Re: web+ and registerProtocolHandler from Peter Saint-Andre on 2012-09-12 (public-ietf-w3c@w3.org from September 2012)

From: Peter Saint-Andre <stpeter@stpeter.im>
Date: Wed, 12 Sep 2012 08:47:00 -0600
To: Adam Barth <w3c@adambarth.com>
CC: Larry Masinter <masinter@adobe.com>, "michel@suignard.com" <michel@suignard.com>, "tony@att.com" <tony@att.com>, "plh@w3.org" <plh@w3.org>, "adil@diwan.com" <adil@diwan.com>, "robin@berjon.com" <robin@berjon.com>, "ted.ietf@gmail.com" <ted.ietf@gmail.com>, John O'Conner <jooconne@adobe.com>, "presnick@qualcomm.com" <presnick@qualcomm.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, "chris@lookout.net" <chris@lookout.net>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>
Message-ID: <5050A064.3010806@stpeter.im>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In the context of whitelisting vs. blacklisting, the concern I have
with the prefixing idea is that it implicitly whitelists any URI
scheme that starts with the string "web+", yet the proponents of this
idea have not specified any criteria for review of such prefixed URI
schemes (or even answered the questions raised here and elsewhere
about whether additional review is needed for such schemes by the
designated experts or the IANA).

I agree that blacklisting doesn't scale and isn't secure. I disagree
that implicit whitelisting is the answer.

Peter

On 9/10/12 9:56 AM, Adam Barth wrote:
> It's just a practical issue.  Many folks have URI schemes
> registered on their computers that are not safe for web sites to
> hijack (i.e., register).  It's not practical to create an blacklist
> that effectively mitigates that risk.  As it happens, we not aware
> of any folks who have such registrations for URI schemes that begin
> with "web+".
> 
> Adam
> 
> 
> On Mon, Sep 10, 2012 at 1:01 AM, Larry Masinter
> <masinter@adobe.com> wrote:
>> since this affects ietf and w3c, and public-ietf-w3c is publicly
>> archived, could someone explain why allowing registering
>> arbitrary web+xxx scheme handlers is any better than allowing
>> arbitrary (unblacklisted) xxx scheme handlers?
>> 
>> 
>> -----Original message-----
>> 
>> From: Adam Barth <w3c@adambarth.com> To: Larry Masinter
>> <masinter@adobe.com> Cc: "michel@suignard.com"
>> <michel@suignard.com>, Tony Hansen <tony@att.com>, Philippe Le
>> Hegaret <plh@w3.org>, Peter Saint-Andre <stpeter@stpeter.im>, 
>> Adil Allawi <adil@diwan.com>, Robin Berjon <robin@berjon.com>,
>> Ted Hardie <ted.ietf@gmail.com>, John O'Conner
>> <jooconne@adobe.com>, Pete Resnick <presnick@qualcomm.com>,
>> "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Chris Weber
>> <chris@lookout.net> Sent: Sun, Sep 9, 2012 19:09:22 GMT+00:00 
>> Subject: RE: 85th IETF - Working Group/BOF/IRTF Scheduling -
>> REMINDER
>> 
>> We should discuss further on a publicly archived mailing list.
>> 
>> Adam
>> 
>> On Sep 9, 2012 12:00 PM, "Larry Masinter" <masinter@adobe.com>
>> wrote:
>>> 
>>> Why doesn't "web+"  introduce all the same problems a blacklist
>>> approach (where everything is allowed unless explicitly
>>> disallowed) introduces? That's kind of what Chris' tests are
>>> showing.
>>> 
>>> And what's the point, anyway, of a precise specification but
>>> leaving out the necessary steps to implement the spec
>>> securely?
>>> 
>>> 
>>> 
>>> -----Original Message----- From: Adam Barth
>>> [mailto:w3c@adambarth.com] Sent: Sunday, September 09, 2012
>>> 10:20 AM To: Chris Weber Cc: Larry Masinter; "Martin J. Dürst";
>>> Peter Saint-Andre; Philippe Le Hegaret; John O'Conner; Tony
>>> Hansen; Ted Hardie; michel@suignard.com; Adil Allawi; Pete
>>> Resnick; Robin Berjon Subject: Re: 85th IETF - Working
>>> Group/BOF/IRTF Scheduling - REMINDER
>>> 
>>> Folks can be unhappy with a whitelist all they want.  A
>>> blacklist isn't secure and we won't implement it.
>>> 
>>> Adam
>>> 
>>> 
>>> On Sun, Sep 9, 2012 at 12:11 AM, Chris Weber
>>> <chris@lookout.net> wrote:
>>>> Thanks for the message Martin and Larry.  I will not be in
>>>> Atlanta unfortunately,  I'm guessing Peter will..?  I'd be
>>>> happy to schedule some design meeting time for next week
>>>> after the expiring drafts have been re-submitted.
>>>> 
>>>> As far as web+xxx, I'm still afraid that a user
>>>> fingerprinting and tracking risk exists - though I didn't
>>>> test the isProtocolHandlerRegistered() method for
>>>> exploitability because it didn't exist, I see Safari has
>>>> implemented it now and Chrome and Firefox have some active
>>>> bugs for tracking.
>>>> 
>>>> Also, I notice that some developers are not happy with the
>>>> whitelist vs blacklist approach:
>>>> https://github.com/jquery/standards/issues/12
>>>> 
>>>> -Chris
>>>> 
>>>> On 9/8/2012 9:32 AM, Larry Masinter wrote:
>>>>> I'm planning to go to IETF Atlanta (direct from W3C TPAC in
>>>>> Lyon)
>>>>> 
>>>>> I'd like to better coordinate the IETF and W3C specs on
>>>>> URLs, IRIs, etc. Doing so was my original motivation for
>>>>> revising these specs in the first place. I'd like to also
>>>>> see if we can make progress on "web+xxx" and (if it's still
>>>>> in W3C specs) "http+aes".
>>>>> 
>>>>> I see Chris is doing testing. Making progress on open
>>>>> issues was stymied by lack of testing, so perhaps now that
>>>>> we have some testing capabilities we can make more rapid
>>>>> progress.
>>>>> 
>>>>> Larry

<snip/>


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBQoGQACgkQNL8k5A2w/vxCAgCfXencuCpjpoP1OqvSvgCb2m/B
OwcAnR7QcQGgy5ZGuuUS60Rcfu1ylNJk
=T5l0
-----END PGP SIGNATURE-----

Received on Wednesday, 12 September 2012 15:10:28 UTC