- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 12 Sep 2012 09:52:10 -0700
- To: Peter Saint-Andre <stpeter@stpeter.im>
- Cc: Larry Masinter <masinter@adobe.com>, "michel@suignard.com" <michel@suignard.com>, "tony@att.com" <tony@att.com>, "plh@w3.org" <plh@w3.org>, "adil@diwan.com" <adil@diwan.com>, "robin@berjon.com" <robin@berjon.com>, "ted.ietf@gmail.com" <ted.ietf@gmail.com>, "John O'Conner" <jooconne@adobe.com>, "presnick@qualcomm.com" <presnick@qualcomm.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, "chris@lookout.net" <chris@lookout.net>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>
I should be clear that I'm not advocating "web+" as a good idea. I'm just explaining the security consequences of the various options.

Adam

On Wed, Sep 12, 2012 at 7:47 AM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In the context of whitelisting vs. blacklisting, the concern I have with the prefixing idea is that it implicitly whitelists any URI scheme that starts with the string "web+", yet the proponents of this idea have not specified any criteria for review of such prefixed URI schemes (or even answered the questions raised here and elsewhere about whether additional review is needed for such schemes by the designated experts or the IANA).
>
> I agree that blacklisting doesn't scale and isn't secure. I disagree that implicit whitelisting is the answer.
>
> Peter
>
> On 9/10/12 9:56 AM, Adam Barth wrote:
>> It's just a practical issue. Many folks have URI schemes registered on their computers that are not safe for web sites to hijack (i.e., register). It's not practical to create a blacklist that effectively mitigates that risk. As it happens, we are not aware of any folks who have such registrations for URI schemes that begin with "web+".
>>
>> Adam
>>
>> On Mon, Sep 10, 2012 at 1:01 AM, Larry Masinter <masinter@adobe.com> wrote:
>>> Since this affects IETF and W3C, and public-ietf-w3c is publicly archived, could someone explain why allowing registering arbitrary web+xxx scheme handlers is any better than allowing arbitrary (unblacklisted) xxx scheme handlers?
>>>
>>> -----Original message-----
>>>
>>> From: Adam Barth <w3c@adambarth.com>
>>> To: Larry Masinter <masinter@adobe.com>
>>> Cc: "michel@suignard.com" <michel@suignard.com>, Tony Hansen <tony@att.com>, Philippe Le Hegaret <plh@w3.org>, Peter Saint-Andre <stpeter@stpeter.im>, Adil Allawi <adil@diwan.com>, Robin Berjon <robin@berjon.com>, Ted Hardie <ted.ietf@gmail.com>, John O'Conner <jooconne@adobe.com>, Pete Resnick <presnick@qualcomm.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Chris Weber <chris@lookout.net>
>>> Sent: Sun, Sep 9, 2012 19:09:22 GMT+00:00
>>> Subject: RE: 85th IETF - Working Group/BOF/IRTF Scheduling - REMINDER
>>>
>>> We should discuss further on a publicly archived mailing list.
>>>
>>> Adam
>>>
>>> On Sep 9, 2012 12:00 PM, "Larry Masinter" <masinter@adobe.com> wrote:
>>>>
>>>> Why doesn't "web+" introduce all the same problems a blacklist approach (where everything is allowed unless explicitly disallowed) introduces? That's kind of what Chris' tests are showing.
>>>>
>>>> And what's the point, anyway, of a precise specification but leaving out the necessary steps to implement the spec securely?
>>>>
>>>> -----Original Message-----
>>>> From: Adam Barth [mailto:w3c@adambarth.com]
>>>> Sent: Sunday, September 09, 2012 10:20 AM
>>>> To: Chris Weber
>>>> Cc: Larry Masinter; "Martin J. Dürst"; Peter Saint-Andre; Philippe Le Hegaret; John O'Conner; Tony Hansen; Ted Hardie; michel@suignard.com; Adil Allawi; Pete Resnick; Robin Berjon
>>>> Subject: Re: 85th IETF - Working Group/BOF/IRTF Scheduling - REMINDER
>>>>
>>>> Folks can be unhappy with a whitelist all they want. A blacklist isn't secure and we won't implement it.
>>>>
>>>> Adam
>>>>
>>>> On Sun, Sep 9, 2012 at 12:11 AM, Chris Weber <chris@lookout.net> wrote:
>>>>> Thanks for the message Martin and Larry. I will not be in Atlanta unfortunately, I'm guessing Peter will..? I'd be happy to schedule some design meeting time for next week after the expiring drafts have been re-submitted.
>>>>>
>>>>> As far as web+xxx, I'm still afraid that a user fingerprinting and tracking risk exists - though I didn't test the isProtocolHandlerRegistered() method for exploitability because it didn't exist, I see Safari has implemented it now and Chrome and Firefox have some active bugs for tracking.
>>>>>
>>>>> Also, I notice that some developers are not happy with the whitelist vs blacklist approach:
>>>>> https://github.com/jquery/standards/issues/12
>>>>>
>>>>> -Chris
>>>>>
>>>>> On 9/8/2012 9:32 AM, Larry Masinter wrote:
>>>>>> I'm planning to go to IETF Atlanta (direct from W3C TPAC in Lyon)
>>>>>>
>>>>>> I'd like to better coordinate the IETF and W3C specs on URLs, IRIs, etc. Doing so was my original motivation for revising these specs in the first place. I'd like to also see if we can make progress on "web+xxx" and (if it's still in W3C specs) "http+aes".
>>>>>>
>>>>>> I see Chris is doing testing. Making progress on open issues was stymied by lack of testing, so perhaps now that we have some testing capabilities we can make more rapid progress.
>>>>>>
>>>>>> Larry
>
> <snip/>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBQoGQACgkQNL8k5A2w/vxCAgCfXencuCpjpoP1OqvSvgCb2m/B
> OwcAnR7QcQGgy5ZGuuUS60Rcfu1ylNJk
> =T5l0
> -----END PGP SIGNATURE-----
Received on Wednesday, 12 September 2012 16:53:12 UTC
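The whitelist-versus-blacklist argument in the thread above is easiest to see as code. The following is an added example, not code from the thread or from any browser: it models the check a browser could apply before honouring a page's registerProtocolHandler() call, once as a safelist plus "web+" prefix rule (the approach Adam describes) and once as a blocklist (the approach Larry asks about), then reports the schemes on which the two disagree. The concrete safelist and blocklist contents, the lowercase normalisation, and the "locally registered" sample schemes `localvpn` and `corp-ssoagent` are all assumptions constructed for illustration.

```javascript
// Added example, not from the thread or any browser: a model of the scheme
// check applied before honouring registerProtocolHandler(). The shape (fixed
// safelist plus "web+" prefix) follows the thread; the lists are assumptions.

// Safelist model: a scheme is allowed only if listed here or if it begins
// with "web+". (Assumed list; the real one is defined by the HTML spec.)
const SAFELISTED_SCHEMES = new Set([
  "bitcoin", "geo", "im", "irc", "ircs", "magnet", "mailto", "mms",
  "news", "nntp", "sip", "sms", "smsto", "ssh", "tel", "urn", "webcal",
  "wtai", "xmpp",
]);

// Blocklist model, for contrast: everything is allowed unless listed here.
// (Assumed list; the thread's point is that no such list can be complete,
// because it cannot know which schemes native apps on a given machine own.)
const BLOCKLISTED_SCHEMES = new Set([
  "http", "https", "file", "ftp", "javascript", "data", "about", "chrome",
]);

// Normalise before comparing: trim and lowercase. (Assumption for this model.)
function normalizeScheme(scheme) {
  return String(scheme).trim().toLowerCase();
}

// "web+" must be followed by one or more ASCII lowercase letters and nothing
// else, so "web+", "web+9" and "web+foo/bar" are all rejected.
function isWebPlusScheme(scheme) {
  return /^web\+[a-z]+$/.test(scheme);
}

function safelistDecision(scheme) {
  const s = normalizeScheme(scheme);
  if (SAFELISTED_SCHEMES.has(s)) return { scheme: s, allowed: true, reason: "safelisted" };
  if (isWebPlusScheme(s)) return { scheme: s, allowed: true, reason: "web+ prefix" };
  return { scheme: s, allowed: false, reason: "not safelisted" };
}

function blocklistDecision(scheme) {
  const s = normalizeScheme(scheme);
  if (BLOCKLISTED_SCHEMES.has(s)) return { scheme: s, allowed: false, reason: "blocklisted" };
  return { scheme: s, allowed: true, reason: "not blocklisted" };
}

// Schemes on which the two models disagree: here that is always a scheme the
// blocklist would let a web page register but the safelist refuses.
function disagreements(schemes) {
  return schemes
    .map((x) => ({ safelist: safelistDecision(x), blocklist: blocklistDecision(x) }))
    .filter((r) => r.safelist.allowed !== r.blocklist.allowed)
    .map((r) => r.safelist.scheme);
}

// Constructed sample: safelisted, web+, malformed web+, blocklisted, and two
// made-up schemes standing in for handlers a native app registered locally.
const SAMPLE_SCHEMES = [
  "mailto", "web+music", "WEB+Notes", "web+", "web+9", "http", "localvpn", "corp-ssoagent",
];

function demo() {
  for (const s of SAMPLE_SCHEMES) {
    const a = safelistDecision(s);
    const b = blocklistDecision(s);
    console.log(
      `${a.scheme.padEnd(14)} safelist: ${a.allowed ? "allow" : "deny "} (${a.reason}); ` +
      `blocklist: ${b.allowed ? "allow" : "deny "} (${b.reason})`
    );
  }
  console.log("blocklist allows but safelist denies:", disagreements(SAMPLE_SCHEMES));
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Running it prints the per-scheme decisions and then the disagreement list: `web+`, `web+9`, `localvpn` and `corp-ssoagent`. The last two are the case Adam's message is about: the blocklist passes them because nobody thought to list them, while the safelist refuses them because nobody vouched for them. Note that this check only governs which schemes a page may register; it does not by itself address the fingerprinting concern Chris raises about isProtocolHandlerRegistered().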