
Re: #328: user Intervention on Redirects

From: Chris Weber <chris@lookout.net>
Date: Tue, 07 Feb 2012 09:10:42 -0800
Message-ID: <4F315B12.6090800@lookout.net>
To: Martin Thomson <martin.thomson@gmail.com>
CC: Julian Reschke <julian.reschke@gmx.de>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2/7/2012 8:38 AM, Martin Thomson wrote:
> I don't see the problem. So I ask to modify X, but then X points me to
> Y, so I either automatically modify Y, or require confirmation before
> doing so. There isn't a security problem. X has the information and
> could forward to Y itself. 

Within the security community the issue has been termed "Open Redirect"
and has been well documented here
http://cwe.mitre.org/data/definitions/601.html and here
https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
as well as other places.  It's not a vulnerability by itself but has
been heavily abused by phishing attacks over the years.  As such, any
security review or penetration test performed today will flag open
redirects as an issue that needs to be addressed.  To protect their
users, many top applications have built in 'safe redirect' protections
that allow same-origin redirects and either disallow or prompt the user
before allowing redirection to third-party domains. 

From my point of view it's the job of the applications to implement safe
redirection protection, and several libraries already exist for this. 
If users started seeing prompts for all offsite redirects I'm sure that
they'd just end up clicking the check box to 'never show me this message
again.'

Best regards,
Chris Weber
Received on Tuesday, 7 February 2012 17:13:22 GMT
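The 'safe redirect' protection the message describes, as an added example that is not part of the original thread and not code from any particular library: a check that allows same-origin targets, allows an optional allow-list of partner hosts, and returns "confirm" for anything else so the application can prompt instead of redirecting silently. The function name, the allow-list and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin


def _origin(parts):
    """(scheme, host, effective port) for a split URL, or None if the port is malformed."""
    try:
        port = parts.port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port)


def classify_redirect(target: str, current_url: str, allowed_hosts=()) -> str:
    """Return 'allow', 'confirm' or 'reject' for a redirect target.

    Relative paths resolve against current_url. A target is same-origin when
    scheme, host and port all match. Other http(s) targets are third-party and
    come back as 'confirm' so the application can prompt; unsafe forms are
    rejected outright.
    """
    if not target or any(c in target for c in "\r\n\x00"):
        return "reject"  # control characters: header injection, not a real target
    # Browsers treat backslashes in the authority like slashes, so normalise
    # before resolving; otherwise '/\evil.example' looks like a local path.
    normalised = target.replace("\\", "/")
    base = urlsplit(current_url)
    resolved = urlsplit(urljoin(current_url, normalised))
    if resolved.scheme not in ("http", "https"):
        return "reject"  # javascript:, data:, etc.
    if resolved.username is not None or resolved.password is not None:
        return "reject"  # 'https://app.example@evil.example' tricks the eye, not the parser
    if resolved.hostname is None:
        return "reject"
    origin = _origin(resolved)
    if origin is None:
        return "reject"
    if origin == _origin(base):
        return "allow"
    if resolved.hostname in allowed_hosts and resolved.scheme == "https":
        return "allow"
    return "confirm"  # third-party: prompt the user or refuse, per policy
```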
