certain other issues, like SSE Authentication. Others not explicitly linked will remain open.

[Citrullin]

@mmccool This issue isn't limited to HTTP. CoAP has a similar issue. Californium enables you to access CoAP directly in the browser. This may become a feature in future browser versions.

[mmccool]

@Citrullin not sure what you mean by "this issue". Can you be specific? Unfortunately the linked issue has a bunch of things in it. I am trying to clear the deck, then we can make new, smaller issues for more specific things. If you'd like to make some changes to the current PR e.g. for CoAP please do a review and suggest changes...

[mmccool]

Suggest we merge this one ASAP (suggested changes can be done with issues), since we have discussed all the points addressed here at length, but hold on #286 until the other members of the Security TF have reviewed it.