W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 2000

RE: webmail vulnerabilities: a new pragma token?

From: Scott Lawrence <lawrence@agranat.com>
Date: Thu, 20 Jan 2000 09:51:35 -0500
To: <http-wg@cuckoo.hpl.hp.com>
Cc: <peterw@usa.net>
Message-ID: <000401bf6355$d9127a20$954768c0@oyster.agranat.com>
> From: Peter W

> It would be nice if there were on an HTTP header that, if sent
> to the client, would cause the client to disable javascript,
> vbscript, etc. for that document only.

> > The problem with Pragma as an extension mechanism is
> > that there is
> > no way for the server to know whether or not the
> > client understands
> > any particular pragma token, so it becomes an unreliable
> > mechanism.

> True, but that's just an issue of getting client vendors on
> board.

Believe me, that is a big hurdle to get over.  I'm one of the
authors of RFC 2617 - Digest Authentication, whose goal is simply
to stop publishing passwords on the Net in cleartext (as all web
mail sites do now - do any use Digest yet?  IE5 supports it.)
Getting new extensions into browsers is not an easy task
(Netscape doesn't even support HTTP/1.1 yet), and you have to
always assume that some won't have it.

> Agreed. I think it would be nice if HTTP provided a way to
> indicate to the client where they might find a signature or
> verification service to authenticate individual pieces of
> content. [...]
> So this, too, is a good candidate for a new entity header.

I should think that multipart/signed would be a better way to go;
the server provides both the object and its signature together.

> I also think there should be an HTML/XML DTD extension to allow
> a document to mark a portion of it (e.g., a certain DIV) as
> signed text, e.g. the news paragraphs are signed, but not the
> doubleclick ad banner. ;-)

That sounds like grist for the XML Signatures WG.

> But it would be nice, don't you think, if a site could
> explicitly repudiate a document without needing a different
> base URL?

I think that you've got the problem backwards - rather than
trying to find a way to explicitly repudiate things, the model
needs to be that nothing is trusted unless vouched for
explicitly.  Otherwise, an attacker can just strip the
repudiation and the result is a trusted object.

> I don't see signed scripts going anywhere soon; too much of a
> hassle for Web publishers.

I think that if Web publishers want to run their programs on my
system with my privileges, then the burden belongs on them to
establish that I can trust them and their scripts.

> Two growing trends make this repudiation a valuable notion:
> webmail systems (ala Hotmail) and discussion-based Web sites
> (ala Slashdot). In both these models, it's natural that
> externally-supplied content should not be trusted to the same
> degree that content created by Microsoft (Hotmail) or Andover
> (Slashdot) should be.

Interesting assumption - that the service provider should be
presumed more trustworthy.  One I don't share, but that is not a
protocol issue.

> And especially for webmail, it seems
> very, very difficult for the server to filter out all the
> different ways of embedding scripts. (Actually, sanitizing
> other objects like PostScript files or Java classes would be
> more difficult.)

Which is why they should put the burden on the originator of the
mail and the recipient to implement a trust model that flows
through their service, rather than taking on the (probably
impossible) job of making all the content safe.

--
Scott Lawrence      Director of R & D        <lawrence@agranat.com>
Agranat Systems   Embedded Web Technology   http://www.agranat.com/
Received on Thursday, 20 January 2000 14:55:22 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:35 EDT