
Re: exposing sensitive information in URIs - LC comments on draft-nottingham-http-link-header-07.txt

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 29 Jan 2010 15:30:51 +1100
Cc: Apps Discuss <discuss@apps.ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <AD5F57CA-C457-46A5-8098-019FB9B09FCB@mnot.net>
To: Julian Reschke <julian.reschke@gmx.de>
I sincerely don't believe that adding any such text to the Link draft (or the URI specification, which is where this really belongs) will make the world any more secure of a place. 

However, I'll be happy to have that discussion with Eric *if* he brings it up.

Cheers,


On 22/01/2010, at 1:23 AM, Julian Reschke wrote:

> Hi,
> 
> finally a security related comment.
> 
> During IETF LC for draft-brown-versioning-link-relations we got a comment from Eric Rescorla:
> 
> "In general this mechanism seems sound but I'm not sure that the security considerations are entirely adequate. This mechanism lets you learn information about other versions of a resource even if you potentially don't have permission to view them directly. Consider a limiting case where each version of the resource had a name that contained the change set for that resource. E.g.,
> 
> http://example.com/versions/filename/_@line_50_+_FOO;@line_60_+_BAR/;
> 
> In this case, seeing other parts of the version tree leaks information about those versions. I don't think that this is a problem for the draft, but it might be useful to mention that this feature has implications for name construction."
> 
> I assume this is a concern that applies to the Link header in general.
> 
> Best regards, Julian
> 
> 


--
Mark Nottingham     http://www.mnot.net/
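As an added example, not code from this thread or from the drafts it discusses: a short Python script that parses a Link header in the draft's `<uri>; rel="..."` form, shows how a descriptive version URI like the one Eric quotes carries the change set in plain view, and instead hands out opaque version identifiers so the link reveals only that a sibling version exists. The rel name `successor-version` comes from the versioning link-relations draft the thread mentions; `OpaqueVersionStore` and the sample header are constructed for this illustration.

```python
import re
import secrets

# Constructed Link header in the naming style Eric describes: the target
# URI itself spells out the change set of a version the client may not
# be allowed to fetch, so the header alone leaks that content.
LEAKY_LINK_HEADER = (
    '<http://example.com/versions/filename/_@line_50_+_FOO;@line_60_+_BAR/>; '
    'rel="successor-version"'
)

# Minimal link-value matcher: a <target> followed by ;-separated parameters.
# Assumes no unquoted commas inside the target URI or parameter values.
LINK_VALUE_RE = re.compile(r'<([^>]*)>\s*((?:;[^,]*)*)')


def parse_link_header(value):
    """Return a list of (target_uri, rel) tuples from a Link header value."""
    links = []
    for m in LINK_VALUE_RE.finditer(value):
        target, params = m.group(1), m.group(2)
        rel = None
        for param in params.split(';'):
            name, _, val = param.partition('=')
            if name.strip().lower() == 'rel':
                rel = val.strip().strip('"')
        links.append((target, rel))
    return links


class OpaqueVersionStore:
    """Hypothetical server-side store: each version gets a random token,
    and the token -> change-set mapping never leaves the server."""

    def __init__(self, base):
        self.base = base
        self.versions = {}  # token -> change set, server side only

    def add_version(self, change_set):
        token = secrets.token_urlsafe(12)
        self.versions[token] = change_set
        return f"{self.base}/{token}"


def build_link_header(targets_and_rels):
    """Serialise (target, rel) pairs back into a Link header value."""
    return ', '.join(f'<{t}>; rel="{r}"' for t, r in targets_and_rels)
```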
Received on Friday, 29 January 2010 04:31:22 GMT
